With the number of COVID-19 cases in flux across the U.S., and autumn approaching fast, the work-from-home workforce now appears more permanent than ever, with many companies not expected to bring employees back until at least 2021 and possibly beyond.
And as employees settle into the reality of home office work, the conversation about securing those employees, protecting their data and guarding against threats (both external as well as internal) needs to be part of an organization's long-term planning.
While many enterprises excelled at getting employees the equipment and resources they needed in March and April, a long-term WFH situation requires serious strategic thinking about how organizations can provide security to their staff at a time when cyber-threats are increasing and cybercriminals and hackers have a bigger attack surface to target.
“Businesses have made quick and steady strides to react to this pandemic. Now, it is time to find a rhythm and settle in for the long run,” Heather Paunet, senior vice president of product management at security firm Untangle, told Dice. “The time for reactive decision making has passed, and business leaders, as 2021 looms in the future, need to weave cyber security awareness, employee engagement, and long-term programs into their company culture and missions. While many are home focused on making the best of the situation, cyber criminals are ready to use this time to prey on employees and businesses alike.”
The numbers, so far, paint a picture of challenges to come.
In time for the Black Hat 2020 virtual conference earlier this month, AT&T released a study about cybersecurity and working from home that included responses from 800 security professionals working in the U.K., France and Germany. Of those surveyed, 88 percent reported that, while they initially felt well-prepared for the switch to WFH, a majority (55 percent) now feel that ongoing remote working is making their companies more vulnerable to cyber-threats.
Digging further in, 25 percent of those surveyed noted that their organization has not offered additional cybersecurity training for employees. Another 24 percent note that their firms have not created secure gateways to applications hosted in the cloud or in a data center, while 22 percent report that there is little or no additional endpoint security to protect laptops and mobile phones.
A similar survey released by IBM earlier this year also found great confidence in the early switch to WFH, but that security precautions and training had not kept up with the possibility that remote work may become a permanent fixture of working life.
Now’s the Time to Think Security
With fall approaching, many believe that a second (or even third) wave of COVID-19 might cause large portions of the U.S. to go into lockdown again, meaning employees staying at home, often with school-age children who need internet access or time on a device to conduct their own studies.
As schools begin in many parts of the country, Paunet believes that organizations need to start enforcing network segmentation strategies now for home workers, such as ensuring they connect to work apps and systems through a VPN, in order to keep personal and work data separate and more secure.
“Because of this complexity, there needs to be a way where IT teams treat business network traffic differently than everyday traffic on the home network,” Paunet said. “It should be mandatory to connect to a VPN or secure gateway when using any work-issued device.”
Going beyond separating work from personal network traffic and data, Paunet believes that organizations should focus on a wide range of improvements to ensure security for the long-term, including network security system audits, remote device management and user access privileges. This also includes implementing scalable remote management tools and creating continuous employee training programs.
“Companies also have an opportunity to support their employees in new ways and ultimately increase productivity,” Paunet said. “Employers can provide technology tools, resources and stipends to help cover costs of tech related items and services, such as increasing bandwidth to their home, or a company excess device purchase program.”
Brendan O’Connor, CEO and co-founder of security firm AppOmni, notes that many organizations have used the COVID-19 pandemic to invest in an array of cloud services, especially SaaS tools, to give employees access to the applications that they need to work efficiently from home.
Now that SaaS and other cloud services have been established, it’s time for CISOs and security teams to think about the long-term implications of securing these tools, especially as data moves from corporate offices to the cloud to home offices and then back to the cloud again.
“In the current era of WFH, many enterprises are rapidly adopting SaaS services to offer the benefit of anywhere and any-device access to their employees,” O’Connor told Dice. “Unfortunately, the pace of adoption requires IT and SaaS administrators to focus on enabling data access even at the risk of providing too much access or creating over-privileged users. While these oversights may not necessarily create new insider threat actors, they provide new and easier ways for such actors to take advantage of the current climate.”
Beware Insider Threats
Several security experts warned against an increase in insider threats, whether malicious or unintentional, as WFH becomes the norm.
Steve Durbin, managing director of the not-for-profit Information Security Forum, is advising that CISOs and risk managers consider how employee behavior is changing as people work longer hours from home, and how that could lead to cyber threats if policies and procedures are not put into place soon.
“Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy,” Durbin told Dice. “These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood and uncertainty about the future. Under these conditions, employees might become resentful or disgruntled towards the organization, resulting in occurrences of information leakage and theft of intellectual property.”
Joseph Carson, chief security scientist and advisory CISO at security firm Thycotic, sees that traditional technologies previously used to protect a company’s network and infrastructure, such as email gateways, web gateways, intrusion detection systems and firewalls, no longer matter in the WFH era.
This means increased threats from both outside and inside an organization.
Instead of older technologies, Carson recommends organizations look toward implementing and deploying Identity and Access Management (IAM) and Privileged Access Management (PAM) tools to combat insider threats, as well as creating better auditing of who is using privileged access for certain systems and applications. That could help cut down on abuse.
“As employees have moved outside the company perimeter and firewall, the criticality of IAM combined with PAM, will help organizations maintain a full audit trail,” Carson told Dice. “Once an audit trail is difficult to hide an employee’s tracks, they will have less motive for abusing privileges as they are unable to get away with the crime. Sometimes accountability and auditability [are] enough to force an employee into not committing any criminal activity rather than detecting it.”
Visit our COVID-19 Resource Center, which aims to provide the tech community with the best, most up-to-date information on the novel coronavirus.