Government Teleworking Could Last for Months, Exacerbating Cyber Risk

As federal government guidance on social distancing due to the COVID-19 pandemic is extended through April, a new reality is setting in for federal workers — a prolonged period of telework, even beyond the coronavirus crisis.

This new normal was echoed by Defense Secretary Mark Esper, who reiterated in a virtual town hall that Pentagon officials who are able to work from home can expect to do so for “as long as necessary…it’s going to be weeks, for sure, maybe months,” reports Nextgov.

But a sudden transition to telework isn’t without its challenges. In the private sector, aided by cloud-based collaboration tools and robust work-from-home policies, the adjustment has been relatively streamlined. However, the public sector is much less nimble.

Remote workforce brings new challenges

Many government CIOs simply hadn’t planned — both culturally and technologically — for an extraordinary volume of federal employees and contractors to be working from home for an indeterminate amount of time. Indeed, several factors could hurt the federal government’s ability to gear up for a new remote workforce, writes Bloomberg Law. These include constrained IT budgets, a reliance on proprietary legacy software that is hard to access remotely, and even recent efforts to scale back telework.

It’s a new world order that is also playing out for state and local governments. The Town of Cary, NC, like many other municipalities, is facing this very predicament, reports CNBC. “In a matter of days, we’ve had to prepare hundreds of staff to work remotely. Because we’re a government organization, we have staff in a variety of roles, and for many of them, working from home hasn’t been part of their lives before this week,” said Nicole Coughlin Raimundo, chief information officer for the Town of Cary.

Teleworking cybersecurity is top of mind

CIOs are also cognizant that these home networks, with potentially dozens of devices connected to them, may not be as secure as government networks and could put the entire IT infrastructure at risk.

The cybersecurity challenges of a government-wide move to teleworking are a top-of-mind concern for the Department of Defense, too.

Speaking in the virtual town hall to Pentagon officials, Secretary Esper said: “…if you're teleworking — if you're doing anything that involves the networks and IP — be very, very careful of IP vulnerabilities… We are a little bit more exposed when we're doing telework, using a lot more bandwidth, there's more open ports, et cetera.”

Hidden cyber risks threaten security postures

It's a challenge that is playing out for many organizations. As the digital ecosystem expands, so does the attack surface. This makes government agencies increasingly vulnerable to cyber risk as bad actors look to exploit unmonitored and potentially insecure home networks or digital assets deployed on those networks. That risk is compounded by the fact that security teams lack the right tools to gain visibility into the security posture of these assets or the insight needed to identify, prioritize, and remediate the assets that represent critical or excessive risk.

Furthermore, the increased reliance on cloud services and a lack of insight into the risk profile of all cloud-hosted assets during times like these can also introduce hidden risk.

Agencies need a way to visualize risk across the attack surface

With little preparedness for this new way of working and few resources to protect their rapidly expanding digital landscape, it’s critical that government organizations quickly find ways to understand where cyber risk lies across their IT infrastructure — before threat actors take advantage of them. One way to do this is to develop a security performance management program that includes the ability to analyze the entire digital attack surface — in the cloud, and across geographies, operational units, and remote/home offices — on a continuous basis.

This takes the guesswork out of identifying the assets that represent the most risk, such as those with insecure access points, unpatched systems, or unknown malware infections, and where those assets reside.

With this visibility, security teams can then prioritize and quickly mitigate issues and stay one step ahead of threat actors. They can also more effectively identify lapses in their security performance program and communicate to CISOs and CIOs where additional investment in security controls is needed.

Could COVID-19 kick-start digital transformation?

As telework becomes routine for millions of government personnel and contractors, it’s critical that agencies do all they can to achieve continuous visibility into digital assets and cybersecurity risk — today and tomorrow.

Indeed, some predict that coronavirus-imposed teleworking could be the major shift needed for digital transformation to really take hold. The virus has pushed businesses and governments to think outside the box in how they work, collaborate, educate, triage patients, and thwart cyber threats — all while saving resources, lowering costs, and increasing efficiencies.

Given these benefits, the teleworking mentality could persist well beyond the pandemic. Organizations that today face the cybersecurity challenges that this new world order presents will be better prepared for the future.