By Louie Castaneda
Country Manager, Fortinet Philippines
The fact that ECQ has been re-imposed on Cebu City is a sobering fact that the fight against COVID-19 is far from over. Nobody knows if or when we can go back to life pre-pandemic , so the challenge remains to create sustainable operations that will ensure that essential government services are not disrupted even if we face a community quarantine situation again. In terms of productivity, local governments are also faced with figuring out how to ensure the full utilization of their workforce to ensure the smooth continuity of government operations and public services. These outcomes require secure remote access to sensitive government networks and data, which in turn requires careful planning, combined with an experienced team trained to deal with critical situations in flux.
On the upside, employees are becoming increasingly comfortable with their new reality of working from home and handling remote working technologies such as VPN connections and multifactor authentications. From an IT perspective, maintaining operational consistency is important but organizations cannot compromise on security for the sake of expediency. This security challenge is broken down into its components:
The first component to consider is ensuring the endpoint security of a remote worker’s computing environment. This can be a home network with vulnerable IoT devices such as baby cams and doorbells attached. Also, family members using applications and platforms such as social media and gaming consoles that potentially introduce threats into the network.
This entire operating environment is outside of the organization’s control, and brings a new meaning to the term ‘insider risk’. The key question is, “how do you isolate the remote worker’s device, or at least, ensure the integrity of any government data and operations in use on that device?”
A second element is transmission security – this involves ensuring that government data is encrypted when it moves across the internet.
It is critical as you move employees to a more autonomous and exposed remote worker status that you heighten their security awareness. While you can compensate for many of the new risks they pose to the organization (such as updating or upgrading your secure email gateway and web filtering solutions), it is also essential that you understand that these workers have become, in many ways, both your most vulnerable targets as well as your front line for defending the network.
Data from FortiGuard Labs show that cybercriminals are now explicitly targeting remote workers with phishing attacks designed to prey on their concerns about their health and well-being, or their novice status as teleworkers. End-user training, therefore, is critical in helping them spot, avoid, and report suspicious emails and websites.
A third element is the headquarters or parent office. The networks of nearly all of these government environments were designed with the expectation that employees would be working from inside the network perimeter. Does that network have the ability to absorb the number of connections expected from moving its workforce to a remote location? Can it handle those connections with acceptable latency, so that users do not become frustrated by slow network performance? Can it ensure that these connections are secure and only available to authorized users?
Outside of those three primary considerations, other issues need to be addressed as well. Bandwidth is an important consideration in any IT solution. Do any of the applications require unusually high levels of bandwidth? How efficient can your solution be when not all teleworkers will have broadband access? Even if they do have access, it is important to recognize that not only do broadband speeds vary dramatically, but that other resources attached to a home network – such as children engaged in distance learning – can eat into available bandwidth.
With these considerations and options in mind, key elements of a solution for secure remote access by a government workforce should include:
- A Virtual Private Network (VPN) whose endpoints are the remote user’s device and the parent office (or cloud).
- Multifactor authentication to ensure that only the authorized remote employee is able to access the employer’s network or data.
- Employer-provided endpoint security to ensure secure computing and access to government data and networks, even when the employee is working from a home network that is vulnerable or compromised.
- Data Loss Prevention (DLP) that provides a safety net against the inadvertent exposure of sensitive data, even when employees are operating with potential distractions and under extraordinary stress factors.
- Device management control to accommodate organizations that want to permit – or may even require – BYOD operations by their employees.
Network architects and IT security teams must make sure that collaborative technology is available to the new remote workforce so they can remain productive and connected, without sacrificing essential security policies and practices.
From an IT overhead perspective, multiple remote access solutions should function as a single integrated system as far as possible, with a single point of management. Organizations that have been grappling with the need to move rapidly to support remote and mobile worker populations do not have to – and frankly, should not – re-invent the wheel, either in terms of technologies or the best practices required for their adoption.
Local governments and organizations can achieve a more effective and secure remote workforce model by focusing on these considerations noted above. We have all been practicing social distancing over the last few weeks to protect against viruses and illness. Likewise, continue to practice cyber distancing online to prevent unwanted intrusions. And if you can, continue to stay home and do your part to fight the coronavirus pandemic by abiding strictly to your local community quarantine measures.