Flipping the On(site) Switch: Ensuring Federal Employees Return to a Cyber Secure Workplace

MeriTalk recently spoke with Bobby McLernon, vice president of Federal sales at Axonius, on how Federal agencies can ensure employees will transition smoothly back to in-person working environments, while maintaining proper cybersecurity practices.

MeriTalk: Many agencies will begin sending employees back to the office this year. What implications does this have for cybersecurity?

McLernon: The cybersecurity implications are substantial. Last March, overnight, the Federal government went from roughly 20 percent of their workforce approved for telework to over 75 percent working from home. That’s over a million employees who used to work in an environment controlled and protected by IT and security teams, now working from kitchens, spare bedrooms, basements, and so on.

Assuming each Federal employee uses at least two devices, a minimum of 2 million government-issued devices have not been in the office for almost a year. That’s 2 million devices handling a variety of government data, all from home. At the direction of management, employees even invested in personal devices to ensure business continuity. All of this raises cybersecurity flags for government agencies.

Another implication is at the policy level. For example, agencies may choose to implement new health and safety measures because of COVID-19, such as temperature checks. This introduces two major complications: a new set of devices and additional regulations. The data from these devices is considered protected health information, and use of it must adhere to HIPAA regulations.

MeriTalk: What steps should cybersecurity teams prioritize before the Federal workforce returns to the office?

McLernon: The most important thing for cybersecurity teams to do is to align with agency leadership and agency mission. This not only gives teams a leg up in predicting how they can support the agency, but also helps with understanding the agency’s plan to return to work. Will the entire staff return at once or in a phased approach? Will some teams remain remote or go hybrid? Understanding the plan will help ensure a smooth and secure return to work.

Another important step before returning to the office is to run an asset inventory. It’s critical to determine what devices employees will be bringing back and establish if those devices are compliant.

MeriTalk: How can asset inventories provide a strong foundation for cybersecurity teams preparing for changes in the new year?

McLernon: A comprehensive inventory of all assets that connect to agency networks, including issued devices, cloud instances, virtual machines, and personal devices, enables cybersecurity teams to develop a punch list of how to close security gaps and ensure compliance. This is more important than ever as Federal employees return to the office with devices that are new to the agency network and potentially unsecured.

MeriTalk: Why is it important for agencies to take on a mission-focused approach, rather than a technology-focused approach, as cyber teams define their key initiatives for 2021?

McLernon: Once again, staying aligned with the leadership and mission of the agency is essential. Improving communication between cybersecurity teams and agency leadership has many benefits, including being able to better predict what will be needed. Is your agency expanding into new areas? Adding or reducing headcount? Undertaking new initiatives?

The change in administration makes this even more significant. With every new administration comes a new agenda. The cybersecurity leader who understands those goals will be in a better position to rise to the challenges of 2021. Cyber teams will then have a contextual baseline to guide their technology and staffing decisions.

MeriTalk: What are your recommendations for agencies shifting to hybrid working environments?

McLernon: Federal cybersecurity teams should review the latest guidance on remote and hybrid work. CISA released a draft Trusted Internet Connections use case last December, which lays out the network security patterns to secure remote user access to agency campuses, agency-sanctioned cloud service providers, and the web. Updating agency policies around remote access and BYOD to comply with this guidance ensures that staff have the same secure access when they transition to hybrid or in-person environments.

Also, NIST announced in September last year that it’s working on updating its teleworking guide (SP 800-46, last revised in 2016). It’s important to keep up with current guidance to ensure you’re able to maintain compliance.

MeriTalk: What cybersecurity tools or strategies do you consider vital for adapting to rapid shifts in work policies and practices?

McLernon: We’ve worked with a number of agencies that have seen significant ROI from investing in cybersecurity asset management. Many common challenges facing cybersecurity teams can be addressed with improved asset management, including:

Finding unmanaged devices
Identifying devices that are missing agents
Seeing which devices have malfunctioning agents
Discovering cloud instances not being scanned for vulnerabilities
Finding cloud instances that are misconfigured or not in compliance
Accessing contextual information about an alert
Identifying software that is not allowed on government networks

Cybersecurity asset management brings together data from many different sources to help give cybersecurity teams easy answers to these challenges.

MeriTalk: What are some best practices that can help agencies ensure continuous security interrogation continues after employees return to the workplace?

McLernon: IT infrastructure barely resembles what it looked like just five years ago. A recent survey that we commissioned found that 52 percent of virtual machines (VMs) now reside in the cloud, and 55 percent of organizations have active Internet of Things projects. The survey also found that security teams use an average of 108 security tools.

The changes in IT infrastructure place enormous pressure on IT and security teams, which are already struggling to find new management and security tools that can keep up. VMs, new devices, and new device types are driving complexity. Cybersecurity teams that stay nimble will better adapt to changing environments.

Aggregation of data from multiple security tools is becoming a key component of ongoing asset management. No single tool can provide a complete answer to the most important questions cybersecurity teams ask on a daily basis. Organizations using more than 100 security tools still report visibility gaps. Security complexity – driven by evolving threats and new regulations – drives more siloed investment in tools, which further compounds the visibility problem. The answer is aggregation of the data from all of those tools, so that agencies have an accurate picture of their security posture.

MeriTalk: How can agencies best invest in cybersecurity to support future modernization efforts?

McLernon: It’s clear that the new administration wants to prioritize Federal IT security initiatives. Every agency will have a tremendous opportunity to improve their security posture in 2021. Having a thorough understanding of your current environment will help you decide where to focus improvement efforts. Cybersecurity teams should ask:

Do we know what is on the network?
Can we see who is on the network?
What is happening on the network?
How is our data protected?

MeriTalk: What’s your final piece of advice to Federal agencies in planning a return to the workplace from a cybersecurity and asset management standpoint?

McLernon: Think about where we were on day zero of this effort. The government must have all of its resources, HR management, and law enforcement available on day one when everyone returns to the building. The IT professionals need to be ramped and staffed appropriately for reclamation efforts. It is critical that agencies have a plan to keep them security-compliant and moving forward in the eyes of the Office of Management and Budget, as well as taxpayers.

In regards to telework, government agencies have undergone a huge transition. IT leaders will face many challenges as the workplace adjusts and continues to evolve daily, from technical issues to worker accommodations. For example, leaders must be ready to continue to support hybrid and remote work for employees who may not be able to return to the office full time in the short term.

Finally, it comes down to the basics – identify gaps, mitigate threats, and invest in automation when you can. As a nation, we managed a transition to remote work overnight last March. Agencies that embrace lessons learned will surmount the challenges of transitioning back onsite as well.

Axonius is the cybersecurity asset management platform that gives Federal agencies a comprehensive asset inventory, uncovers security solution coverage gaps, and automatically validates and enforces security policies. To learn more about why asset management matters for Federal cybersecurity, read this complimentary ebook.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.