Jim Hebler has worked in cybersecurity for nearly 18 years. He started out covering technology as a journalist for two daily newspapers, The Detroit News and USA Today, then got into private sector communications. After that, he trained with HP Vistorm, a special security operations department, and got his CISSP. He is now the Americas Cyber-Security Solutions Director for Pulse Secure, and was drawn to the company because, as he says, “At each step of my career, Pulse Secure was always at the forefront of providing encryption, single sign-on additional context, two-factor authentication and the ability to encrypt and authenticate securely from a mobility perspective.”
Read on to learn more about Jim’s insights into how to transition to remote working at this particularly challenging time.
Q: I'm imagining you're fielding lots of interest in secure access as companies move to remote work at this time?
A: Yeah, our partners and our distributors are overwhelmed with requests right now, both from existing customers and new customers, but we are facilitating till May 31st that we will get organizations connected with VPN licensing right away as you work towards what would be a good permanent solution. This could include In-Case-of-Emergency-Licensing, which is “burstable” for as many users as an organization needs for eight weeks or, if they want to be even more long-term-secure and more cost-effective, a one-year subscription. This enables organizations to purchase additional licensing for the increased workloads of folks working at home, as human beings and organizations practice social distancing. We’re getting organizations onboarded right away and then figuring out on the back end what makes more sense for them in terms of a permanent solution post-coronavirus.
Q: It sounds like you have regular clients who either already have a full remote workforce or part of their workforce is remote sometimes—and then you also deal with the kinds of situations where maybe companies are not set up necessarily to work remotely or they're not set up for the kind of scale needed. So, you’re saying you can give them the option to transition permanently to work remotely or just allow them to set up an interim solution if they need that?
A: All true. In most enterprise organizations, the percentage of those who work remotely and need the best-in-science support that Pulse Secure provides tends to be around 30 to 50 percent of the workforce when in what we will call normal “non-pandemic” times. However, when a natural disaster like this occurs—whether it's a pandemic, whether it's an earthquake, whether it's a hurricane situation, floods—cause a business outage for business continuity and disaster recovery purposes, Pulse Secure is able to go “burstable” with the In-Case-of-Emergency provisioning for eight weeks, basically enabling organizations to double or triple their mobile workforce. In-Case-of-Emergency Licensing is a digital cybersecurity insurance policy that allows the time and the wherewithal to strategize a good permanent solution coming out of the eight weeks. Right now, hearing journalists and prognosticators and the government, it seems like the length of term for this disaster is anywhere from two months to six months. And so, organizations that may have to move forward with a more mobile, separated social distancing-type work provision may need a full year of additional licenses or six months. Pulse Secure has tried to craft—and I think we're very successful—flexibility and dexterity to keep businesses moving forward with sustained collaboration, enabling them to make progress serving their customers. Once we are past the “peak” of this pandemic and we've got it quantified and quarantined, we can return to normal life from both the business and personal perspective. Right now, we have this special no-questions-asked program until May 31st. If this situation continues beyond May 31st, I would anticipate we’d be flexible and would probably address it at that time.
Q: Great! So obviously there can be challenges in transitioning to remote, like offering an opportunity for hackers. Are there other dangers that companies should be thinking of as they transition their workforce?
A: Absolutely. In fact, if you look at what happened in recent news, the Federal government's healthcare and Coronavirus website was hacked. Hackers are trying to create confusion and slow government response. And from a personal computing perspective, oftentimes if you're not used to working at home, it's a very smart aid to have leading-edge secure access provisioning on your laptop so that every time you sign into the office and enterprise applications, you're encrypted and authenticated.
The other recommendation that I would make is to frequently change your passwords. For example, instead of changing your Microsoft Office 365 account password every quarter or every three months, maybe now you want to be changing those passwords every week or two. Hackers will try to exploit and get records, databases, personal information, financial information—and this is a ripe time with people adjusting to the need to be cyber-aware when they work at home. It's very important that you make your attack surfaces and attack vectors invisible, so changing passwords for Microsoft and for office enterprise email accounts is mission critical. It’s also crucial to update and patch all of your antivirus software.
We've got to look out for each other. Some of our competitors have solid secure access solutions as well. So, if they're not leveraging Pulse Secure, there are other methodologies to make sure that there is additional context to two-factor authentication, such as encryption, single sign-on, and extra layers of protection so that hackers can't see where you're going, what applications you're accessing, etc. All those cyber hygiene recommendations I just made are mission-critical to ensure productivity and to ensure that your people working at home are managing their business and their mission-critical assets, people processes, financial records, and other data-devices to the best of their ability.
Q: That's great advice. Obviously, there's a lot of concern about business failure in general, so how can someone be proactive about protecting their business?
A: The way to be proactive is to use common sense and be ultra-aware. Also, there are ways to encourage true business collaboration and productivity. We can still have face-to-face meetings via our laptops with Zoom calls, WebEx, and FaceTime. Collaboration software enables us to share screens, to share data. Microsoft Teams is another great resource.
But there are other things to do when you work at home that are not related to cybersecurity. A lot of people like going to an office, they feel more productive when they go to a place with structure, when they are working face-to-face or having lunch with their colleagues or working in an office environment with their own dedicated space. Even though you're working at home, you should still wake up and be structured when you go to work remotely. Make sure that you're getting out of your sweats or your pajamas or your casual wear and going through the process of actually putting on something that's crisp or just your company shirt. Make sure that you still apply the same structure and attention to detail as you would at the office so that you don't get overwhelmed by the change in how you work and how you connect digitally.
The best way to pursue business continuity is to pursue the same outcomes, the same activity list to be truly detailed in your hours and how you're spending today. I also think a great piece of advice I’ve heard is to make sure that you don't rely only on email and nothing else. Colleagues should call each other and get on the phone. If you're close enough and you want to keep six feet apart, walk your dogs with a colleague at lunch. Anything that you can do to retain that sense of normalcy and collaboration, especially for those that are not used to working from a remote environment, is mission-critical to get through this crisis and keep things as normal and expedited as they would be if you were going to the office every day.
Q: Do you have any examples of mistakes you've seen? You know, cautionary tales, such as things that executives should avoid?
A: The biggest mistake that we see is not making sure your security solutions are updated. And let's say that speaking from a Pulse perspective, if your secure access software or your platform is on the end-of-life MAG or SA platform, while you're preparing and we can still protect a MAG platform, this is a great time to work with your Pulse and Cadre specialists. If you're using another provider, make sure that you use this as an opportunity to upgrade and update all of your software so that you're using the latest and greatest tools. One of the biggest areas of concern that executives and organizations have is if point solutions and/or their software is out of date and not speaking to each other in the latest, greatest software configurations, it’s a perfect time for hackers to exploit that lack of updating and upgrading. So, this is a chance, even in the short term, to update and upgrade and do necessary patching as you develop your work-at-home secure access solutions.
Q: If execs want to be as strategic as possible while making this transition, what advice would you give to them? What should they be thinking of?
A: What they should be doing is asking the basic question, “What is the worst thing that's going to happen?” And, putting on my disaster recovery hat, having worked at SunGard and in the authentication space and building a security practice around disaster recovery, 60% of businesses that suffer a major outage that lasts more than a week are damaged permanently and/or are affected for up to two years and/or lose their business. A lot of times, small to medium businesses don't survive—and so what executives and leaders have to do is prepare for the worst-case scenario. As of right now, we're operating like this is going to be at least two to three months.
Make sure you ask questions like, what is mission critical? Who really needs to be connected to the network? What activities and disciplines need to be maintained? What productivity needs to be ensured? How do we prioritize the mission critical so it keeps moving forward? What are your Recovery Time (RTO) and Recovery Point Objectives (RPO)?
As I mentioned before, be sure to keep structure and collaboration going by using video conferencing tools and using the shared collaboration offered by Microsoft Teams, Zoom, and WebEx. And the other thing is, I would be adding a weekly or bi-weekly call with my security providers to make sure that we're doing solution health checks, talking about our security roadmap, and reviewing our technology availability plan within our business continuity plan.
Make sure that you're getting and gaining the insights of the experts around you to do a checklist. You can't be expected to focus on your core business and also think about these nuanced issues that could affect and damage your business long-term if you make a mistake. Then, upon doing all of those things, relax, keep working, keep focusing on your core business and know that we'll get through this if we focus on the attention to detail and work collaboratively together in the hopes that we return to normal in the next couple of months.
Q: In the type of scenario where a company has plenty of lead time to sort of think through their strategy to go remote, what's the best way to approach that?
A: The best way to be prepared and think about doing that is to conduct a prioritization. This is a real short and sweet overview of what I would call a technology availability plan. Who are the most important people, and what functionality do they bring to the table that is mission critical to keep our business moving forward and healthy? How do they move key activities forward, even in a reduced or strained state until this crisis comes to a conclusion? You need to prioritize who really needs to be connected to the business. You also need to plan for more communication because the one thing that’s guaranteed is change, right? So, you almost have to incorporate and manage to a change strategy. And if you're managing to a change strategy and your chief people aren't seeing each other face-to-face, working in conference rooms or going out on company lunches, you need to be doing that virtually.
Q: I just am curious if there's anything else that you feel clients are bringing up as a big concern that I didn't ask about that you think would be relevant?
A: The constant theme that I keep sharing is communication and attention to detail. In that spirit, I encourage organizations that go to Pulse Secure or another secure access to over plan and have more licenses than you think you need. It’s easier to fall short of your ceiling and still stay connected than it is to come up against the wall. We’re doing orders around the clock, weekends, 15-hour days. You don't want to order your provision, then fall short and then have to go back and bump it up again.
For more information on Secure Access, working remotely and ensuring best-in-science cyber-hygiene, contact firstname.lastname@example.org, email@example.com or call 888.TO.CADRE.
Interview edited for conciseness.