Like many people, I find it easiest to write about my direct experience. Currently I work from home, and I spend my working time doing application penetration testing on behalf of Pivot Point Security clients. This basically involves trying to hack into their systems with my web browser from the public Internet, just like black-hat hackers are trying to do.
There’s a sizable and growing need for application penetration testing, as more and more businesses expose more and more applications outside their firewalls to support not only customers and partners, but also us remote employees. Notwithstanding Yahoo CEO Marissa Mayer’s recent edict to the contrary, telecommuting is growing in popularity with both workers and management. The business doesn’t have to provide teleworkers with space and power, so facilities costs go down. And the teleworker doesn’t have to commute and organize his or her entire life around spending the day at the office, so happiness and productivity go up, by and large.
But not everyone is cut out for working at home. It can get pretty lonely, and it’s easy to feel cut off from office goings-on when you’re 2+ hours’ drive from your nearest co-worker. Working from home can also feel, well… unexciting. I mean, once in a while I manage to pull off an electrifying exploit, but most aspects of my job are pretty straightforward. I must admit that sometimes I long to hang out by the water cooler and hear about what everybody else is doing.
It’s important for businesses to keep remote employees engaged and make sure they feel like they’re part of the team. Otherwise they might become disgruntled — and disgruntled, disaffected, disloyal and/or dishonest employees (along with contractors and other “insiders” with access to your network) remain the leading cause of security breaches.
All the application penetration testing in the world won’t protect your organization from hackers who have access to your corporate headquarters LAN because you gave it to them. There’s no shortage of stories about ex-employees with an ax to grind who use their access permissions in untoward ways.
Besides using penetration tests and other approaches to ensure that your systems are safe from attack from outside, it’s important to mitigate insider threats. Perhaps the most important thing you need to do in this regard is make sure that as soon as people no longer need access to your IT systems, they no longer have access.
This is especially true for employees who have left the company. But it also holds true for contractors, consultants, business partners and all the other types of users out there. Indeed, from the standpoint of third-party vendor risk management, it’s also important to know you’re secure from threats initiated by the employees of cloud computing providers and others within partner organizations who can potentially access your data.
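The control just described, revoking access the moment it is no longer needed, is only as good as your ability to notice when it has been missed. The script below is an added example (not code from Pivot Point Security or from the original post) of the reconciliation check a practitioner would run periodically: it compares an export of enabled accounts against the HR roster and flags terminated employees, contractors whose engagement has ended, accounts with no HR record at all, and accounts nobody has used in a long time. The roster, account list, field names and 90-day dormancy threshold are all constructed for illustration.

```python
"""Reconcile enabled accounts against the HR roster to find access that
should already have been revoked. Added example with constructed data;
the roster and account export are not from any real directory."""
from datetime import date

# Constructed HR roster: who is currently entitled to access, and until when.
HR_ROSTER = {
    "alice": {"status": "active", "type": "employee"},
    "bob": {"status": "terminated", "type": "employee", "end_date": date(2013, 2, 28)},
    "carol": {"status": "active", "type": "contractor", "end_date": date(2013, 3, 15)},
    "dave": {"status": "active", "type": "employee"},
}

# Constructed export of enabled accounts from a directory, VPN or application.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2013, 3, 20)},
    {"user": "bob", "enabled": True, "last_login": date(2013, 3, 1)},      # left a month ago
    {"user": "carol", "enabled": True, "last_login": date(2013, 3, 10)},   # contract expired
    {"user": "dave", "enabled": True, "last_login": date(2012, 11, 1)},    # long dormant
    {"user": "svc_backup", "enabled": True, "last_login": None},           # no HR record
]


def find_stale_access(roster, accounts, today, dormant_days=90):
    """Return (user, reason) pairs for enabled accounts that need review or disabling.

    Checks, in order: no HR record, HR status terminated, engagement end date
    in the past, and no login within `dormant_days` (hypothetical threshold).
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to revoke
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "no matching HR record (orphan or service account)"))
            continue
        if person["status"] == "terminated":
            findings.append((user, "HR status terminated"))
            continue
        end = person.get("end_date")
        if end is not None and end < today:
            findings.append((user, f"{person['type']} engagement ended {end.isoformat()}"))
            continue
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            findings.append((user, f"no login in over {dormant_days} days"))
    return findings


if __name__ == "__main__":
    # Run the reconciliation as of a constructed review date and print the findings.
    for user, reason in find_stale_access(HR_ROSTER, ACCOUNTS, date(2013, 3, 31)):
        print(f"REVIEW {user}: {reason}")
```

In practice the two inputs come from the HR system and from each system that grants access (directory, VPN, SaaS applications), and the check runs on a schedule so that a missed offboarding step surfaces within days rather than being discovered after the fact. Accounts with no HR owner deserve particular attention, since shared and service accounts are where a departed person's access most often lingers.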
Mitigating insider threats is an important consideration for many organizations, and there are best-practice “quick wins” and best-bang-for-the-buck solutions for organizations of all sizes. Securing your infrastructure and data in the context of a holistic approach to IT security will yield the best results. Part of that holistic approach should include making sure your employees don’t feel like outsiders, lest they start acting like them.