Managing Security for a Remote Workforce: Mimecast IT’s Experience

For Mimecast, like many other organizations, the COVID-19 pandemic created the challenge of managing an unprecedented expansion in the number of employees working remotely. In this post, two of Mimecast’s key internal technology leaders—Rich Arsenault, VP of Infrastructure and Services, and Neil Clauson, Senior Manager, Security Operations—share what they’ve learned about managing and securing a remote workforce during this extraordinary time.

Q: How do you manage technology strategy at a time like this, when the situation is continually changing and the future looks so uncertain?

Arsenault: We’re continually making decisions about the unknown. We’re collecting far more data about what we’ve done, where our employees are, and how we feel about where we are. In IT organizations, you typically had an end result in mind: you knew what you needed to deliver, and when. But we can’t know how long COVID-19 will last. At first, we thought we’d be back in the office in June. Now, we don't know.

So we need to manage on a shorter-term basis, understand our business requirements even more closely, and drive toward accomplishing them as securely and thoughtfully as possible. We know our goals for the current fiscal year and our requirements for our customers. And we’re executing to that plan.

Q: Can you give us an example of how you’re doing that?

Arsenault: For one thing, we’re even more focused on how we engage with customers. Our people need technology to be productive in conversations with new customers, and keep collaboration moving forward in a sales cycle. And we need to strengthen relationships with existing customers. How do we provide tech to individuals in our large support organization, so they can not only engage with customers, but also with their peers? Previously, a call center rep could just lean over and ask their neighbor: I have this problem, have you seen it, and what did you do?

We’ve seen a 1000% increase in Slack utilization. We went from 1,500 Zoom calls a week to 2,000 a day, 80% of them video. It’s not just having those tools; it’s making sure people know how to use them. It’s understanding: is the tool efficient? Does it meet business requirements?

Q: How do you discover whether the tools are working for people and the company, and what do you do about what you learn?

Arsenault: We survey people constantly. We’re running another IT survey right now to collect feedback on the workplace environment: how we’re working, what IT can provide to them. We’ve also provided additional funding to help employees get comfortable in their home workspaces.

Even simple home working needs can require new solutions. Let’s say an employee has buy a ream of paper for their home printer. Before, they might have taken a ream home from the office. Now we need tech to help people get that paper and correctly expense it. There can be a lot of process involved in that.

Q: You’ve been leaders in transitioning to cloud. How is that working, in terms of managing a remote workforce?

Arsenault: We’ve led the organization as a cloud-first business: 90% of our business applications are cloud-based today. And we’ve seen that linear scalability in these platforms without a corresponding increase in resource allocation on our side. For us, cloud has scaled the way it was supposed to.

We’d planned for high utilization peaks, but nobody expected what those would look like in a work-from-home scenario like COVID-19. And honestly, some estimates were off by magnitudes. Think about email increasing by 300%. It’s great we had Mimecast cloud technology to scale that, but we never expected that kind of increase. Our Exchange environment was challenged. Was it without pain? No. Was it successful? Yes.

Q: What about the security implications of depending on cloud applications?

Clauson: The more cloud-based resources you have, the less people need to VPN into the network. Without cloud-based patching, vulnerability scanning, and endpoint systems, you could lose visibility of devices that aren’t coming back in as often. So security also needs to move towards the cloud, as well, to maintain that visibility.

We’ve done well in avoiding use of unsanctioned services, but many companies do face that problem: people use some unsecured web app because it’s easier. Now that they’re not VPNing in, traditional firewalls don’t prevent that. We set ourselves up for success because we use our Mimecast cloud-based security agent. But companies that haven’t invested in cloud security can lose assurance.

As for cyberattack forensics, if you hadn’t invested in a cloud-based endpoint detection and response tool, and your incident response solution was to walk up to the affected individual and take their laptop, security for remote employees would be a real challenge.

Q: What are you hearing from your peers?

Arsenault: The peers I’ve spoken with who’ve leveraged cloud have had similar experiences. They’re generally happy. Others are still fighting fires, still getting the business operational. One peer has call center operations in Las Vegas. They had to go buy every laptop at Best Buy to enable their call center people to operate from home. Fortunately, 90% of Mimecast’s employees had done some work from home already.

Q: Can you talk a bit more about the security implications of working from home?

Clauson: Part of the challenge is that your computer is always on. What happens if your kid hops on and starts browsing inappropriate sites? It’s a traditional problem, but now it’s magnified, because people are working from home more, and they’re in and out of the house during the day.

Arsenault: We’ve made a concerted effort to use Mimecast products like awareness training. So employees are getting very targeted awareness training to focus on challenges like: don’t leave your laptop somewhere. In practice, we’ve had a bigger problem with people spilling things. We’ve lost more laptops from accidents than ever before.

Clauson: There’s also backup. How do you make sure laptops are backed up, and privacy controls remain in place? We follow a defense-in-depth strategy, but all the tools need to work together to seamlessly integrate IT functionality, security, and productivity.

Users are stressed. The more pressure you put on them for stuff they may not consider critical, the higher your risks. So, avoid friction wherever possible.

Q: Mimecast’s business is security. How does that affect the way you manage remote staff?

Arsenault: Security is baked into everything we do and every employee knows their responsibilities. We send them updates from our CISO about what to be aware of—not only for their corporate world but for their personal world. We all know spam and phishing volumes are through the roof right now, and we want to protect our people completely, not just their work environments.

Q: This raises the issue of making security part of the organizational culture.

Arsenault: We say security is a team sport. It should be baked into your culture—and if it isn’t, this is a great time for a culture change. COVID-19 is changing almost everything about how companies operate, why not make security a stronger part of your culture?

I see my peers saying: now is the time to make strategic changes in how we interact with employees and what our expectations are. Employees are much more open to it. We used to see cultural differences based on geography, but we don’t see that with the Coronavirus. Worldwide, everyone wants the same result, and everyone wants to be part of the team.

Clauson: In the midst of adversity lies opportunity. Enlightened companies lean into the pain a little.

As we discussed before, we’ve been good about asking employees to participate – asking them how they’re feeling, what they’re struggling with, what’s painful. The more you involve people, the more likely they’ll adopt the changes you want. We say: we’re all in this together. Help us help you.

Arsenault: Working at home, we don’t fire as many Nerf guns at each other. That face time always helped us build relationships and culture. Now, we’re bringing on new staff that hasn’t had that opportunity.

Clauson: Many of the people we’ve hired in the last 90 days have never been to a Mimecast office. So we’re teaching our culture remotely, through extensive onboarding, and through Zoom.

Q: How is that working?

Clauson: It’ll take a while before all the data comes in. As an operations person, I’m comparing productivity. Yes, it’s taking a few more resources to get this year’s new people up to speed, but the data so far suggests that within weeks they’re showing the same efficiencies as last year’s new hires.

Q: Is there anything else you’d like to say about securely managing a workforce in the current environment?

Clauson: The organization needs to be fully aligned. Rich and I get along great. In a lot of companies there’s a great deal of headbutting between IT and security. If you have the two competing, it’s time to bury the hatchet. It’s Rich and I against the world, not against each other.

The Bottom Line

The pandemic-driven shift to remote working has created unprecedented technology and security challenges for many organizations. Success depends on smooth integration of cloud applications and security, extensive communication both internally and externally, and using remote tools to strengthen culture as well as productivity. The shift to remote working presents an opportunity—and means it’s even more important—to make cybersecurity a key element of organizational culture.