Work-from-home security is possible, but it requires doing the basics


It is not news that in the ongoing conflict between online convenience and security, convenience seems to win most of the time. It’s been that way for decades.

Which is bad enough. But it is especially bad in a work-from-home (WFH) environment. And even though the pandemic lockdown that began in mid-March is slowly being lifted, a lot of WFH is likely to continue at least into the fall — maybe longer. Maybe forever.

“What was once seen as a temporary solution to slow the outbreak of COVID-19 is now being viewed as permanent,” said James LaPalme, vice president and general manager of authentication solutions at Entrust Datacard.

Of course, the initial, sudden move to WFH was accompanied by a flood of advice from security experts. They warned organizations that unless they upped their security game, by educating employees in the use of new collaboration tools and by making sure those employees had a secure connection from their homes to the business network, their risk of being breached could multiply.

So, three months later, how are we doing? Not all that well, according to several surveys. In terms of expanding the attack surface, the pandemic looks like an ongoing hacker’s paradise.

Many more endpoints

To corrupt one of President George H.W. Bush’s most famous lines, it has created “a thousand endpoints of attack.” Many thousands, actually.

CyberArk polled 600 IT professionals and remote office workers in the UK and found that:

Igloo Software did a survey focused more on collaboration tools workers are using and found that as the number of those tools increases, so does the likelihood that some of them won’t be company approved. Specifically, the survey found that:

And Entrust Datacard, in a survey of 1,000 U.S. professionals, found that 42% of employees surveyed still physically write passwords down, 34% keep them on their smartphones and 27% keep them on their computers. Also, nearly 20% admitted to using the same password across multiple work systems.

All of which is understandable at one level, since it makes things more convenient for individual employees. But it also raises the chances that things become catastrophically inconvenient for their organization. Attackers are opportunistic, and practices like these hand them more opportunities: every written-down or reused password is one more piece of the attack surface.

So, not surprisingly, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) issued a joint alert early in April that they were “seeing a growing use of COVID-19-related themes by malicious cyber actors.”

They included:

Since then, the number and variety of those attacks have only increased.

So what should organizations do to make themselves a less attractive portion of the attack surface? Ironically, it doesn’t require the security version of rocket science.

Indeed, if you looked at what the surveys found remote employees were doing, you could measurably improve security simply by shouting, “Stop doing all those things!”

Start doing security basics

While some risks are unique to the WFH world, securing it mostly means doing the basics: security fundamentals that were being proclaimed in keynotes, workshops and panel discussions at security conferences around the world long before the pandemic. They include:

LaPalme said provisioning a digital certificate onto a worker’s mobile device “transforms it into their trusted digital workplace identity. And no more password means no more password hacks and forgotten passwords.”

While there have been some warnings that “legacy” VPNs can be vulnerable, Thomas Richards, principal consultant and red team practice leader at Synopsys, said a VPN is still much better than nothing. “While the single VPN device might not provide all the levels of security modern ones do, using it in a layered security approach can still achieve the desired results,” he said.

LaPalme notes that a number of these measures are necessary because “the traditional network perimeter has collapsed. To protect an organization’s confidential information and employee identities, authentication and encryption are the most important safeguards,” he said.
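The certificate-as-identity idea LaPalme describes above, and his point that authentication and encryption are the two safeguards that matter once the perimeter is gone, are exactly what mutual TLS delivers. The following is an added example written for this page; it is not code from the article, from Entrust Datacard or from Synopsys. It uses only Go's standard library, and the CA name, server name and user name in it are invented. It mints a device CA, a server certificate and one device certificate in memory, then shows a device holding a CA-issued certificate being greeted by the identity in that certificate, while a client with no certificate is refused during the handshake, before a single byte of application data is exchanged.

```go
package main

// Added example, not from the article: passwordless login over mutual TLS. A device
// carrying a certificate from the company's (here in-memory) device CA is greeted by
// name; a device without one is refused. Every name below is invented for the demo.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on in-memory setup errors (key generation, certificate minting). Go 1.18+.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a one-day P-256 certificate for cn: self-signed when parent is nil (the device CA), else signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo server lives on loopback
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil { // no parent: this is the self-signed device CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// startServer admits only clients whose certificate chains to caPool: the TLS handshake is
// the authentication step and it also encrypts the session. No password exists anywhere.
func startServer(cert tls.Certificate, caPool *x509.CertPool) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    caPool,
		MinVersion:   tls.VersionTLS12,
	}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails for any client not holding a CA-issued certificate
				// Identity comes from the verified certificate, not from anything the user typed.
				tc.Write([]byte("hello " + tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
			}
			tc.Close() // an unauthenticated client is dropped without a byte of application data
		}
	}()
	return ln
}

// connect dials the server, presenting certs (possibly none), and returns the server's greeting.
func connect(addr string, caPool *x509.CertPool, certs ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: caPool, ServerName: "127.0.0.1", Certificates: certs, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 128)
	n, err := conn.Read(buf) // errors when the server rejected our (missing) certificate
	return string(buf[:n]), err
}

// Demo returns the greeting the certified device received and whether the same client,
// presenting no certificate, was refused by the same server.
func Demo() (greeting string, refused bool, err error) {
	ca := issue("Example Corp Device CA", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln := startServer(issue("vpn.example.internal", &ca), pool)
	defer ln.Close()
	if greeting, err = connect(ln.Addr().String(), pool, issue("alice@example.com", &ca)); err != nil {
		return "", false, err
	}
	_, noCertErr := connect(ln.Addr().String(), pool)
	return greeting, noCertErr != nil, nil
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run .` and it prints the greeting, `true` for the refused client and a nil error. In a real deployment the CA key lives in a managed PKI or HSM, the device key is generated inside the phone's secure element so it cannot be copied, and certificate lifetime and revocation need handling; the point the demo makes is that the identity is bound to a key the device proves possession of during the handshake, so there is no password to write down, reuse or phish.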

Besides direct technology fixes, it is important to recognize the human element. Most of the recommended security measures require buy-in from workers to be effective. Richard Bejtlich, veteran cybersecurity author and principal security strategist at Corelight, said the first thing organizations should do is make sure that “whatever you choose to do is backed by a security policy. Ensure that employees know what’s in the security policy. Don’t introduce changes or security measures without transparency. Trust and cooperation are important.”

“Second, treat your employees like solutions to the problem, not as the problem itself. I like Cofense’s [a phishing defense firm] emphasis on enabling people to be part of the anti-phishing process, not ‘victims,’” he said.

Perhaps the most important reality is that this is unlikely to be a temporary thing. While there will always be a need for offices where employees can collaborate more easily and safely, it is also clear that a significant percentage of workers can do so remotely without jeopardizing their productivity or the mission of the organization.

What is not as clear is whether they will be able to do so securely. Not because there is no roadmap to better security, but because it requires following it.

Those who don’t could be looking at their own pandemic—of data breaches.


I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.

Taylor Armerding