DoD Study Shows Why WFH and Hybrid Work Remains Difficult

Nearly 15 months after the COVID-19 pandemic hit the globe, work-from-home remains a work in progress.

After the World Health Organization declared COVID-19 a pandemic in March 2020, companies and government agencies took the unprecedented step of moving workers out of traditional offices and sending them home, creating a never-before-seen burden on IT and security staffs to not only keep employees productive but safe from cyber-attacks. In many cases, cybersecurity became an afterthought during the race to get employees and their home offices up and running.

Yet despite these burdens, work-from-home worked for enterprises. Now, many tech firms such as Microsoft and Amazon are readying to welcome workers back later this year. The New York City government is also moving toward bringing municipal workers back as vaccines become more available.

Despite the last 15 months, organizations of all sizes are still trying to learn the lessons from the WFH experiment and how these might be applied to future situations. There also remain questions of the long-term effects of WFH on both employers and employees. A recent report from the U.S. Department of Defense Inspector General’s Office potentially holds some answers.

With over 3.2 million active-duty military personnel, as well as civilian employees and third-party contractors, the Defense Department remains one of the biggest employers in the United States (and the world) and DoD is in the unique position of determining what is working, and what is not, with WFH. As part of the study, the IG’s office surveyed more than 54,600 Defense Department employees. Of that number, 82 percent reported working from remote offices between March and August 2020.

Unlike many other organizations, the Defense Department had a plan in place for over a decade to specifically address a pandemic and employees switching to remote work. 

This included the “use of laptops, high-speed telecommunications links, and other systems that enable personnel to perform essential functions while teleworking. The plans should also include the requirement to test telework procedures, the impact of Government-wide mandated telework on internal networks, and backup plans for communications infrastructure,” the report noted.

Despite the planning, work-from-home in the wake of COVID-19 was not a seamless experience for the Pentagon, according to the IG’s report.

“Of those who teleworked, survey respondents reported problems accessing DoD Component networks, voice and video teleconference applications, and identified shortfalls in Government-furnished equipment available to DoD personnel when their Components first transitioned to maximum telework in mid-March 2020,” the IG found, although improvements were made over time and employee experiences became better.

Monti Knode, director of customer and partner success at security firm Horizon3.AI, notes the Defense Department and its workers experienced many of the same issues as its private sector counterparts, with the added burden of remaining combat-ready.

“At a massive scale, the DoD is struggling with the same aspects of work-from-home as the rest of the country, but in addition to being productive, the DoD must ask: ‘How can we continue to be combat effective?’ Being combat effective is a binary answer; either you are, or you aren’t,” Knode told Dice.

Shadow IT and Security

The Defense Department IG report also found that when employees needed applications to complete their work, they would routinely find workarounds, including Zoom for cloud-based video conferencing, as well as other apps and tools not fully approved by the DoD’s guidelines.

By using unsecured apps and hardware, however, Defense Department employees opened the door to various security threats and potential hacking. “Using unauthorized applications or sharing DoD information over improperly secured devices, even temporarily, increases the risk of exposing sensitive departmental information that could impact national security and DoD missions,” the report notes.

Rick Holland, CISO and vice president for strategy at security firm Digital Shadows, noted that the flexibility of remote working also opens the door to numerous cybersecurity risks for organizations like the DoD. This includes an expanded attack surface, since security and IT teams need to manage devices, such as phones and tablets, along with apps that can now access government resources and data.

“The challenges of remote working likely means that organizations don’t have the same security controls as you would when working in the office,” Holland, a former U.S. Army intelligence officer, told Dice. “Depending on how traffic is routed, some web browsing might not have any network-based inspection. In an office, all the traffic would have some level of inspection. Endpoint-based security controls are even more critical when you don’t have the robustness of on-premises network security that working out of the office provides.”

Other reports also found that, over the last 12 to 15 months, remote work posed numerous cyberthreats. In its annual security assessment, security firm FireEye found that technology used to connect employees, especially IT staff, to resources and systems such as Remote Desktop Protocol and VPNs were frequently targeted by cybercriminals and nation-state hackers alike.

“Threat actors capitalized on infrastructure deployed to support a remote workforce by exploiting new and old vulnerabilities for initial access,” the FireEye report notes. “These trends underscore the importance of sound fundamentals such as vulnerability and patch management, least privilege and hardening.”

These types of issues around remote work are driving the Defense Department, along with a myriad of other organizations, to consider new approaches to security such as zero trust.

“The DoD is already looking into zero trust architectures,” Holland said. “Remote working should drive this further; however, procurement cycles must be more agile to bring appropriate new technologies. Remote working could help the Department of Defense fight against brain drain to the private sector as well.”

Tim Wade, the technical director for the CTO Team at security firm Vectra, notes that the work-from-home experiment created tension between the Defense Department’s desire to be forward-thinking regarding remote work and the issue of legacy systems and ways of conducting day-to-day operations that affect how IT and security teams work.

“Remote work has acted as a forcing function to break some of these cultural norms, disrupting where some of these non-productive bureaucratic tendencies would have otherwise continued to stifle forward progress. That’s a net positive, but the downside is that in the federal sector especially there is the need to maintain and support legacy systems whose security design and architecture places expectations around access that may be broken in the face of remote work,” Wade, who served in the Air Force, told Dice.

“This creates tension where, on one hand, real net productivity may be a perceived benefit of remote work even as there are highly operational security costs elsewhere that must be carried,” Wade added. “Nonetheless, despite this risk, this is fundamentally a step in the correct direction and exposes key areas of additional opportunity both from the standpoint of future system and security architecture as well as the sector’s total workforce productivity.”

Silver Lining

Even with IT and cybersecurity concerns, the Defense Department report does note that many employees found benefits to working from home, which could help shape how the so-called hybrid workforce develops over the next six to nine months.

The IG found that about 88 percent of those surveyed reported their productivity level remained the same or increased during this time, and that over 37,000 respondents wanted to keep teleworking into the future. Some of the reasons included less commuting, work-life balance and flexible hours.

Joseph Carson, chief security scientist and advisory CISO at security firm ThycoticCentrify, suggests that even with the desire to stay remote, employees remain at risk and security needs to remain part of the conversation.

“For federal employees, sensitive government data, along with privileged access on those systems, are more exposed than ever before, making new targets for cybercriminals to take advantage of unsuspecting victims’ trust or curiosity,” Carson said.