Field workers don’t need more access, they need better security

In this Help Net Security interview, Chris Thompson, CISO at West Shore Home, discusses least privilege and credential hygiene for a field-based workforce. He covers access management, authentication practices, and data risk processes that support employees in the field. Thompson also outlines security awareness efforts and how field teams are integrated into an organization’s security posture.


How do you think about least privilege when your workforce is mobile and time-pressured rather than desk-based?

There is no distinction between the field worker and a corporate worker when it comes to least privilege. If least privilege is defined as having the access you need, but nothing more, it becomes clear that the principles are largely the same for both environments. The assumption that a field worker needs access to “everything” to avoid issues in the field has been moved away from.

The focus is on ensuring the field worker has the access necessary to support their work, while maintaining safeguards against granting excessive privileges. Knowing where the employee will be and what data they need to access allows roles to be built in identity and data systems to support their fieldwork, along with a support process they can easily use if issues arise.

What does good credential hygiene look like for a field workforce, and how is it different from what works in a corporate environment?

The traditional model for supporting field workers often allowed for the use of generic shared accounts with passwords that would never change. The idea was that logging in needed to be fast, easy, and very low friction for the field worker. In today’s environment, however, threats such as ransomware make this kind of account management unacceptable. Field workers are given individual accounts rather than relying on shared generic access, and multifactor authentication is used to protect them.

Moving away from generic accounts being considered acceptable to being forbidden is probably the biggest change seen over the years, when field workers were allowed to operate at lower levels of security for the sake of convenience. The technology that implements MFA is easier to use, and it is widely adopted. There is no longer a distinction between field and corporate employees with respect to account security.

Home services companies hold a pretty sensitive combination of customer data. How do you think about communicating that risk internally to get the right prioritization?

The cybersecurity program and associated risks are routinely reviewed with the Chief Technology Officer and the Chief Compliance and Risk Officer on a bi-monthly basis. These discussions focus on technology and data risks, along with mitigation efforts. Topics range from technical concerns to legal and regulatory requirements. These meetings help ensure focus on the correct “big picture” issues and steady progress in addressing them.

In addition to executive level discussions, the cybersecurity team is continually engaged with the technical teams that create and maintain our environment. The purpose of these discussions is to review technical configuration risks at a tactical level and to get the necessary mitigations designed and implemented. The key takeaway is that this process is continual. We focus on risk mitigation every day/week, not quarterly or annually as older, more traditional risk management frameworks might have worked in the past.

What does security awareness look like for a workforce that’s largely field-based? What works versus what sounds good on paper?

This is a great question. On paper, the security awareness programs would look very similar for field and corporate employees, but the reality is field workers often do not get the chance to view the training materials. This is purely a logistical challenge, as they are not online as often as the corporate worker sitting at a keyboard all day.

It has been found that field workers are more easily reached during the daily “toolbox talks” that take place before they leave the warehouse. This creates an opportunity to highlight the most significant cyber risks they may encounter and provide practical guidance on how to avoid or report issues. By periodically incorporating security topics into these discussions, relevant information can be delivered quickly and far more effectively than through email-based training links.

How do you get field teams to see themselves as part of the security posture, not separate from it?

We are a company that seeks to use technology every step along the way and that includes our field workers. Understanding and utilizing technology is necessary for them to be successful in their roles, therefore, it is easier to make the connection between the technology they use, the potential risks they face, and how they can protect the company while using technology.

I think it would be much more difficult to convince field workers that are never expected to use technology to see that connection. The goal is to create a culture where security is just part of what we do. By eliminating generic shared accounts, using modern protection schemes such as MFA, and including everyone in our training program, we hope to establish that connection and embed it in our normal experience.
