You might have formed a preconception about this article from its title. If you’re thinking that remote work and COVID-19 have been written and spoken about ad nauseam, I agree with you. COVID-19 and remote work are the premise of this article, but the real subject is an open secret (even a taboo in some circles) in information security, one that runs from senior management down to junior analysts and administrators.
Information security policies, baselines, and procedures are not evenly applied across the organization for myriad reasons. Some of those reasons are budget, personnel technical skills and availability, and most importantly, personalities. Personalities are a significant driver in policy and baseline acceptance from department to department and team to team. We all like to think that the policy created from the input of stakeholders is best for all and will be welcomed with open arms, but this is rarely the case.
Policies are supposed to be enforceable through some kind of negative consequence for violators. I can’t tell you how many times I’ve heard of circumstances where policy called for a negative consequence and nothing happened. We like to think that we’ll do what the policy compels us to do with violators, but are you really going to let an employee go, or impose a sanction that would motivate someone to leave? More than likely not, unless there is a criminal liability or a significant financial liability (the financial threshold is different for each company). A reprimand that delays a promotion, a bonus, or even a raise is less severe than a fine, demotion, or termination, and still gets the point across. Hopefully the employee isn’t already fed up with their employer. Replacing people is difficult, so we compromise and re-train.
There will always be push and pull in the policy and baseline world from department heads, groups of employees, and individuals over compliance requirements and adopted industry standards, even when those standards are tailored. The usual pushback is that cybersecurity gets in the way of doing someone’s job, or that they shouldn’t have to do something simply because they don’t want to; the list goes on. The root of this issue is that cybersecurity products and services break the functionality of other software or are too complex for employees outside the information security industry to use. There is also a significant lack of understanding of why we do things. Some people want to learn the why, while others have no interest. Personalities.
“Responding to events where there is no plan is as important as execution when you have plans.” – Ryan Miller, WEBGAP CISO
To compound matters, the majority of companies were not prepared for a mass work-from-home (WFH) transition on short notice. Can you blame companies for not having business continuity plans for an event that, since the development of vaccines, occurs perhaps once a century or less and with near-zero predictability?
Large organizations were hit and miss in facilitating WFH for their workforce when it came to providing secure remote access to internal resources and to cloud applications. An organization that already had a stockpile of laptops with its security baseline applied probably had remote access figured out and only needed to supply the laptops and remote access at volume. Even with a stockpile, it is unlikely there are enough laptops for full workforce coverage, so large organizations still had to rely on personal devices, at least in the short term.
Most small and medium businesses were not prepared to any degree, because they hadn’t invested in remote work capability: there was no inherent need, they lacked the expertise, or WFH was prohibited outright. Organizations that were unprepared for en masse WFH were, in most cases, left with employees using personal devices across the entire workforce. Small and medium businesses face a perfect storm of unpreparedness for remote work and personalities.
Personal devices combined with personalities are the crux of the WFH issue. Asking an employee to install endpoint protection software on their personal laptop or desktop often raises the question of whether the employer will use it to spy on them. You must also contend with personal device age and specifications. If the personal laptop or desktop is too old, there may be compatibility issues with modern browsers and endpoint protection agents. Older machines also typically have fewer processor cores and less memory, which makes supporting endpoint protection difficult because of resource exhaustion. Even newer consumer laptops and desktops can bottleneck on memory, because they typically ship with eight gigabytes, half of what business tasks typically need.
The one thing we know people can do is go to a website and log in; if a person can’t navigate the web and perform its basic functions, it’s going to be tough to hold a job. Browser isolation that is reached through a web login, with no software to install or configure (a browser within a browser), is the easiest way to fill control gaps for web threats. All you must do is ask employees to go to the URL for your browser isolation product and log in; from there they can browse the web all they want, with the untrusted web content rendered on the isolation server rather than on their own device. You’ll also keep the personal laptop or desktop’s resource usage low, because the processor and memory on the server, where the browser isolation engine resides, are doing all of the work.