Extending Corporate OPSEC to Those Working From Home

Raise your hand if you don’t allow your employees to work remotely. No one? Absent those whose position makes remote work impractical, companies that don’t allow their employees remote access to their email, calendars, and other applications are as rare as the albino rhino.

We recently covered the need to address the security aspects of remote workers, from the context of ensuring the remote worker is technologically protected in the same manner in which they would be if they were sitting in the corner office on the 2nd floor of their corporate headquarters.

These technological solutions work, and work well, provided the user understands why the security is in place and that they are truly the first and last line of defense. They must also be aware that if their presence within the corporate infrastructure is compromised or usurped, the entirety of the corporate defenses will now be dealing with the threat from the inside out.

How Might This Occur?

When an employee starts work with a company they (ideally) receive a plethora of briefings and online, on-demand mandatory training sessions to ensure all the boxes for compliance and security are checked. Indeed, a test may be given at the end for which the user must score a passing grade, or retake the test.

The goal is retention of the knowledge; the reality is that the new employee is racing through the materials so they can get to what matters most to them and their family: new position requirements/responsibilities, reporting chain, health benefits, direct deposit in place, etc.

As one who has worked remotely for the past 12 years and is lost inside an office, the ability to work remotely is a personal requirement. For many companies it is a necessity. The ability to bring into play a more diverse workforce and save on operational expenses makes the remote worker very attractive.

But … did he just use a negating “but?” Yes, he did.

Before you cut loose your employee with enterprise access from anywhere on the planet, make sure you go over the basics of good security hygiene and basic operational security (OPSEC) as it applies to your company.

OPSEC: Company Data Stays Inside the Company

A recent court filing in an intellectual property theft case showed executives at a Fortune 50 company were routinely storing corporate documents on their phones and uploading them to third-party data stores or private storage devices. And, surprise (well, not really), emailing sensitive company documents to their private email accounts. Does that free webmail provider protect that data as well as you do on your mail servers?

Educate those who will have unfettered access to your information on how to protect it. When expectations on security and data protection are not levied, assumptions are made, and we know what happens when we assume: you make an ASS out of U and ME.

Have the hard discussion with each employee who will be a remote worker, before they become a remote worker. Have that discussion one on one, so they understand the level of trust being bestowed upon them by the company and, by extension, the company’s customers, clients and partners.

In that discussion, make sure to include a segment on how to treat information in their home or remote location. At work, they may have a clean desk policy and a secure place to lock up papers and equipment; does that extend to the employee’s remote work environment?

Who Lives Here?

What about the individuals who cohabitate with your employee? Who are these people? Are they employed by your direct competitors?

Hadn’t thought about that? Hmmm, a direct competitor able to overhear, view and record the remote meetings of one of your key engineers, because he/she is working from a table less than one meter from where your engineer “works from home.”

Or perhaps, when your employee gets up from the laptop connected to your corporate network, he doesn’t lock it while in the kitchen making a sandwich, and everything on the screen is available for casual perusal.

Now jump to the more nefarious, such as uploading malware into your environment, or launching a DDoS from within. “Oh joy!” says your computer security incident response team, as they work to keep it from spreading. Or perhaps even worse, a DDoS or malware is launched into your partner and customer networks from within yours, because an employee didn’t have their workstation at home locked down and an unscrupulous friend/roommate took advantage of them.

OPSEC, something we all discuss all the time, keeps those secrets secret, except when we allow them to slip away because we didn’t ask the right questions or give the proper guidance to our employees.

About Christopher Burgess

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).