Security becomes a greater challenge as more people work from home due to the coronavirus. Learn how to better protect your organization and employees.
The ongoing spread of the coronavirus is prompting more employees to work from home, either of their own volition or as required by their employers. Handling internal security for an organization is tough enough, but when you must also deal with a soaring remote workforce, the security demands can become even more difficult.
What are some of the security challenges involved with remote workers, and how can you ensure that your organization stays strong and protected against cyberthreats during this time? Here are the thoughts and recommendations of several security experts.
What are some of the threats that organizations should watch for given the increase in remote workers?
Paul Lipman, CEO of consumer cybersecurity firm BullGuard: We're seeing a rise in phishing attacks as a result of the rapid move to remote working for a large number of people. This is especially problematic for small- and medium-sized businesses that don't have the advantage of full-time IT and security staff to monitor and enforce adequate protection.
Large enterprises typically have established work-from-home practices and the infrastructure and systems to support this. The same is not true for smaller organizations that have had to make an abrupt transition without the requisite training, technologies, or procedures. This opens small to medium businesses up to potential compromise from hackers who are looking to take advantage of the uncertainty and instability inherent in this transition.
Dr. Sundeep Oberoi, global head of cybersecurity services for Tata Consultancy Services: People accessing applications that were hitherto not accessible remotely. The risk here is that the applications being accessed are not enabled for strong authentication and encrypted communication.
Also, people accessing applications using their own personal or unmanaged devices. In the case of remote working, so far the best practice was to have managed devices with appropriate controls such as data loss protection, updated anti-malware controls, and a capability to be centrally monitored. With this sudden huge increase in numbers of remote workers, the lesser security of the endpoint devices that they use may prove to be a significant risk.
Ben Goodman, CISSP and senior vice president of global business and corporate development at digital identity company ForgeRock: Organizations, especially those that predominantly operate with onsite workforces, may not be able to allow remote access to corporate systems. This is because traditional perimeters, such as firewalls, that are designed to block bad actors can also block a company's remote workforce from accessing the resources to do their job.
To accommodate remote work, IT teams may need to open up gaps in their corporate network and security policies to allow the entire workforce to access certain apps and services remotely. This could leave holes for bad actors to exploit and compromise business-critical data in on-prem apps that were previously inaccessible from the public internet.
What are some of the risks to the remote workers and to the larger organization?
Oberoi: When people who are not used to remote working begin to work remotely, they might be a bit careless in ensuring they follow security precautions carefully. This is because they usually work within the "perimeter," and that gives them a higher degree of protection. Therefore, good security practices must be reinforced by awareness programs that enable them to work remotely in a secure manner.
Carelessness can lead to liability for some remote workers, depending on the conditions of their employment. For a larger organization, a significantly enlarged remote workforce increases the attack surface and hence the risk of a breach.
Sam Roguine, director at data protection provider Arcserve: Remote workers bring laptops into their home environment, and tons of devices outside of IT teams' control are suddenly in the same network. This significantly increases the attack surface and the possibility of being crippled by ransomware or other malware. When IT teams provide employees access through a VPN, those extra devices may inadvertently be given access to the organization's data center as well. IT teams and CISOs need to prepare for an influx of inside attacks, coming not from external, but internal sources.
Lipman: Organizations will be exposed to a higher level of risk as a result of cybercriminals attempting to capitalize on the weaknesses in defenses as companies adjust to the "new normal" of remote work. IT organizations will be distracted for the weeks and months to come as they address operationally-pressing issues--whether it is ensuring adequate communication and connectivity for employees, implementing collaboration tools, or ensuring that existing systems and processes can scale. While cybersecurity will be on their list of priorities, it will be competing for attention with many other balls that have been unexpectedly thrown up in the air.
What are some mistakes organizations might make dealing with remote workers?
Ed Bishop, CTO and co-founder of email security firm Tessian: One mistake businesses could make is putting in place security solutions and policies that restrict the ways people want to work. While blocking access to data or putting rules in place to limit employees' activity could help stop data falling into the wrong hands, such measures can impede productivity if too restrictive. Businesses need to empower employees to work securely, without security getting in the way of them doing their jobs.
Goodman: VPNs, virtual desktops, and other methodologies that businesses traditionally use are not easy to scale for large companies as they are driven by compute power, and they don't provide the same scalability and flexibility as cloud services. Companies will quickly learn that trying to find secure ways to provide access with these types of traditional remote strategies won't be possible, and IT teams will inadvertently create several security gaps for threat actors to exploit.
Ori Bach, CEO of security firm TrapX Security: Some mistakes that organizations might make when dealing with remote workers include not enforcing security policies and role-based access control across the corporate domain. Other mistakes include not having comprehensive logging and monitoring solutions in place, or not deploying endpoint protection and MDM (mobile device management) across the organization.
Security measures can also be weakened if non-compliant devices are permitted inside the perimeter. Another potential weakness for organizations is not enforcing the use of two-factor authentication to validate access privileges.
How can organizations protect themselves with the rise in remote work?
Avi Shua, CEO of cloud security firm Orca Security: Whenever possible, WFH (work from home) should be done from work-provided and secure laptops, via secured mechanisms that organizations typically use (encrypted and authenticated using corporate credentials and multi-factor authentication). If not possible, and work from personal machines is a must, access must be limited to the information absolutely necessary. For the necessary cases, consider even buying an ad hoc low-cost laptop that shall be used solely for work purposes rather than using personal machines at home that may be already infected and can't be wiped later on.
Goodman: The solution is to shift to a perimeter-free style of work for the long run. Authentication decisions must take into consideration the sensitivity of the data being accessed, the context of the request, and the level of assurance that an action is originating from an authorized device. These capabilities can be fulfilled with a well-designed identity platform that can not only make these decisions quickly and decide if another layer of identity validation is needed through multi-factor authentication, but it can scale with large enterprises and reduce friction in the long run.
Lipman: Develop a plan and communicate this clearly and repeatedly to your organization. This should include standards for security software that should be run on every device on which work is being done, policies and procedures for keeping company data secure, escalation processes when issues arise, and an overall refresh on cybersecurity awareness and training.
Ensure that your employees' devices are running endpoint security software and that this is continuously updated. This must include anti-phishing capabilities. Ideally, this software should be centrally managed through a cloud portal. This will enable IT staff (or managers who have IT responsibility) to monitor and control the organization's cyber posture, even when employees are remote.
Every employee should be connecting to the internet through a VPN. This is especially important if employees are connecting through public internet connections, although it's generally good cyber-hygiene to keep the VPN active at all times when accessing work data or services.