Cybersecurity, Emerging Issues in Security, Policies and Training

Managing Security in the Age of ‘The Big Quit’

COVID-19 has changed work more than any event in modern history. At the onset of 2020, unemployment was at an all-time high, as businesses were forced to trim their teams or, in more extreme cases, shutter entirely. Now, nearly 2 years later, we’re facing another form of unemployment, but this time, it’s employees in the driver’s seat. 

remote work security

Chalk it up to a recovering economy and extra time to soul-search, but sky-high attrition rates have launched us into a new era of the pandemic being called “The Big Quit.” More than 20 million people quit their jobs in the second half of 2021 (U.S. Bureau of Labor Statistics).

According to data from LinkedIn, millions of baby boomers are retiring early, but millions of Gen Z workers—in their teens and early 20s—are quitting, too. It’s the highest resignation rate since the government started keeping track 20 years ago.

For businesses that want to survive and thrive, the time for introspection is now. Many companies have made positive changes, such as more competitive pay and better benefits, including flexible working hours and increased time off for primary caretakers. But no change has been more significant than the shift to remote and hybrid working environments. 

A recent survey from FlexJobs showed that 58% of respondents prefer to work exclusively remotely post-pandemic, while 39% want a hybrid work environment. Many companies have permanently adopted some form of work-from-home (WFH) policy, but it’s also presented some real challenges, the first and most glaring being security concerns. 

The response to increasingly insecure work setups has been an equally strong increase in zero-trust frameworks. O’Reilly describes zero trust as following five tenets: The network is always assumed to be hostile; external and internal threats exist on the network at all times; network locality is not sufficient for deciding trust in a network; every device, user, and network flow must be authenticated and authorized; and policies must be dynamic and calculated from as many sources of data as possible.

With news of prevalent ransomware and phishing attacks—most that originate from the inside—it’s easy to understand why a zero-trust framework is attractive, especially when you consider the added entry points for workers on their home networks, outside the safety of a centralized IT system. But with its benefits come downfalls, from hindering productivity to, as the name implies, a distrust of employees. 

Job satisfaction is a crucial part of employee retention, and professionals have made it clear that the opportunity to work at least some of the time remotely is important. However, the rush to adapt to wider-scale remote working, no matter how well intended, has left employees frustrated with how they were treated in the “new normal” at work. Whether voyeuristic systems that track employees’ every move or cumbersome IT processes that make it difficult to get work done, WFH culture has come with growing pains. 

As far back as 1995, long before WFH was even possible, Harvard Business Review speculated about the promise of viable work virtuality due to the increasing growth of oversight systems. “Audit mania” and relinquishing trust from employees were foreshadowed to be a self-fulfilling prophecy. What reason do employees have to trust their employer if they are seen as untrustworthy? What does that do to motivation? We all know good relationships are predicated on trust, and zero-trust-style heightened monitoring and security practices, although part of the solution, are also part of the problem. 

From the perspective of both a business leader and a 30-year security industry veteran, I absolutely believe that the feeling of mistrust has influenced employee dissatisfaction during the pandemic. On the other hand, there is no doubt that in a remote world, zero-trust paradigms are needed—specifically, expanding the security boundaries from the network perimeter to the application layer and down to the endpoints. However, there are ways to roll out zero-trust initiatives that are less disruptive than others. 

  1. Focus on critical assets first: Not all data in the enterprise is equal, and the security tools protecting it shouldn’t be either. By ensuring the most friction applies only to sensitive data, you can limit worker frustration by removing unnecessary hoops to access applications necessary to get work done. 
  2. Define normal: By not understanding who has access to what across an organization, everything looks like an anomaly. This means inordinate friction will be applied to common-access situations. To avoid this, make sure zero trust starts with a very thorough and accurate identity governance program.   
  3. Just-in-time access and reviews: Too often, reviews and permission updates are done in a bespoke system that isn’t timely or aligned with daily business workflows. Permissions to the application layer are critical in any zero-trust rollout, and the ability to review or add access at the point of need is key. 

Remote working, at least in some capacity, is here to stay. Better security is needed to protect the enterprise, but if implemented incorrectly, your organization may do more harm than good. The onus is on businesses to regularly assess users’ account access and increase or decrease it to only what they need to accomplish their daily work. It’s equally important to do this in a way that is communicated effectively and doesn’t feel like surveillance.

John Milburn is CEO at Clear Skye, an identity governance and administration (IGA) software company. Milburn is dedicated to closing the value gap that has existed in the IGA market for the last 20 years. With more than 25 years of enterprise software experience, he brings with him a deep knowledge of the security and identity management space. He previously held executive roles at renowned organizations such as Quest Software; Dell; and, most recently, One Identity. You can follow Clear Skye on Twitter and LinkedIn.