Keeping government communications private has always been challenging, but it has reached new levels of complexity with the rapid and involuntary shift to remote work brought on by the coronavirus. Preventing sensitive data breaches and leakage has never been more critical while simultaneously being more difficult. The approach that agencies, departments and workforces should use to keep their communications truly private is two-pronged: training employees and implementing secure communications tools.
From a cybersecurity perspective, employees are an organization’s main vulnerability. Phishing emails and social engineering attacks are a concern even when the organization has direct control over the buildings and networks that employees are using on a daily basis. These threats are magnified when employees are working remotely. Bad actors rightly see this as an increased attack surface to gain access to confidential data and communications. Therefore, keeping your communications private should start with taking the threat seriously and issuing guidance and training that’s emphasized at the highest levels of leadership.
The question becomes how to both create a secure communications program and mandate its use. Employees often don’t understand the need to exclusively use programs that are authorized by the organization. For example, one company, upon shifting to remote work, failed to establish guidance for approved secure communications tools. As a result, employees used unapproved and unsecured tools instead. Apart from being an inefficient use of company resources when employees claim paid software as an expense, these uncontrolled tools made it impossible to ensure the confidentiality of private communications.
One study found that employees often didn’t understand how end-to-end encryption could secure their communications, so they simply didn’t use the right tools. Even more alarming, some employees believed such precautions were futile; they did not believe the tools could offer protection for themselves or their organization’s data. The billions of dollars spent on software, network hardening, and device compliance measures are wasted if employees do not understand why they need to use the provided solutions. Organizations should consider implementing mandatory cyber training that’s designed to inform employees of the hazards they face when working remotely as well as the steps they can take to keep communications secure.
These training solutions can either be outsourced or created in-house, but they should seek to create employees who are an asset to the organization’s security posture. Such employees, once they understand why certain policies are in place and why they need to deal with the hassles that come with increased security, can become a valuable first layer of defense. Leadership and management must be fully on board with the program and should lead by example in using the approved communications tools and by taking steps to identify which communications belong on secure channels.
An organization’s security guidance should include clarification on how to classify sensitive data. Not all communications are created equally, and management has the responsibility to identify which ones should be private. One technique is to use a classification system similar to that used by the government, in which sensitive data or topics are labeled at a higher classification. These communications are then required to be sent over secure channels.
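The labeling scheme described above only helps if something enforces it. The following Python snippet is an added illustration, not code from the article or from Glacier: it models an ordered set of classification labels and a hypothetical channel inventory (the channel names, labels and sample messages are all constructed), treats unlabeled or unrecognized data as the most sensitive class, denies any channel not on the approved list, and audits a batch of send attempts for mismatches.

```python
"""Classification-to-channel policy check (illustrative example, not the article's own code)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Classification(IntEnum):
    """Ordered labels: a higher value means more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical channel inventory: the highest label each channel is approved to carry.
# Anything not listed here is unapproved and carries nothing (default deny).
APPROVED_CHANNELS = {
    "corporate-email": Classification.INTERNAL,
    "vpn-fileshare": Classification.CONFIDENTIAL,
    "e2ee-messenger": Classification.RESTRICTED,
}


@dataclass(frozen=True)
class Message:
    msg_id: str
    label: Classification
    channel: str


def parse_label(text: Optional[str]) -> Classification:
    """Map a free-text label to a Classification.

    Fail safe: missing or unrecognized labels are treated as RESTRICTED so that
    unlabeled data can never be routed over a low-assurance channel by accident.
    """
    if not text or not text.strip():
        return Classification.RESTRICTED
    try:
        return Classification[text.strip().upper()]
    except KeyError:
        return Classification.RESTRICTED


def channel_permitted(label: Classification, channel: str) -> bool:
    """True only if the channel is approved and its ceiling covers the label."""
    ceiling = APPROVED_CHANNELS.get(channel)
    if ceiling is None:
        return False
    return label <= ceiling


def approved_channels_for(label: Classification) -> List[str]:
    """All approved channels that may carry data at this label, sorted by name."""
    return sorted(name for name, ceiling in APPROVED_CHANNELS.items() if label <= ceiling)


def audit(messages: List[Message]) -> List[str]:
    """Return the ids of messages sent over a channel not approved for their label."""
    return [m.msg_id for m in messages if not channel_permitted(m.label, m.channel)]


# Constructed sample send attempts, as a compliance review might pull from a gateway log.
SAMPLE_MESSAGES = [
    Message("m1", Classification.PUBLIC, "corporate-email"),         # fine
    Message("m2", Classification.CONFIDENTIAL, "corporate-email"),   # over the channel ceiling
    Message("m3", Classification.RESTRICTED, "e2ee-messenger"),      # fine
    Message("m4", Classification.INTERNAL, "personal-chat-app"),     # channel not approved at all
    Message("m5", Classification.CONFIDENTIAL, "vpn-fileshare"),     # fine
]


if __name__ == "__main__":
    for msg_id in audit(SAMPLE_MESSAGES):
        print(f"policy violation: {msg_id}")
    print("channels for CONFIDENTIAL:", approved_channels_for(Classification.CONFIDENTIAL))
```

Two design choices carry the security weight: the channel table is an allow-list, so a tool that nobody vetted is rejected rather than silently accepted, and an absent or misspelled label is resolved upward to the most sensitive class rather than downward to PUBLIC.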
Apart from training and guidance, an organization must put a comprehensive system of technical controls in place to ensure that communications are kept private in the world of remote work. It will likely take a suite of programs and tools to accomplish this. Virtual private networks (VPNs) are a good place to start: depending on the type, they can protect resources on an internal network, secure the data leaving an employee’s device over an untrusted network, or both.
Organizations can revisit their compliance policies for asset tracking and device management. They can use scanning tools to ensure operating systems are updated or determine when a device last checked in. Mobile device management (MDM) software, while needing extra considerations due to privacy concerns, is another way to help ensure that devices are as secure as possible, and it can offer valuable insights into the health of an organization’s network and devices.
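The two checks named above, whether a device's operating system meets a baseline and when it last checked in, are easy to automate once inventory data exists. The following Python snippet is an added example and not code from the article or from any particular MDM product: it runs both checks over a constructed inventory export. The baseline versions, the seven-day staleness limit, the hostnames and the fixed "now" timestamp are all assumptions chosen for the illustration.

```python
"""Fleet compliance check over an asset inventory export (illustrative example, not the article's own code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hypothetical minimum OS versions an organization might require (constructed values).
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "macos": (13, 6, 0),
    "windows": (10, 0, 19045),
    "ubuntu": (22, 4, 0),
}

# Devices that have not reported in for longer than this are flagged (assumed threshold).
MAX_CHECKIN_AGE = timedelta(days=7)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '14.2.1' into (14, 2, 1); non-numeric parts are ignored rather than crashing the run."""
    parts = []
    for piece in text.strip().split("."):
        if piece.isdigit():
            parts.append(int(piece))
    return tuple(parts)


def pad(version: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    """Right-pad with zeros so '22.4' and '22.4.0' compare as equal."""
    return version + (0,) * (width - len(version))


def evaluate_device(record: Dict[str, str], now: datetime) -> List[str]:
    """Return a list of finding codes for one inventory record (empty list means compliant)."""
    findings: List[str] = []

    os_name = record["os"].lower()
    baseline = MIN_OS_VERSION.get(os_name)
    if baseline is None:
        # Unknown platform: flag it rather than silently treating it as compliant.
        findings.append("unsupported-os")
    elif pad(parse_version(record["os_version"])) < pad(baseline):
        findings.append("os-outdated")

    last_checkin = datetime.fromisoformat(record["last_checkin"])
    if now - last_checkin > MAX_CHECKIN_AGE:
        findings.append("stale-checkin")

    return findings


def evaluate_fleet(records: List[Dict[str, str]], now: datetime) -> Dict[str, List[str]]:
    """Map hostname -> findings, including only devices that have at least one finding."""
    report: Dict[str, List[str]] = {}
    for record in records:
        findings = evaluate_device(record, now)
        if findings:
            report[record["hostname"]] = findings
    return report


# Constructed sample inventory, in the shape an MDM or asset-tracking export might take.
SAMPLE_INVENTORY = [
    {"hostname": "lap-001", "os": "macOS", "os_version": "14.2.1",
     "last_checkin": "2024-03-14T09:12:00+00:00"},
    {"hostname": "lap-002", "os": "Windows", "os_version": "10.0.19044",
     "last_checkin": "2024-03-13T17:40:00+00:00"},
    {"hostname": "lap-003", "os": "Ubuntu", "os_version": "22.4",
     "last_checkin": "2024-02-20T08:00:00+00:00"},
    {"hostname": "lap-004", "os": "FreeBSD", "os_version": "13.2",
     "last_checkin": "2024-03-15T00:00:00+00:00"},
]

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    for hostname, findings in evaluate_fleet(SAMPLE_INVENTORY, NOW).items():
        print(f"{hostname}: {', '.join(findings)}")
```

A device that has gone quiet is reported separately from one that is merely out of date, because the two call for different follow-up: the first may be lost, stolen or running with its agent disabled, while the second just needs patching.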
With the increased attack surface created by remote work, it’s never been more critical that organizations revisit their cyber policies and the training they offer to employees. The secure communications tools an organization chooses to implement are crucial, but it will be money wasted if there isn’t comprehensive employee training and guidance in place. Employees can be a valuable first line of defense if they’re given the tools and guidance to understand why security is so crucial, and taking these steps will help keep communications truly private while employees work remotely.
Alex White is a former National Security Agency (NSA) engineer and currently serves as Co-Founder & CTO at Glacier, a full-service, end-to-end encrypted, and anonymous platform for your most crucially sensitive data and devices.