It’s clear that telework is here to stay. In November, the Department of Defense extended COVID-related telework flexibilities, allowing civilian employees with kids to work remotely until at least June 30, 2021. In January, the Defense Information Systems Agency and Joint Force Headquarters Department of Defense Information Network released a memo touting telework benefits.
Even if agency employees return to the office this summer, it’s unlikely that telework policies will go back to what they were pre-pandemic. Acknowledging this new environment, it’s an important time for agencies to bolster efforts combating the threat of unauthorized access to government systems and improper data management.
Thankfully, maintaining threat awareness, improving security hygiene like multifactor authentication and encryption, and strengthening data protection can protect critical defense data whether work is completed at the Pentagon or in a corner of the bedroom.
Maintaining threat awareness
Everyone is busy, which can lead to workers overlooking potential threats. Mundane activities like filling out forms or opening email links, could be phishing attempts or other threats in disguise. Forms or email could have encrypted links to malware, allowing hackers on the other side access to employee information.
A recent CISA analysis reminds users of these basics, like taking action on unauthorized login attempt alerts, and understanding phishing and other tactics used to exploit and enter an agency’s infrastructure.
This guidance is important and IT leaders can also help improve threat awareness through frequent reminders and periodic training, prompting federal workers to exercise essential cautions. Basics include not entering credentials online to an unknown source, being wary of clicking on documents from unknown sources, and overall, contacting IT when things seem suspicious.
Commingling of personal and work-related data, even if it’s unclassified, through home-based tools and enterprise cloud-based services is also a considerable problem where greater awareness is needed. If a worker has a work-issued Windows PC but is more comfortable with their personal Apple Mac, they may switch data back and forth on both devices. This can increase productivity, but significantly increases their device attack surface. Workers need to understand the potential dangers of these choices.
Multifactor authentication and encryption methods
As telework complicates security risks, government agencies can take simple steps to strengthen their security hygiene with multifactor authentication and encryption.
Equipping devices with multifactor authentication methods, a CMMC practice, is a solid start at protecting critical infrastructure and sensitive data. Passwords provide some protection, but even with constant management and updates, leave gaps. Multifactor authentication provides one more level of security. In order to be effective, every user, on every device, needs to be equipped with MFA capabilities — which can be hard as previously stated when workers use personal equipment sometimes for professional use.
Sometimes, workers need to access sensitive information, and they might not follow through on critical security protocols already set in place by IT departments. Enforcing end-to-end encryption on any sensitive documents, messages and content is essential to protect agencies from disastrous scenarios where classified items can fall into the wrong users. This should include not only within government, but materials and communications touched by contractors as well.
Agencies should also maintain robust security technology software and protocols from workers who may bypass encryption or MFA software using external storage systems from home like external hard drives, thumb drives or other equipment, which poses another damaging security risk. Additionally, immutable data (often a strategy for backup and data recovery) is a growing trend to ensure recoverability and integrity of data.
Modernizing a remote access strategy
Even with the right security policies in place, remote work has opened agencies up to greater vulnerabilities, and they must always be prepared for a potential breach. Any organization that feels its security is bulletproof and doesn’t have a backup in place sets itself up for disaster. The DOD is a data-centric organization, so data needs to be accessible and secure, so it can protect our war fighters and effectively support DOD missions.
The volume of data being collected and stored also continues to expand exponentially, and the DOD is considering whether certain datasets are disposable, a topic exposed by the DOD Data Strategy. However, getting rid of data without endeavoring to gain insight can pose potentially significant risks. As agencies grapple with how to handle continuously increasing amounts of data, investment in backup solutions becomes more critical.
A proper backup system and policy means data is there when you need it and prevents data loss. To be effective, data protection should be continuous and recovery should be instant. With DOD data, that means there’s no delay in getting the information that could be critical to mission decisions and that there’s no chance that the data has been manipulated.
Backup also needs to be seamless, reliable and easy to use. The midst of a cybersecurity incident is not the time to adjust to a complex system.
The DOD remains heavily targeted by those with malicious intentions seeking sensitive government information. An increase in telework ultimately heightens data volumes, due to the fact larger networks are needed to withstand and provide all the resources remote workers require to remain secure.
While telework will most likely continue throughout 2021 in some capacity, the threat landscape also continues to evolve. Encouraging employees to exercise security best practices, prioritizing basics that still remain a challenge, and always having a backup will ensure defense operations can continue smoothly, regardless of cyber threats and disruption to the workplace.
Rick Vanover, is senior director of product strategy at Veeam Software, and Mike Miller is vice president, federal, at the company.