In less than two weeks, our entire work culture shifted. In response to COVID-19, on March 19, 2020, California declared the first statewide stay-at-home order. By March 30, 26 states had joined California, sending millions to work from home. With that, COVID-19 forced companies to make rapid decisions to keep workforces safe and business moving forward.
Since that time, companies have plunged headlong into response and survival plans. Immediate concerns were focused on the health of employees and getting them set up to work from home. Security and IT teams worked around the clock to make sure employees had the tools they needed to stay connected and productive. Slack, Zoom, Microsoft OneDrive, and other collaboration apps were rolled out en masse, if they weren’t already part of a work culture. All of this put a strain on security. Suddenly, security was on the hook to manage data risk beyond traditional company perimeters and do it at scale.
By now, other considerations are coming into focus. While employees are settling into home-office routines, companies are focused on making sure their businesses will exist. That may sound dramatic, but it’s the same problem that Bob’s coffee shop, JP Morgan, and a million other businesses continue to ponder. Business as we knew it is not going to be the same. With a nearly 100% remote workforce — and a world that is social distancing — how do we keep employees productive and teams innovating while keeping businesses secure?
To make sure employees stay on task and don’t waste time, some companies have chosen the Big Brother route. Since they can’t see their employees working from home, they’ve installed monitoring software that collects screenshots every few minutes, logs keystrokes, and tracks website visits.
The challenge with this surveillance approach is that these types of monitoring metrics are not a measure of productivity or security. An engineer tallying up keystrokes won’t tell you whether the lines of code for your new product release were finished on time. And a sales rep logging keystrokes and looking busy is not going to alert you to the fact that he was really uploading your customer records to a personal email account.
Not only does the Big Brother approach fail to solve productivity and security issues, it leads to a cultural problem: namely, a lack of trust and transparency. And that’s certainly not the type of environment that fosters collaboration, creativity, and innovation.
Future of Work
The future of work has fundamentally changed. According to recent industry research, nearly three-quarters of CFO respondents plan to move more employees into permanent remote positions after the COVID-19 pandemic. The reality is that working from home and the collaboration apps that keep employees connected and productive are here to stay.
When it comes to securing a collaborative culture, covertly counting keystrokes or tracking how long workers are on their computers is antiquated police-state security. Surveillance of end users stands in stark opposition to what an open, collaborative culture is all about. If you accept these as truths, it is not a difficult leap to see that conventional approaches to data security must change.
There is a new way to think about data security. It starts by assuming positive rather than negative intent. It’s based on trusting and verifying versus not trusting at all.
To solve the security challenge, new approaches to security need to take into account the implications of using collaborative apps and the increasing exposure of the endpoint. Rather than counting keystrokes, security should focus on out-of-the-ordinary file movements — for instance, when a remote worker downloads 20 files to a thumb drive or uploads financial records to a personal Dropbox. When someone abuses the trust that has been given to them, security can then investigate. That way, you don’t let one “bad apple” ruin it for the rest, and the rest of the workforce can get their jobs done without interruption. Fundamentally, a trust-but-verify approach positions security teams as partners — not the police.
To address the productivity issue — well, for starters, security should not be a crutch for solving performance problems. Performance should be measured by achieving key business results. What security teams should be doing is enabling employees to work with apps that enhance productivity and help them do this safely. In our “new normal,” it is more important than ever for security to be seen as enabling — rather than impeding — the very performance-based and collaborative culture businesses need to succeed.
Change does not come easy. And this new approach to securing a culture of collaboration definitely calls into question some holy grails of data security. The late Rear Admiral Grace Hopper, known as one of the foremost computer science engineers, said the most damaging phrase in the language is “We’ve always done it this way!” COVID-19 has unleashed unprecedented change on how we get work done. It’s time that data security catches up.
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.
Joe Payne brings to Code42 more than 20 years of leadership and a proven track record with high-growth software companies. He has a broad experience base in delivering software and software-as-a-service (SaaS) solutions to enterprises across numerous industries. As President … View Full Bio