Insight by Menlo Security

How agencies can keep employees cyber safe from themselves

The move to remote work during the pandemic has increased the threat surface among agencies and the private sector.

As employees worked from home on a permanent basis, concerns rose about personal WiFi, home computers and other devices that may not be as secure as what they used in the office.

But the conventional wisdom that this decentralized access leads to greater cyber risks doesn’t have to be the case.

Agencies can open up access to improve employee mission success while retaining visibility into network and applications performance and limiting the cyber risks.

Agencies can take tangible steps to further ensure employees can access data and applications from anywhere, at any time, while also lowering their exposure to cyber threats.

Jack Miller, the head of global professional services for Menlo Security, said agencies must consider implementing a virtual air gap to reduce the risk of employees working remotely and to battle the increasing threats posed by web applications.

Menlo Security implemented this approach for the Defense Information Systems Agency.

“We have several hundred thousand people from different mission partners already on the platform today, and everything’s working great,” Miller said. “It is tested and tried and true. Now, there’s challenges to get there, like any kind of big project, and by doing the proper planning up front, in trying to have good pilot groups that are representative so we can identify issues before they become impactful to broad swaths of the organization. It helps move things along really quickly. The good news is for anybody doing a deployment of these types of technologies is that after you get through the initial hurdle, you do reach a level of homeostasis, where everything kind of runs pretty smoothly after that.”

This approach, in many ways, helps protect employees from themselves.

“By implementing a process like isolation, we can restrict access. So what happens today when people go to the internet, we give them far more access than they need to have to be able to do their job. The first thing is access to do their job. Well, do they need access to this website? Or do they not need access to this website?” Miller said. “The next step is I’m giving them access, but what level do they really need to do their job? Does that website on the internet really have to be able to run code on the local desktop for that employee to do what they’re trying to do? Or can we let the code run somewhere else? We’ve kind of removed the risk. What we’re really saying is that for most of our internet interactions, we can restrict access down to a point with isolation, where it suddenly doesn’t matter that much if we can’t establish a level of trust.”

Miller said the security controls must be seamless and transparent, but also can’t impact the mission.

“If we can implement processes where we say it doesn’t matter if someone makes a mistake, we’re still safe. We’re always going to be better off doing that, whether that’s a combination of processes and technology, than trying to think everybody’s got to be perfect all the time,” he said. “As the saying always goes: ‘We have to be right every time. The bad guy only has to be right once.’ Is there a bad person there waiting to pounce? There’s a good chance they might be, especially if they’re working in a highly targeted industry or vertical.”

The challenge of being perfect all the time and the growing threat surface is pushing agencies toward a zero trust architecture.

“It’s important that we always include least privilege access into the zero trust conversation because that’s the whole reason we’re trying to establish a level of trust. So we can determine how much access to give and we can determine their level of access based on a couple things. One is how much do I trust you? And the other thing is do you need to have access to this to be able to do your job? We have to look at both of those,” Miller said.


Featured speakers

  • Jack Miller

    Head of Global Professional Services, Menlo Security

  • Jason Miller

    Executive Editor, Federal News Network
