As companies send employees home in an effort to curb the spread of COVID-19, cybersecurity experts are warning that telecommuting could be putting company assets and data at risk.
There are a number of precautions that employees working from homeshould consider to ensure that sensitive data isn’t compromised bycybercriminals taking advantage of the health crisis.
One of the biggest problems is that employees working remotely oftenbecome relaxed and can let their guard down. In other cases, workerswrongly assume that when they work at home they have the same level of security protection as in the office.
“Typically when employees are inside of the corporate network, the enterprise security stack will protect them,” said Matias Katz, CEO of Byos.
“But working from home exposes the employee’s devices — and throughthem, the company’s network — to threats that exist on dirty publicWiFi networks,” he told TechNewsWorld.
New Opportunities for Cybercriminals
One significant security problem is that with so much data hosted inremote server farms or the cloud, that data is only as safe as theconnections that can gain access to it. In an office the systems canbe better hardened, but allowing staff to work remotely can be akin toopening the gates to the barbarians.
“There’s no question that working outside the workplace can increasecyber risk,” said Elad Shapira, head of research at Panorays.
“For example, there will likely be more unmanageable devices beingused to access company assets, which raises the likelihood ofintroducing compromised devices into a company’s network,” he toldTechNewsWorld.
In addition, by having more credentials that can access companyassets, including the company’s virtual private network, there’san even greater risk for every credential-related attack, such ascredential stuffing and brute force.
For these reasons, ensuring that security policies are consistent andapplied throughout can be extremely challenging.
“If procurement and security somehow were able to handle securing thefew devices used for occasional remote work, they now have hundreds,if not thousands of devices they need to secure,” warned Shapira.
Companies may need to enforce two-factor authentication across all assets and for all employees.
“Furthermore, many essential tasks are performed in the workplaceface-to-face, including requests for financial transactions or ITservice,” said Shapira. “By moving these in-person transactions toemail, the organization becomes much more susceptible to phishing andemail scams.”
Mitigating the Risks
During emergencies that may take the staff out of the office, thefirst thing an IT department should ensure is that employees are prepared and understand the risks of working remotely.
“It is always best practices to anticipate remote workers and havepolicies, procedures, and governance to help mitigate risk,” said LouMorentin, VP of compliance and risk management for Cerberus Sentinel.
“Many standards — including HIPAA, ISO and HITRUST, for example –require controls for remote workers,” he told TechNewsWorld.
“Anytime a remote workforce accesses company resources, it isrecommended that a VPN connection be used to secure data in transit,”Morentin added. “If possible, segregation of work connections from family traffic isrecommended. Many modern consumer routers allow for segregatednetworks.”
The situation could be made worse if a home computer is being used to do office work remotely.
“It depends, of course, on a number of factors,” said Mark Foust, vice president of marketing for CloudJumper.
“Microsoft’s Windows Virtual Desktop functions as a Desktop as aService secondary desktop from the Azure cloud — and it’ssurfaced as a Platform as a Service and has a greatly reduced securityfootprint,” he told TechNewsWorld.
This could allow a way for the IT department to make separate companydata from personal data on a personal computer.
“This presents an ideal solution for many remote work scenarios,” added Foust. “A secondary desktop, in WVD Azure, for example, is ideal for security and business continuity.”
Tools to Protect Employees and Data
A number of tools and protocols are worthy of consideration to help remote workers protect sensitive data.
“Single sign on and multifactor authentication are criticaltechnologies for the remote workforce, as well as minimizing risk forthe business,” said Ralph Martino, vice president of product strategyat Stealthbits.
“These together allow the remote workforce to connect to businessapplications in the cloud, or on-prem using one password,” he told TechNewsWorld.
“When the remote worker is terminated, the business can terminateaccess across a series of applications, minimizing the risk of misuseof an account that doesn’t get de-provisioned, and this provides greatersecurity and compliance for the enabling the remote workforce,” Martinoadded.
As someone who has been working remotely for nearly a decade, PaulBischoff, privacy advocate and researcher at Comparitech suggested anumber of tools.
“For digitizing physical paperwork and getting signatures, I use adocument scanner (TinyScanner), PDF editor (Adobe Fill and Sign), andDocuSign,” he told TechNewsWorld.
“Wave is my preferred accounting and invoicing tool, while Slack is myday-to-day office chat room,” Bischoff added.
“A good backup service is essential so that remote employees don’tlose work, and Zoom is a solid professional-grade video conferencingtool,” he noted.
To VPN or Not to VPN
Many corporations may want to roll out VPNs to more employees toaccess office resources and secure storage, but this shouldn’t be seenas a hardened defense. There are many shortcomings to VPNs that usersmay not readily consider.
“Some of the many device threats that VPNs can’t protect against areeavesdropping, exploits, and lateral spreading of attackers andmalware,” said Byos’ Katz.
“That’s because VPNs only encrypt data in transit, but don’t protectwhere the data is residing — the user’s device,” he explained.
“Once an attacker or malware gets into a device, they often goundetected, seizing or manipulating data with the ultimate goal ofmoving from the single remote laptop or tablet into the big prize: thecompany network and servers,” warned Katz.
Even with the best security in place, employees are just one of the many potential weak links in a chain.
“It’s one thing if a large organization, presumably with robustsecurity processes in place, implements a work-from-home policy forits employees,” said Panorays’ Shapira.
“What happens, however, when one of its supply chain partners does thesame? In that case, the organization needs to be able to also checkthat its supply chain partners adhere to that same high level ofsecurity,” he added.
For this reason a comprehensive plan needs to be drawn up. Whileit could be too late for the current COVID-19 crisis, forward thinkingwill make it easier to send teams home to be safe from illness andsecure from cyberthreats.
“With the right tools, policies and procedures in place,” saidShapira, “organizations can be assured that the cyber posture of theircompany and third parties remains strong, even outside the workplace.”