Some organizations are born with remote culture and security, some achieve it, and some have it thrust upon them. It’s important to understand that setting the wrong goals can backfire. Take a step back and look at some of the greater changes you face.
1Password came into the world as a fully remote organization 14 years ago. Even though we’ve opened two offices in that time, the majority of our staff still work remotely. Although nobody has an easy time of anything these days, we were in a far better position to adapt than most when we had to suddenly shutter those offices on March 10, 2020. It didn’t require the development and implementation of new security policies and practices for remote workers.
Yet we can understand what those suddenly thrust into such a change are confronted with.
It is our business to help people and organizations improve their security in ways that work for those people. Security for real people in real organizations is our bread and butter. Because of that, and our long-term experience being mostly remote, I feel that we can offer some advice that goes beyond the innumerable checklists out there.
What I say here isn’t going to be exhaustive by any means. Indeed, I’m deliberately keeping it short. And this introduction has already gone on too long.
Understand your goals
Start by determining if your goal is genuine information security for your organization, or if you’re seeking CYA (Cover Your Anterior) security. The latter isn’t so much aimed at preventing security failures as it is at shifting blame and responsibility for them.
- You create a policy that is difficult for people to realistically comply with.
- You wait for something to go wrong.
- You find a person who failed to comply and shift the blame to them.
- Your anterior is covered.
The major problem, of course, with CYA security, is that it doesn’t prevent things from going wrong. It also leads to unhappy people, who are either perpetually stressed by not being able to meet demands or who have simply developed contempt for those creating and enforcing those security policies. The benefit is that you are covered.
On the other hand, if you wish to promote genuine security, you’ll develop policies and practices that reduce the chance of things going wrong. This approach should reduce real risk, but it does mean that failures are the responsibility of those designing the policies and practices.
In real life, policies are going to be a mixture of both. It is not always possible to avoid some CYA security, but you should recognize when you are doing it. What is different now (as you have to learn how to secure your people and organization with everyone working remote or hybrid) is that there will be more cases where genuine security and CYA security come into conflict.
Two problems come into play more in the current situation: security fatigue and security absolutism. Security fatigue occurs when people are given so many security-related things to worry about, they are likely to just give up. Security absolutism is the incorrect belief that security is an all-or-nothing concept instead of taking incremental steps to reduce risk. And it’s highly destructive.
‘All or nothing’ gets you nothing
Let me walk through an example of where fatigue and absolutism come into play and harm security.
We correctly say that people should have strong and unique passwords for each and every service they use, but that doesn’t mean that having strong and unique passwords for only some of the sites and services they use does no good. In fact, that kind of absolutist thinking is wrong. Every single time you set a unique password for a service, you are reducing the risk of attack, even if you haven’t done so for absolutely all of the others. We need to remind ourselves that achievable incremental improvements are real security improvements.
Suppose Molly looks at her duplicate passwords report using 1Password Watchtower and sees 40 logins that do not have unique passwords. If Molly believes she needs to fix each and every one of those to be secure, she may just give up. But if she takes only a few at a time, starting with the services she uses most often, or that need the most protection, she can make real and substantive improvements.
Another example is software updates. Each and every time one of your users applies updates and security patches to their systems and software, they improve their security and the security of your organization. And this is still true even if they don’t patch everything. But if people think they have to update the firmware on their internet-connected toaster-fridge for there to be any gain from using the latest version of their web browser, they may not attempt to keep anything updated at all.
To genuinely improve security, we must help people understand that they should go after low-hanging fruit. Doing so will reduce their risk and the risk to your organization. This involves communicating that there are real, reasonable things they can do that will improve security and that security is not all-or-nothing.
Not Lake Wobegon
You need to try to understand your users. They are trying to do their jobs in what might be difficult and unusual circumstances. Their goal is to do their jobs; their goal is not to make the IT managers happy. And as you have to have your users perform more of their own IT tasks at home, you need to be careful to not target your rules and guidelines to what you imagine your average user to be. You need policies that will work for pretty much everyone, and not just the average and above.
You might also assume that your average user is a lot like you. As an IT or information security specialist, you may automatically think that everyone in every household has their own computer. But many households have one shared computer. They may even use the same account on that computer. You need to consider that not everyone has a private place to work at home, particularly with children out of school. There will also be a wide range of computing skills. So you can’t just target your instructions to what you imagine your average user to be. You want everyone to improve their security, not just the most sophisticated users.
One thing that we’ve found success with at 1Password is that we’ve set up a system to granting exemptions for specific policies. We would much rather know that Kim needs to use a third-party browser extension (and what that extension is) than to have Kim and others simply not comply with our browser extension policy. We don’t get mad when people ask for exemptions. We get mad when we find out that someone should have asked and didn’t.
Help and support
You can’t expect people to comply with security policies if you don’t give them the means to do so. You need to provide the help and support that your people will need to succeed at what you’re asking them to do. Sometimes it’s as simple as making sure they have the best password manager out there (hint, hint). That one is easy.
Let’s take another example: If you are going to ask people to make sure their home Wi-Fi is using WPA2, you have to do more than say, “Look at the (usually terrible) documentation for the router (that they don’t even know they have)”. This is going to be a tricky one. Each household is going to be different, and you are going to spend one-on-one time to help many people through that. This will take time and patience.
We learned something like this the hard way. One of our policies for people’s home machines is full disk (or file system) encryption. At the time we put this policy together, the only people with Windows machines were developers. Only later did we learn that Bitlocker isn’t available on Windows Home edition. Since then, we’ve paid for people to move to Windows Professional, and we have a few people who can talk others through setting that up.
In general, when you roll out a policy, be sure you have the support in place, so people don’t give up in frustration.
Understand what you can and can’t control
Just as you have to steer your users to go after the low-hanging fruit, you will have to do the same in terms of what you can control or see about your users’ systems.
Managers, particularly IT and security managers, like to know what’s going on with their systems and with their people. There’s a sense of visibility into activity you have when you can see people in an office, and when they’re on your network using machines, you provide for them. You aren’t going to have that. Even if you supply people’s home devices so you can install your monitoring systems on them, you won’t have the kind of awareness you want.
This doesn’t mean that you have to be blind. You can, for example, generate a number of useful reports with 1Password Business. There will be plenty of other things that you can and should see, but I’d also encourage you to accept that people’s home networks are not your networks. Highly intrusive tracking and monitoring of those is fraught with problems, particularly because those home networks are used by others in the household and for non-work activity. Before installing monitoring tools on those, be aware that some introduce points of attack, so you need to let your people know that you are doing so and that you don’t have the right to know about the non-work activity on those networks.
By understanding your goals, incorporating flexibility, offering sufficient support to your people, and learning to trust in what you’ve built, you can get through uncertain times with information security intact. When things return to normal – whatever that means for you – what you’ve learned along the way will undoubtedly serve you well.