Work-from-home security is possible, but it requires doing the basics
It is not news that in the ongoing conflict between online convenience and security, convenience seems to win most of the time. It’s been that way for decades.
Which is bad enough. But it is especially bad in a work-from-home (WFH) environment. And even though the pandemic lockdown that began in mid-March is slowly being lifted, a lot of WFH is likely to continue at least into the fall — maybe longer. Maybe forever.
“What was once seen as a temporary solution to slow the outbreak of COVID-19 is now being viewed as permanent,” said James LaPalme, vice president and general manager of authentication solutions at Entrust Datacard.
Of course the initial, sudden move to WFH was accompanied by a small flood of advice from security experts who warned organizations that if they didn’t up their security game with things like educating employees in the use of new collaborative tools and making sure they had a secure connection from their homes to the business network, their risks of being breached could multiply exponentially.
So, three months later, how are we doing? Not all that well, according to several surveys. In terms of expanding the attack surface, the pandemic looks like an ongoing hacker’s paradise.
Many more endpoints
To corrupt one of President George H.W. Bush’s most famous lines, it has created “a thousand endpoints of attack.” Many thousands, actually.
CyberArk polled 600 IT professionals and remote office workers in the UK and found that:
- 77% of remote employees are using unmanaged, insecure “BYOD” devices to access corporate systems.
- 66% are using “communication and collaboration tools like Zoom and Microsoft Teams, which have recently reported security vulnerabilities.”
- 93% have reused passwords across applications and devices.
- 29% admitted that they allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping.
- 37% insecurely save passwords in browsers on their corporate devices.
Igloo Software did a survey focused more on collaboration tools workers are using and found that as the number of those tools increases, so does the likelihood that some of them won’t be company approved. Specifically, the survey found that:
- 56% of workers use at least two company-approved apps daily just to do their jobs. But at the same time, 85% use at least one non-company-approved app.
- 39% of respondents have sent a message to a coworker that they regret, ranging from a mistakenly sent love note to sensitive company information shared with the wrong people.
- 34% have lost or had a piece of company technology stolen.
- 37% of remote workers take calls while in a cafe or restaurant, often from an unsecured network.
And Entrust Datacard, in a survey of 1,000 U.S. professionals, found that 42% of employees surveyed still physically write passwords down, 34% keep them on their smartphones and 27% keep them on their computers. Also, nearly 20% admitted to using the same password across multiple work systems.
All of which are understandable at one level, since they make things more convenient for individual employees. But they also raise the chances that things could become catastrophically inconvenient for their organization. Hackers are opportunistic, and practices like these increase their opportunities by expanding the “attack surface.”
So, not surprisingly, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issued a joint alert early in April that they were “seeing a growing use of COVID-19-related themes by malicious cyber actors.”
The malicious activity included:
- Phishing, using the subject of coronavirus or COVID-19 as a lure.
- Malware distribution, using coronavirus- or COVID-19-themed lures.
- Registration of new domain names containing wording related to coronavirus or COVID-19.
- Attacks against newly — and often rapidly — deployed remote access and teleworking infrastructure.
Since then, the number and variety of those attacks have only increased.
So what should organizations do to make themselves a less attractive portion of the attack surface? Ironically, it doesn’t require the security version of rocket science.
Indeed, if you looked at what the surveys found remote employees were doing, you could measurably improve security simply by shouting, “Stop doing all those things!”
Start doing security basics
While some risks are unique to the WFH world, better security mostly means doing the basics — security fundamentals that were being regularly proclaimed in keynotes, workshops and panel discussions at any security conference in the world long before the pandemic. They include:
- Impose the “principle of least privilege.” Identify critical data and assets and restrict access to them only to those who need them to do their jobs.
- Prevent “privilege creep” — what happens when employees with high-level access leave a company and their privileged access is not revoked. Their credentials remain floating in the corporate infrastructure, unmanaged and unsecured.
- Force more rigorous password policies. Ban reuse across apps and devices. Or, as is being pushed by organizations like the FIDO Alliance, eliminate passwords altogether, and rely on biometric and token authenticators that stay on the user’s device.
LaPalme said provisioning a digital certificate onto a worker’s mobile device “transforms it into their trusted digital workplace identity. And no more password means no more password hacks and forgotten passwords.”
- Protect all access by multifactor authentication.
- Require employees to use only company-issued devices. Limit the use of those devices to work-related activities. Don’t let other members of the household use them — for anything.
- If you don’t have one already, establish and use a VPN. Also, antivirus solutions, firewalls and intrusion prevention should be mandatory.
While there have been some warnings that “legacy” VPNs can be vulnerable, Thomas Richards, principal consultant and red team practice leader at Synopsys, said they are still much better than nothing. “While the single VPN device might not provide all the levels of security modern ones do, using it in a layered security approach can still achieve the desired results,” he said.
- Do endpoint integrity checks to see if a home network has been compromised.
- Don’t rush the use of new apps and services to enable remote work. Make sure those that are brought into use have secure connections.
- Keep all software up to date. That requires keeping track of all your software components, an inventory known as a bill of materials (BOM).
- Back up all important files.
- Train employees to spot phishing emails from unknown sources — especially those involving the coronavirus.
LaPalme notes that a number of these are necessary because “the traditional network perimeter has collapsed. To protect an organization’s confidential information and employee identities, authentication and encryption are the most important safeguards,” he said.
Besides direct technology fixes, it is important to recognize the human element. Most of the recommended security measures require buy-in from workers to be effective. Richard Bejtlich, veteran cybersecurity author and principal security strategist at Corelight, said the first thing organizations should do is make sure that “whatever you choose to do is backed by a security policy. Ensure that employees know what’s in the security policy. Don’t introduce changes or security measures without transparency. Trust and cooperation are important.”
“Second, treat your employees like solutions to the problem, not as the problem itself. I like Cofense’s [a phishing defense firm] emphasis on enabling people to be part of the anti-phishing process, not ‘victims,’” he said.
Perhaps the most important reality is that this is unlikely to be a temporary thing. While there will always be a need for offices where employees can collaborate more easily, and safely, it is also clear that a significant percentage of workers can do so remotely without jeopardizing their productivity or the mission of the organization.
What is not as clear is whether they will be able to do so securely. Not because there is no roadmap to better security, but because it requires following it.
Those who don’t could be looking at their own pandemic — of data breaches.