Neill Feather, president of web security firm SiteLock, spoke with TechRepublic's Dan Patterson about the unique challenges of maintaining security with a distributed workforce.
Watch the video, or read the full transcript of their conversation below:
Patterson: Digital transformation is a fundamental component of every company, but that means you are more likely than not to have a distributed workforce. Keeping that workforce safe and secure at scale can be a challenge.
Neill, let's start with the one-on-one, distributed teams can be really efficient. When people work at home in their smart home office, they often have access to tools and tactics that let them be flexible with their lives and end up getting a lot of work done. How do you keep those people secure, and how do you keep communications siloed to just your team?
Feather: I think there's a lot of things to think about when you're dealing with a distributed workforce. I think one thing, first of all, is to kind of know what inventory of applications your distributed workforce prefers to use and what they're using today to communicate with one another, to share documents, to share things across. You'd be surprised how many businesses don't know how their employees are communicating with each other all the time. Once you understand that, you can start to take steps to put the right protocols in place for each of those applications to help really drive a more secure environment for your employees. But the first step is awareness I think.
Patterson: Do you recommend that organizations encourage users to centralize on a platform like Slack, or Google chats, or Skype to use one central place for communication?
SEE: Remote access policy (Tech Pro Research)
Feather: I think it makes it easier to communicate when everybody is in one place. In that perspective, we try to do that. Although I would say that even in our case, we have a number of different chat platforms and things that people do use, but I think especially if your concern is the fewer touch points you have, the easier it's going to be to do that as you can start to understand the security and privacy settings that are available in each one of these platforms, and you can take steps to help your employees be more secure and understand that as well.
Patterson: What are some of the steps and best practices to keeping employee communication safe and secure?
Feather: I think there are a couple of things that are kind of the basics. You should enable multi-factor authentication on wherever these applications supported so that users don't just need their password, but they also need access to a mobile phone or some other kind of authentication mechanism in case their password happens to be one of the many that's part of the latest compromise of password data that we read about all the time.
The other one is, there are certain ... for a lot of like the document sharing type of applications settings where you can limit communication to within your organization or warn users when they're communicating with people outside of the organization. That helps to eliminate risks of this kind of stumbling across a link or something else and getting access to potentially sensitive data just because an email gets forwarded as a link and that references one of your documents.
Patterson: What do you recommend employees as well as managers do, not if, but when a cyber attack or breach happens?
SEE: 10 ways to raise your users' cybersecurity IQ (free PDF) (TechRepublic)
Feather: The first thing to do even before it happens is to have a plan in place so that you know what you're going to do, who's going to be involved, what external groups are you going to contact, and then the actual response is a little bit easy to you because you have a plan that you can just execute off of, and hopefully you've practiced maybe once or twice as well before anything happens. I think the best thing you can do is be transparent with people and explain what happened, who and how they were impacted, and then what you're going to do about it. It's both from a, how do we make this right for you, as well as a moving forward, how do we make sure this doesn't happen again.
Patterson: In the enterprise and certain startups, I'm sure that we're all accustomed to quarterly trainings especially trainings about cyber attacks and make sure to look out for phishing attacks and that kind of thing. What do you recommend employees do and managers or systems do to reduce the risk of a cyber attack?
Feather: That's a broad question. I think the best thing and one of the easiest things to do is, think of it as a quarterly kind of exercise, and one of the things that we're going to manage this quarter ... Look, it's a broad ... cybersecurity is a really broad environment, a broad landscape, and if you try to do everything at once, you'll end up overwhelming your employees and you're not going to get much out of that either. So my recommendation would be to take a more targeted approach to say, "This quarter we're going to train on phishing, or this quarter we're going to train on utilizing VPN," and make sure your privacy settings are up to date everywhere, and turning on multi-factor authentication. Whatever those things that are important to you that quarter and where you see that you have the biggest gaps right now, I think ... Security is about risk mitigation, so you've got to identify the biggest risk for your organization and address those one by one.
- Slack: The smart person's guide (TechRepublic)
- Video conferencing technology for distributed workers is getting better (ZDNet)
- Cheat sheet: Two-factor authentication (TechRepublic)
- A Winning Strategy for Cybersecurity (ZDNet/TechRepublic special feature)
- How to achieve better security with third-party vendors (TechRepublic)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.