COVID-19 and Computer Security, Part 1: Telecommuting Risks: Shoring Up Systems for Remote Workers
As companies send employees home in an effort to curb the spread of COVID-19, cybersecurity experts are warning that telecommuting could be putting company assets and data at risk.
There are a number of precautions that employees working from home should consider to ensure that sensitive data isn’t compromised by cybercriminals taking advantage of the health crisis.
One of the biggest problems is that employees working remotely often become relaxed and can let their guard down. In other cases, workers wrongly assume that when they work at home they have the same level of security protection as in the office.
“Typically when employees are inside of the corporate network, the enterprise security stack will protect them,” said Matias Katz, CEO of Byos.
“But working from home exposes the employee’s devices — and through them, the company’s network — to threats that exist on dirty public WiFi networks,” he told TechNewsWorld.
New Opportunities for Cybercriminals
One significant security problem is that with so much data hosted in remote server farms or the cloud, that data is only as safe as the connections that can gain access to it. In an office the systems can be better hardened, but allowing staff to work remotely can be akin to opening the gates to the barbarians.
“There’s no question that working outside the workplace can increase cyber risk,” said Elad Shapira, head of research at Panorays.
“For example, there will likely be more unmanageable devices being used to access company assets, which raises the likelihood of introducing compromised devices into a company’s network,” he told TechNewsWorld.
In addition, by having more credentials that can access company assets, including the company’s virtual private network, there’s an even greater risk for every credential-related attack, such as credential stuffing and brute force.
For these reasons, ensuring that security policies are consistent and applied throughout can be extremely challenging.
“If procurement and security somehow were able to handle securing the few devices used for occasional remote work, they now have hundreds, if not thousands of devices they need to secure,” warned Shapira.
Companies may need to enforce two-factor authentication across all assets and for all employees.
“Furthermore, many essential tasks are performed in the workplace face-to-face, including requests for financial transactions or IT service,” said Shapira. “By moving these in-person transactions to email, the organization becomes much more susceptible to phishing and email scams.”
Mitigating the Risks
During emergencies that may take the staff out of the office, the first thing an IT department should ensure is that employees are prepared and understand the risks of working remotely.
“It is always best practices to anticipate remote workers and have policies, procedures, and governance to help mitigate risk,” said Lou Morentin, VP of compliance and risk management for Cerberus Sentinel.
“Many standards — including HIPAA, ISO and HITRUST, for example — require controls for remote workers,” he told TechNewsWorld.
“Anytime a remote workforce accesses company resources, it is recommended that a VPN connection be used to secure data in transit,” Morentin added. “If possible, segregation of work connections from family traffic is recommended. Many modern consumer routers allow for segregated networks.”
The situation could be made worse if a home computer is being used to do office work remotely.
“It depends, of course, on a number of factors,” said Mark Foust, vice president of marketing for CloudJumper.
“Microsoft’s Windows Virtual Desktop functions as a Desktop as a Service secondary desktop from the Azure cloud — and it’s surfaced as a Platform as a Service and has a greatly reduced security footprint,” he told TechNewsWorld.
This could allow a way for the IT department to make separate company data from personal data on a personal computer.
“This presents an ideal solution for many remote work scenarios,” added Foust. “A secondary desktop, in WVD Azure, for example, is ideal for security and business continuity.”
Tools to Protect Employees and Data
A number of tools and protocols are worthy of consideration to help remote workers protect sensitive data.
“Single sign on and multifactor authentication are critical technologies for the remote workforce, as well as minimizing risk for the business,” said Ralph Martino, vice president of product strategy at Stealthbits.
“These together allow the remote workforce to connect to business applications in the cloud, or on-prem using one password,” he told TechNewsWorld.
“When the remote worker is terminated, the business can terminate access across a series of applications, minimizing the risk of misuse of an account that doesn’t get de-provisioned, and this provides greater security and compliance for the enabling the remote workforce,” Martino added.
As someone who has been working remotely for nearly a decade, Paul Bischoff, privacy advocate and researcher at Comparitech suggested a number of tools.
“For digitizing physical paperwork and getting signatures, I use a document scanner (TinyScanner), PDF editor (Adobe Fill and Sign), and DocuSign,” he told TechNewsWorld.
“Wave is my preferred accounting and invoicing tool, while Slack is my day-to-day office chat room,” Bischoff added.
“A good backup service is essential so that remote employees don’t lose work, and Zoom is a solid professional-grade video conferencing tool,” he noted.
To VPN or Not to VPN
Many corporations may want to roll out VPNs to more employees to access office resources and secure storage, but this shouldn’t be seen as a hardened defense. There are many shortcomings to VPNs that users may not readily consider.
“Some of the many device threats that VPNs can’t protect against are eavesdropping, exploits, and lateral spreading of attackers and malware,” said Byos’ Katz.
“That’s because VPNs only encrypt data in transit, but don’t protect where the data is residing — the user’s device,” he explained.
“Once an attacker or malware gets into a device, they often go undetected, seizing or manipulating data with the ultimate goal of moving from the single remote laptop or tablet into the big prize: the company network and servers,” warned Katz.
Even with the best security in place, employees are just one of the many potential weak links in a chain.
“It’s one thing if a large organization, presumably with robust security processes in place, implements a work-from-home policy for its employees,” said Panorays’ Shapira.
“What happens, however, when one of its supply chain partners does the same? In that case, the organization needs to be able to also check that its supply chain partners adhere to that same high level of security,” he added.
For this reason a comprehensive plan needs to be drawn up. While it could be too late for the current COVID-19 crisis, forward thinking will make it easier to send teams home to be safe from illness and secure from cyberthreats.
“With the right tools, policies and procedures in place,” said Shapira, “organizations can be assured that the cyber posture of their company and third parties remains strong, even outside the workplace.”