As the COVID-19 coronavirus continues to spread around the globe and social distancing becomes the order of the day, businesses are increasingly initiating work-from-home policies – at least for jobs that can actually be done from home. Obviously there are numerous business challenges to remote working for everyone involved, from the videoconferencing platforms and network providers struggling to handle the sudden extra load to the employees themselves adjusting to working in a home environment, which is more challenging than it sounds.
As it turns out, another crucial challenge with remote working is cybersecurity.
Naturally this isn’t a surprise for CIOs and CSOs who deal with select employees who spend a lot of time on the road. However, that process typically involves a configuring a laptop, smartphone or tablet to access company data via a VPN, whether it’s a company laptop issued to the employee, or the employee bringing in their own device to the office for set-up – after which there’s usually some basic training to teach employees how to use the VPN properly and observe security protocols (strong passwords, 2FA, never leave your laptop in the car, etc).
That’s fine for a limited number of designated road warriors. But when something like, say, a global pandemic forces your entire workforce to become remote practically overnight – either by company edict or governmental order – it becomes problematic. It’s not feasible to issue everyone company devices (like anyone would use them anyway), and you can’t have everyone bringing their devices in at the last minute. Even if the majority of employees don’t need much more than access to company email and a collaboration platform like Slack, Zoom or Webex, security can still be an issue if, for example, their devices aren’t password-protected, or their Wi-Fi router password is their birthday or “password”.
In other words, remote working isn’t a straightforward plug-and-play procedure when it comes to ensuring security. It’s not necessarily a hard slog, either. Just like with enterprise security, remote working security requires employees and IT managers alike to take steps to protect themselves. The difference is that IT managers have no direct control over whatever network employees use from home, so there’s an added emphasis on making sure employees are doing their part.
Security starts at home
For employees, a key thing to remember is that whatever security best practices you do at work, you should also do at home. Dean Coclin, senior director at DigiCert, offers a list of examples: check websites you visit for TLS/SSL, keep work email and personal email separate, secure physical devices (i.e. don’t leave them lying around, PIN/password protection, use separate devices for work and personal stuff if possible), don’t click suspicious attachments, keep your anti-virus software up to date, etc.
In other words, says Coclin, “Company guidelines should always be followed, but it’s especially important when working from home. Report any suspicious behavior to your IT security department.”
However, there are other things that remote workers need to do that they don’t normally think about, such as taking extra steps to secure their home network, which hackers could exploit as an entry point into the enterprise network.
“After all, the home network when compared to an enterprise network is generally less secure because often there is a lack of intrusion detection systems (IDS) and intrusion prevention systems (IPS) in a home environment,” says Coclin.
While enterprises can mitigate this by using multi-factor authentication (MFA) to ensure that only authorized users can access controlled systems, Coclin also advises employees to use a strong password for their home Wi-Fi router, and if possible, try to separate their personal computer network from their IoT devices network.
Coclin also warns enterprises and their employees not to take the security of online collaboration tools for granted, pointing to the news earlier this year that Check Point Software found a flaw in Zoom that allowed bad actors to eavesdrop on private Zoom meetings.
“While the flaw has been resolved, it’s important to remain vigilant when using online collaboration tools and to monitor the news for any developments,” Coclin says. “Online video conference platforms like Zoom often have an authentication functionality for each meeting. Make sure you use this functionality to prevent open meetings where anyone without authentication can join.”
Coclin says that while this isn’t a comprehensive list of best practices, it’s a good start. “Simply being aware that working from home can increase your risk of cyberattacks can help employees be on guard. And if employees learn best practices for working remotely now, it may help keep the workplace a little more secure both during the COVID-19 pandemic and always.”
Make it easy
Meanwhile, CISOs will need to take some steps on the enterprise side of the equation to not only ensure the network and data are protected, but also to enable employees to do their job at home without encountering well-intentioned security roadblocks.
In fact, says Paul Ducklin, principal research scientist at Sophos, the first priority is to make it as painless as possible for employees to get started working from home via self-service portals (SSPs).
“Many SSPs allow users to choose between different levels of access, so they can safely connect up either a personal device – albeit with less access to fewer company systems than they’d get with a dedicated device – or a device that will be used only for company work,” Ducklin says.
For this, he says, the three things you want to get right are encryption (making sure it’s turned on and activated), protection (ani-virus software configured to your specs) and patching (ideally automated). Ducklin also recommends IT managers not only ensure each employee can access everything they need to do their job, but also test the remote access solution on themselves first to make sure it works properly before making employees use it.
Once you’ve ensured they can connect, don’t leave them to their own devices (so to speak) – make sure you have good visibility of what they’re doing to provide fast and sufficient tech support, Ducklin says.
“If you’ve set up automatic updating for them, make sure you also have a way to check that it’s working, and be prepared to spend time online helping them fix things if they go wrong,” he says. “If their security software produces warnings that you know they will have seen, make sure you review those warnings too, and let them know what they mean and what you expect them to do about any issues that may arise.”
That also means making sure employees have somewhere to report security issues, he adds. “If you haven’t already, set up an easily remembered email address where users can report security issues quickly and easily. Remember that a lot of cyberattacks succeed because cybercriminals try over and over again until one user makes an innocent mistake – so if the first person to see a new threat has somewhere to report it where they know they won’t be judged or criticised (or, worse still, ignored), they’ll end up helping everyone else.”
Ducklin warns that shadow IT is not limited to the enterprise LAN. It’s also a potential problem for remote workers, especially those who collaborate in teams and will seek and use the most convenient tools to enable online collaboration – to include tools they’ve never tried before.
“The first risk everyone thinks about in cases like this is, ‘What if they make a security blunder or leak data they shouldn’t?’ But there’s another problem that lots of companies forget about, namely: what if, instead of being a security disaster, it’s a conspicuous success?” says Ducklin. “A temporary solution put in place to deal with a public health issue might turn into a vibrant and important part of the company’s online presence.”
Security at scale
One specific challenge with remote working during COVID-19 is the sheer scale. According to Jean-Yves Bisiaux, CTO and co-founder of EfficientIP, while most companies have policies, technology, and procedures in place to allow remote working, they lack the digital infrastructure to enable this at a large scale.
Typically, he explains, companies expect that only around 15% or their employees will be connecting remotely at a given time. That means their VPN and VDI infrastructure is usually designed to handle that level, which in turn means they’re not architected to handle a situation like COVID-19 where most of their employees need dynamic remote access to network services.
“The drastic shift to mass remote work therefore brings additional security risks for companies,” Bisiaux says. “As devices are installed outside a company’s network infrastructure and connected to new networks and WLAN, the potential attack surface for cybercriminals expands exponentially.”
The size of the remote workforce also means that the default solution for remote access security – VPN – would be a complex and expensive undertaking. A viable alternative, says Bisiaux, is to use Secure Access Service Edge (SASE) platforms offered by telcos and ISPs. This would provide not only network-as-a-service (NaaS) to enable remote connections, but also network-security-as-a-service (NSaaS) offerings such as VPN, firewall as a service (FWaaS) and cloud secure web gateways (SWG).
This is particularly useful to protect enterprise apps, data users and remote workers from DNS attacks, as SASE offerings typically include a secure and high-performance DNS service, he adds.
One sobering tip to keep in mind: whatever solution enterprises adopt to enable and secure remote working, don’t assume you’ll only need it for a few weeks, after which everything will go back to normal. A number of experts have already warned that the social distancing measures required to flatten the curve of COVID-19’s spread may have to be kept in place for a year or more, depending on how long it takes for a vaccine to be developed (or for the human race to achieve herd immunity). By then, the habits of remote working may be so ingrained that it could conceivably become the new normal.
“Bar a readily available vaccine, we are set to see the true litmus test for remote work,” Bisiaux says.
