As companies send employees home in an effort to curb the spread of COVID-19, cybersecurity experts are warning that telecommuting could be putting company assets and data at risk.
There are a number of precautions that employees working from home
should consider to ensure that sensitive data isn’t compromised by
cybercriminals taking advantage of the health crisis.
One of the biggest problems is that employees working remotely often
become relaxed and can let their guard down. In other cases, workers
wrongly assume that when they work at home they have the same level of security protection as in the office.
“Typically when employees are inside of the corporate network, the enterprise security stack will protect them,” said Matias Katz, CEO of
Byos.
“But working from home exposes the employee’s devices — and through
them, the company’s network — to threats that exist on dirty public
WiFi networks,” he told TechNewsWorld.
New Opportunities for Cybercriminals
One significant security problem is that with so much data hosted in
remote server farms or the cloud, that data is only as safe as the
connections that can gain access to it. In an office the systems can
be better hardened, but allowing staff to work remotely can be akin to
opening the gates to the barbarians.
“There’s no question that working outside the workplace can increase
cyber risk,” said Elad Shapira, head of research at
Panorays.
“For example, there will likely be more unmanageable devices being
used to access company assets, which raises the likelihood of
introducing compromised devices into a company’s network,” he told
TechNewsWorld.
In addition, by having more credentials that can access company
assets, including the company’s virtual private network, there’s
an even greater risk for every credential-related attack, such as
credential stuffing and brute force.
For these reasons, ensuring that security policies are consistent and
applied throughout can be extremely challenging.
“If procurement and security somehow were able to handle securing the
few devices used for occasional remote work, they now have hundreds,
if not thousands of devices they need to secure,” warned Shapira.
Companies may need to enforce two-factor authentication across all assets and for all employees.
“Furthermore, many essential tasks are performed in the workplace
face-to-face, including requests for financial transactions or IT
service,” said Shapira. “By moving these in-person transactions to
email, the organization becomes much more susceptible to phishing and
email scams.”
Mitigating the Risks
During emergencies that may take the staff out of the office, the
first thing an IT department should ensure is that employees are prepared and understand the risks of working remotely.
“It is always best practices to anticipate remote workers and have
policies, procedures, and governance to help mitigate risk,” said Lou
Morentin, VP of compliance and risk management for
Cerberus Sentinel.
“Many standards — including HIPAA, ISO and HITRUST, for example —
require controls for remote workers,” he told TechNewsWorld.
“Anytime a remote workforce accesses company resources, it is
recommended that a VPN connection be used to secure data in transit,”
Morentin added. “If possible, segregation of work connections from family traffic is
recommended. Many modern consumer routers allow for segregated
networks.”
The situation could be made worse if a home computer is being used to do office work remotely.
“It depends, of course, on a number of factors,” said Mark Foust, vice president of marketing for
CloudJumper.
“Microsoft’s Windows Virtual Desktop functions as a Desktop as a
Service secondary desktop from the Azure cloud — and it’s
surfaced as a Platform as a Service and has a greatly reduced security
footprint,” he told TechNewsWorld.
This could allow a way for the IT department to make separate company
data from personal data on a personal computer.
“This presents an ideal solution for many remote work scenarios,” added Foust. “A secondary desktop, in WVD Azure, for example, is ideal for security and business continuity.”
Tools to Protect Employees and Data
A number of tools and protocols are worthy of consideration to help remote workers protect sensitive data.
“Single sign on and multifactor authentication are critical
technologies for the remote workforce, as well as minimizing risk for
the business,” said Ralph Martino, vice president of product strategy
at
Stealthbits.
“These together allow the remote workforce to connect to business
applications in the cloud, or on-prem using one password,” he told TechNewsWorld.
“When the remote worker is terminated, the business can terminate
access across a series of applications, minimizing the risk of misuse
of an account that doesn’t get de-provisioned, and this provides greater
security and compliance for the enabling the remote workforce,” Martino
added.
As someone who has been working remotely for nearly a decade, Paul
Bischoff, privacy advocate and researcher at Comparitech suggested a
number of tools.
“For digitizing physical paperwork and getting signatures, I use a
document scanner (TinyScanner), PDF editor (Adobe Fill and Sign), and
DocuSign,” he told TechNewsWorld.
“Wave is my preferred accounting and invoicing tool, while Slack is my
day-to-day office chat room,” Bischoff added.
“A good backup service is essential so that remote employees don’t
lose work, and Zoom is a solid professional-grade video conferencing
tool,” he noted.
To VPN or Not to VPN
Many corporations may want to roll out VPNs to more employees to
access office resources and secure storage, but this shouldn’t be seen
as a hardened defense. There are many shortcomings to VPNs that users
may not readily consider.
“Some of the many device threats that VPNs can’t protect against are
eavesdropping, exploits, and lateral spreading of attackers and
malware,” said Byos’ Katz.
“That’s because VPNs only encrypt data in transit, but don’t protect
where the data is residing — the user’s device,” he explained.
“Once an attacker or malware gets into a device, they often go
undetected, seizing or manipulating data with the ultimate goal of
moving from the single remote laptop or tablet into the big prize: the
company network and servers,” warned Katz.
Even with the best security in place, employees are just one of the many potential weak links in a chain.
“It’s one thing if a large organization, presumably with robust
security processes in place, implements a work-from-home policy for
its employees,” said Panorays’ Shapira.
“What happens, however, when one of its supply chain partners does the
same? In that case, the organization needs to be able to also check
that its supply chain partners adhere to that same high level of
security,” he added.
For this reason a comprehensive plan needs to be drawn up. While
it could be too late for the current COVID-19 crisis, forward thinking
will make it easier to send teams home to be safe from illness and
secure from cyberthreats.
“With the right tools, policies and procedures in place,” said
Shapira, “organizations can be assured that the cyber posture of their
company and third parties remains strong, even outside the workplace.”
Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.