How to Set Up and Manage a Secure Remote Workforce
By Jen Swensson, Kevin Manson,
Over the last few weeks, our customers have called us to learn from our experience as a 100% remote organization. They ask a variety of questions, including:
- What technologies have you deployed for your remote workforce to ensure you appropriately secure a larger attack surface?
- What features and functionality have you enabled within these technologies?
- Do you have a remote work policy and what does it include?
Deepwatch was designed and engineered from its inception for every employee to work from home. As a result, our business has been architected and operated, from an access, security and compliance perspective, to fully support a remote team. We are sharing some of our best practices as well as specific tools you can use to successfully secure your remote team. Deepwatch’s team of analysts, engineers and threat hunters has been seeing a significant uptick in phishing and other attacks over the last few weeks. It’s more important than ever to implement stringent policy, strong architectural design and a renewed awareness campaign across your remote teams.
Technologies Enabling a Remote Workforce
Deepwatch built a cloud-based architecture with flexibility and security in mind. Below is our logic in how we selected our remote collaboration technologies.
Zero Trust vs VPNs
At Deepwatch we use a “Zero Trust” remote access solution that provides strong encryption and ties into our identity management platform. This lets us apply role-based access and authorization with multi-factor authentication to provide granular access, as well as auditing of who is logging in, where they are logging in from, and which specific systems and applications they are accessing. This not only reduces overall risk but also improves the user experience, because the applications users see and are allowed to access are streamlined toward helping them with day-to-day operations.
We chose a zero trust model over traditional VPNs (Virtual Private Networks) for the added security control, visibility, and overall user experience, which helps us drive efficiencies in our business to better serve our customers. While we leverage a zero trust model, not all organizations will be able to migrate to this model immediately. Remote access VPNs provide a simple way for users to gain access to corporate resources, and they can be tied into the same or a similar type of identity solution we leverage here at Deepwatch. When using VPNs, access should be mapped out to create a set of unique remote access profiles that limit users to the segments of the environment they should have access to. Unfortunately, this is also one of the weaknesses of VPNs compared with Zero Trust solutions: depending on the policies deployed, VPN profiles tend to serve large swathes of an organization and often grant users broad access to systems they do not require access to.
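One way to check existing VPN profiles for the over-broad access described above is to subtract the network ranges each profile's users actually need from the ranges the profile grants. This is an added example, not Deepwatch's tooling; the profile names, CIDR ranges and the 50% threshold are constructed, and it assumes IPv4 ranges that do not overlap within a profile.

```python
import ipaddress

# Constructed sample data: CIDRs each VPN profile grants, and the CIDRs the
# users of that profile actually need (all names and ranges are hypothetical).
PROFILE_GRANTS = {
    "vpn-all-staff": ["10.0.0.0/8"],
    "vpn-finance": ["10.20.4.0/24"],
}
PROFILE_NEEDS = {
    "vpn-all-staff": ["10.20.1.0/24", "10.20.2.0/24"],
    "vpn-finance": ["10.20.4.0/24"],
}

def excess_networks(granted, needed):
    """Return the granted address space that no stated need justifies."""
    remaining = [ipaddress.ip_network(g) for g in granted]
    for need in map(ipaddress.ip_network, needed):
        kept = []
        for net in remaining:
            if net.subnet_of(need):
                continue                      # fully justified by this need
            if need.subnet_of(net):
                kept.extend(net.address_exclude(need))  # carve the need out
            else:
                kept.append(net)              # unrelated range, still excess
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def audit(grants=PROFILE_GRANTS, needs=PROFILE_NEEDS):
    """Map each profile to (excess address count, granted address count)."""
    report = {}
    for profile, cidrs in grants.items():
        granted = sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
        excess = sum(n.num_addresses
                     for n in excess_networks(cidrs, needs.get(profile, [])))
        report[profile] = (excess, granted)
    return report

def over_broad(report, threshold=0.5):
    """Profiles where more than `threshold` of granted space is unneeded."""
    return sorted(p for p, (excess, granted) in report.items()
                  if granted and excess / granted > threshold)

if __name__ == "__main__":
    for name, (excess, granted) in audit().items():
        print(f"{name}: {excess} of {granted} reachable addresses unneeded")
    print("review first:", over_broad(audit()))
```

Profiles that the audit flags are the ones to split into narrower, role-specific remote access profiles first.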
Constant Communication Technologies
Our customers communicate securely and conveniently 24x7x365 with their assigned Deepwatch team, which we call Squads, via Slack. This allows our customers and our teams to communicate quickly and efficiently instead of creating long email threads where communications can break down and be lost in translation, or getting caught in a game of phone tag. It lets groups of individuals collaborate in real time as if they were in person, even though they may be hundreds of miles apart. Another benefit of the real-time communications solution is the set of available integrations with the many solutions we leverage to help enable the business and empower our employees.
While real-time collaboration is extremely powerful, with a remote workforce, it is still important for team members to be able to see each other and talk virtually face to face. For these instances we leverage a conferencing tool to allow video chat, and sharing and collaboration of information.
Work From Home Policy Considerations
Managing a remote workforce isn’t any more or less difficult than managing a physical workforce. Each presents unique considerations, and having leadership equipped with the skills and tools to lead their teams is important no matter where an employee sits.
Deepwatch has operated from day one as a 100% remote workforce. As such, we have not adopted a ‘policy’ for working from home, as this is the daily mode for all; that would be like having a ‘working in the office’ policy for a company that operates fully from an office. Companies operating in a hybrid or partial work from home environment may wish to consider a dedicated policy around this. Important considerations for such a policy include:
- Adherence to federal, state and local laws. Policies related to wage and hour compliance, meal and rest periods, accessing technology outside working hours, leave entitlements, insurance benefits, background checks, drug testing, and workplace accommodations are all subject to federal, state and local law
- Reimbursement for office supplies, furniture, equipment, cell phone and internet. Ensure you review state and local laws related to such required reimbursement
- Ensuring back-up connectivity during power or internet outages
- Considering whether smart devices are secure and enable privacy requirements
- Anyone with printed confidential information should have a shredder and fireproof safe
- Childcare considerations including ensuring employees are dealing with child daycare responsibilities while working
Sample policies are available from the Society for Human Resource Management (SHRM) and should be customized to ensure they align with your culture, unique workforce requirements, and business models. The complexity of federal, state and local laws makes it especially important to engage your human resource professionals in developing strategies and support for working remotely and leading remote teams.
Your human resources team may also need to engage legal counsel to review policies for compliance with federal, state and local laws. Companies operating globally outside of the United States will have additional considerations and compliance obligations and should engage counsel with expertise in each geography.
If you would like to learn how to run a remote security team or general work from home best practices, please feel free to reach out to us anytime. We’re here to help.