Persistent security in a time of uncertainty

Work unleashed

Welcome to our Work Unleashed series: a collection of posts from Box executives and conversations with Box customers on navigating the "new normal" of work today. Here, you'll find insights and resources that enable your teams to do their best work, anywhere, anytime.

Even during a crisis, work never ceases. Many technology providers support critical businesses like hospitals, logistics planning, and those in charge of access to daily needs, from medical attention to food. Right now, the COVID-19 pandemic is bringing us all together as a community in ways that would have been hard to imagine even a few weeks ago.

Top of mind for most CISOs right now is how to enable work, to continue to operate virtually and seamlessly, while providing the same levels of trust we rely on. It’s no longer as simple as securing the perimeter. With access to critical content primarily in the cloud, built-in security is more important than ever.

But we need to be flexible about the how of getting there. From a CISO's perspective, here are three essential things to be thinking about right now.

1. Be wary of phishing and hackers in disguise

Big events — not just pandemics, but annual events like the holidays and tax season — are prime time for cybercrime. When the emotional tensions are high, and people are anxious, they're vulnerable to malicious actors who prey on that vulnerability and distractibility.

Recently, Johns Hopkins University announced that malware disguised as the university's COVID-19 tracking map had been built to steal information from users of the fake site. Anxious people searching for up-to-the-minute pandemic information wouldn't necessarily notice that the site was bogus. Another potential phishing trick right now is hackers posing as coworkers trying to access work remotely: "Hey do you have the access code to get into our VPN? I'm locked out."

It's more important than ever to instill best practices in your users and remind them not to deviate from standard good security habits. Encourage secure access, such as via VPN, whenever possible, even when just signing in to quickly check email or Slack. In addition, users should be educated that when they call in with a technical problem from a remote location, they may be asked for an added level of authentication, and they must understand that in a virtual environment, a little bit more validation is needed.

Still, security can't rest on users alone.

2. Re-evaluate your security thresholds and controls

Ensure the right controls are in place to protect remote work. Be intentional about what thresholds make sense for your organization's risk appetite.

  • Make sure you have secure authentication for all your users. For example, at Box, we use Okta for single sign-on (SSO) and Duo on mobile for 2FA.
  • You may not be able to depend on the security and hygiene of the devices being used. For companies where work typically happens at the office or via managed devices, it might be challenging or even impossible to get new equipment to workers in remote locations quickly right now. With increased use of personal devices, you have to treat these as untrusted origins. To protect your company, ensure high-risk users from untrusted end-points are coming in through a secure terminal before accessing any data or content. That stepping stone of access delineates your protected environment from any level of toxicity from the user's environment. Alternatively, you can verify or force compliance on access end-points and only allow access from compliant ones.
  • Think about teams where there is additional risk when going remote because they have access to privileged information, such as customer support or billing. When "clean room policies" (where data in and out of a location is tightly controlled) cannot be observed, you may even need to modify business practices, for example, ceasing to take credit card information via phone, because you can't secure the remote line.

3. Maintain visibility through a "single pane of glass" view

It's more important than ever to have telemetry and a unified view of access to your most important data. There are three key points here:

  • Avoid content sprawl. Ensure your content is on a platform with robust audit and reporting capabilities. Beyond handling the crisis happening right now, this is an opportunity for any CISO who wants to enable remote work to understand whether they have their content — their crown jewels — protected. Centralized content is about having all your content on one platform, while integrating with key applications such as Slack and Office 365, so accessing and collaborating on content is a flexible experience.
  • Use monitoring solutions to see activity across the organization. Part of the CISO’s job is to enable your team to keep an eye on the behavior of individuals and to look for anomalies. Actionable intelligence from data analysis is key to swift remedial actions.
  • Since work has gone largely virtual, go beyond geolocation when monitoring for suspicious behavior. The trick will be not to get so desensitized to an increase in false positives of suspicious sessions that we ignore valid alerts.

Carrying on with work in a secure way

Remote work continues to fuel business operations and connected commerce. It's no longer about securing the perimeter, but securing the flow of information as we work with increasingly distributed teams. Cloud content management that integrates with collaboration tools like Zoom and Slack ensures mission-critical work can continue, uninterrupted.

From my perspective as a CISO, it's important to make sure your tools have native security controls, integrate with each other, and are configured securely. Increasingly, we're seeing customers expect providers to come with built-in capabilities, whether it's DLP, data classification, or threat detection, and hold those capabilities to a higher standard.

Normally, setting up new security tools and architectures takes time. Partnering with providers who have built-in security allows you to scale up quickly to meet the current business need, without worrying about users seeking workarounds that can result in a data breach. We're taking this very seriously, and are working very closely with our customers during this time so they can keep their businesses moving, while keeping their valuable information secure.

To learn more about how Box enables your dispersed teams, check out our remote work resource hub. Plus, sign up for our most popular online event — the free half-day Box Virtual Summit — with a remote work-focused CIO panel that you won't want to miss.
