14 Apr Remote Work Leads to New Cybersecurity Challenges
By Dan Chandler, CISO
Remote work brings new challenges for cybersecurity. Criterion has a great deal of experience in supporting secure remote work, as many of our teams follow this protocol in normal times. Here are some tips to help organizations stay strong and protected against cyberthreats when the vast majority of their employees are working from home.
What Threats Should Organizations Watch for Given the Increase in Remote Workers?
We are seeing a rise in phishing attacks, including an increase in coronavirus-related ones, as a result of the rapid move to remote working for many people. Remember, phishing messages try to create an impression of urgency in order to panic the employees into clicking on a link. Therefore, we recommend, as far as possible, that employees try to not mix work and leisure activities on the same device and be particularly careful with any emails referencing the coronavirus. Here are some more tips we share with our employees:
- Be suspicious of any emails asking you to check or renew your passwords and login credentials, even if they seem to come from a trusted source. Try to verify the authenticity of the request through other means.
- Do not click on suspicious links or open suspicious email attachments, and be suspicious of emails from people you do not know, especially if they ask you to connect to links or open files.
- Emails sent from people you know but asking for unusual things are also suspicious, so you should double check by phone if possible.
A second emerging cybersecurity risk is that employees are now using applications that were previously not accessible remotely. The risk here is that the applications being accessed are not enabled for strong authentication and encrypted communication. Furthermore, people are now accessing applications using their own personal or unmanaged devices. To date, the best practice for teleworking was to have managed devices with appropriate security controls such as data loss protection, updated anti-malware controls, and a capability to be centrally monitored. With this sudden huge increase in numbers of remote workers, the lesser security of the endpoint devices that they use may prove to be a significant risk and companies should seek to mitigate it.
New Risks for Remote Workers and the Larger Organization
When employees who are not used to remote working begin to do so, they might be a bit careless in ensuring they follow security precautions. This is because they usually work within the “perimeter,” which gives them a higher degree of protection. Therefore, organizations should reinforce good security practices via awareness programs. Remember, carelessness can lead to liability for some remote workers, depending on the conditions of their employment.
A significantly enlarged remote workforce has organizational risk impacts as well, including:
- Remote workers bring laptops into their home environment, and tons of devices outside of the IT department’s control are suddenly in the same network. This significantly increases the attack surface and the possibility of being crippled by ransomware or other malware.
- Organizations will be exposed to a higher level of risk as a result of cybercriminals attempting to capitalize on the weaknesses in defenses as companies adjust to the “new normal” of remote work.
- IT organizations will be distracted for the weeks and months to come as they address operationally pressing issues, including providing adequate communication and connectivity for employees, implementing collaboration tools, or ensuring that existing systems and processes can scale.
While cybersecurity will be on an IT organization’s list of priorities, it will be competing for attention with many other balls that have been unexpectedly thrown up in the air.
Mistakes Organizations Might Make Dealing with Remote Workers
There are some common mistakes organizations might make when dealing with remote workers. These include:
- Not enforcing cybersecurity policies and role-based access control across the corporate domain
- Neglecting to put in place comprehensive logging and monitoring solutions
- Not deploying mobile device and application management across the organization
- Permitting non-compliant devices inside the perimeter
- Not enforcing the use of two-factor authentication to validate access privileges for all users in the organization
Virtual Private Networks (VPNs), virtual desktops, and other methods that businesses traditionally use are not easy to scale because they are driven by compute power, and they do not provide the same scalability and flexibility as cloud services. Companies will quickly learn that it will not be possible to find secure ways to provide access with these types of traditional remote strategies, and the IT department could inadvertently create several security gaps for threat actors to exploit.
How Can Organizations Protect Themselves with the Rise in Remote Work?
Whenever possible, work from home should be done from work-provided and secured laptops, via secured mechanisms that organizations typically use (encrypted and authenticated using corporate credentials and multi-factor authentication). If not possible, and work from personal machines is a must, then access must be limited to the information necessary. For the necessary cases, consider buying an ad hoc low-cost laptop that will be used solely for work purposes rather than using personal machines at home that may be already infected and cannot be wiped later.
Ensure that your employees’ devices are running endpoint security software and that this is continuously updated. This must include anti-phishing capabilities. Ideally, this software should be centrally managed through a cloud portal. This will enable the IT department (or managers who have IT responsibility) to monitor and control the organization’s cybersecurity posture, even when employees are remote. All employees should be connecting to the internet through a VPN. This is especially important if employees are connecting through public internet connections, although it’s generally good cyber-hygiene to keep the VPN active always when accessing work data or services.
To truly address cybersecurity challenges, the organization should consider a shift to a perimeter-free style of work for the long run. Authentication decisions must take into consideration the sensitivity of the data being accessed, the context of the request, and the level of assurance that an action is originating from an authorized device. These capabilities can be fulfilled with a well-designed identity platform that can not only make these decisions quickly and decide whether another layer of identity validation is needed through multi-factor authentication, but can also scale with large enterprises and reduce friction in the long run.
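The decision described above (data sensitivity, request context, and device assurance deciding between allow, step-up MFA, and deny) can be sketched as a small policy function. This is an added example, not code from the article or from Criterion; the class names, risk weights, and the 8-hour MFA freshness window are hypothetical assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Optional

class Sensitivity(IntEnum):      # hypothetical data classification levels
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    DENY = "deny"

MFA_MAX_AGE_MIN = 480            # assumption: MFA older than 8 hours is stale

@dataclass(frozen=True)
class AccessRequest:
    sensitivity: Sensitivity
    device_managed: bool              # enrolled in device management
    device_compliant: bool            # endpoint security running and current
    new_location: bool                # context: sign-in from an unseen location
    mfa_age_min: Optional[int] = None # None means no MFA in this session

def device_assurance(req: AccessRequest) -> int:
    """2 = managed and compliant, 1 = compliant personal device, 0 = unknown."""
    if req.device_compliant:
        return 2 if req.device_managed else 1
    return 0

def decide(req: AccessRequest) -> Decision:
    assurance = device_assurance(req)
    # Hard rule: restricted data never reaches a device with no assurance.
    if req.sensitivity == Sensitivity.RESTRICTED and assurance == 0:
        return Decision.DENY
    # Risk grows with sensitivity, weak device assurance, and unusual context.
    risk = int(req.sensitivity) + (2 - assurance) + (1 if req.new_location else 0)
    if risk >= 4:
        return Decision.DENY          # too risky even with MFA
    if risk <= 1:
        return Decision.ALLOW         # low risk: no extra friction
    fresh = req.mfa_age_min is not None and req.mfa_age_min <= MFA_MAX_AGE_MIN
    return Decision.ALLOW if fresh else Decision.STEP_UP_MFA

if __name__ == "__main__":
    # Constructed requests: managed laptop vs. personal device in a new location.
    print(decide(AccessRequest(Sensitivity.INTERNAL, True, True, False)))
    print(decide(AccessRequest(Sensitivity.INTERNAL, False, True, True)))
```

Checking the risk ceiling before the MFA check keeps the policy from prompting a user for a second factor and then denying the request anyway.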
Finally, organizations should develop a plan and communicate this clearly and repeatedly to employees. The plan should include standards for cybersecurity software that should be run on every device on which work is being done, policies and procedures for keeping company data secure, escalation processes when issues arise, and an overall refresh on cybersecurity awareness and training.
- CIS Controls Telework and Small Office Network Security Guide
- NIST ITL March 2020 Bulletin: Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions