Federal agencies rapidly shifted to hybrid and remote working environments in response to COVID-19 last year, resulting in over 75 percent of the workforce switching to telework. In the transition to remote work, agencies grappled with provisioning devices, enabling collaboration among dispersed coworkers, network connectivity, and cybersecurity – among other issues. By many accounts, they enabled workers to be productive and conduct business securely.
Now, some agencies have begun sending workers back to the office, and the movement will only continue as more Americans are vaccinated. At the same time, leaders across the Federal government acknowledge that pandemic telework has been successful in many ways, and they envision a hybrid of telework and in-office work for many employees.
As workers transition back to their offices, either full time or part time, agencies will again grapple with multiple issues, from health and safety procedures, to changes in service delivery, to device and network security. Cybersecurity teams in particular will be tasked to support the transition to ensure employees can continue meeting agency missions without introducing new security risks.
Review Current Recommendations and Policies
As agencies plan for employees to return to the office, it’s important to review best practices and current recommendations. For example, in December, the Cybersecurity and Infrastructure Security Agency (CISA) released a draft version of a Trusted Internet Connections (TIC) Use Case to provide guidance for remote use of cloud-based resources. Updating agency policies around remote access and bring-your-own-device (BYOD) to comply with this guidance ensures staff have the same secure access when they transition to hybrid or in-person environments.
More broadly, agencies should review policies for BYOD, virtual private network (VPN) access, and secure log-ins from personal devices.
Strict checks must be put in place to ensure employee devices are fully compliant. Also, communication with employees is key. By keeping the workforce educated on and informed about best practices and new updates to operating systems and approved applications, Federal agencies can minimize security risk.
IT teams must assess current cybersecurity tools and infrastructure to ensure the most appropriate technologies are used. Whenever possible, technologies that have security built in, rather than bolted on, should be selected. These can protect data and users at a lower risk.
Take Inventory and Address Security Gaps
Cybersecurity threats surged across the public and private sectors with the transition to remote work. A report last month, for example, revealed that application threats surged by almost 20-fold across all levels of government last year. Because of the volume and severity of cyber threats, agencies must take a comprehensive inventory of all assets that connect to agency networks – before workers return to the office. This inventory enables cybersecurity teams to identify security gaps and develop a punch list of actions that need to be taken to close them.
Aggregation of data from multiple security tools is a key component of ongoing asset management, noted Bobby McLernon, vice president of Federal sales at Axonius.
“No single tool can provide a complete answer to the most important questions cybersecurity teams ask on a daily basis, but even organizations using more than 100 security tools still report visibility gaps,” McLernon said. “The answer is aggregation of the data from all of those tools, so that agencies have an accurate picture of their security posture.”
Align to the Mission of the Agency
Above all else, cybersecurity teams planning for the workers’ transition back to the office should make sure they’re aligning with the agency leadership and the agency mission.
“That’s the most important thing to do now,” McLernon advised. “Understanding the agency’s plan to return to work can help teams predict how to support the agency and ensure a smooth, secure return to the office.”
Agency leaders must prioritize strategic alignment to close security gaps and ensure employees are successfully meeting mission objectives, even as government policies shift. Looking at lessons learned from decades of managing devices, such as desktops and laptops, and then from the shift to cloud and Internet of Things (IoT), five major themes can help cyber teams plan for future transitions:
- Change is constant: The number, type, and form of devices that organizations manage are constantly growing and changing, and all security-related device management programs should be built to adapt to the inevitable evolution of devices;
- Discovery is a process, not an event: In a dynamic environment, the devices that organizations are responsible for securing appear and leave very quickly. An inventory that is accurate today may not be tomorrow, and definitely won’t be in a month;
- Continuous interrogation is critical: Expectations of security solution coverage and adherence to controls must be constantly challenged;
- Map expectations to action: Any time a device deviates from policy, organizations need a plan in place to automate threat mitigation; and
- Tools will change: The number of tools in use will increase over time. Understanding which tools should be protecting which devices is the foundation of device security.
Learn how Axonius can help agencies with planning cybersecurity asset management and executing an efficient, safe transition back to in-person working environments. Read “Why Asset Management Matters for Federal Cybersecurity.”