Some security issues never change: Human fallibility is always in play, even the most secure systems come with inherent risks, and bad actors will eternally seek out any and every chance to exploit vulnerabilities.
It makes sense, then, that cybersecurity sometimes feels like a long-term series of “the more things change, the more they stay the same” episodes. This is also why security advice tends to adapt to new environments rather than getting a hard reboot. Even with major shifts such as the widespread adoption of cloud, principles like least privilege don’t go away. (If anything, least privilege got a new turn in the spotlight.)
Yet we’re now living in a time where it seems as if everything has changed and nothing is the same. Are the same security challenges and mitigation strategies still relevant with so many people working from home indefinitely?
Yes and no: The challenges (and responses to said challenges) are evolving, albeit in sudden fashion. Is human error still an issue? You betcha, but your previous definition of human error probably didn’t account for an employee also helping their kids navigate distance learning, or checking on a vulnerable neighbor, or the general COVID-19-related anxiety so many people are currently feeling.
[ For more advice, read Remote work security: 5 best practices.]
So while you probably don’t need a reminder about the need for strong passwords, bear in mind that even in “normal times,” we’re regularly presented with evidence that many people do still need to be told that “0000” or “1234” is a pretty flimsy lock on their phone’s home screen. Password strength, as with many other basics of online security hygiene, were problems in halcyon days. People probably aren’t becoming online security ninjas while they’re balancing remote work with myriad other issues.
“Anytime an attack surface increases, as it does when people are working remotely, individuals and companies become more vulnerable,” notes Vikram Chabra, director of the cybersecurity practice at NetEnrich.
4 remote security challenges
The more applicable saying here is “everything old is new again,” because while the security fundamentals still apply, how you apply them may need reinforcement or revision for our current moment. Let’s look at four challenging areas that might require attention while your organization’s employees work remotely.
1. More security responsibility shifts to individual employees
The idea that “security is everyone’s responsibility” circulates across business, government, education, and other types of organizations. Versions of this concept come up regularly in DevSecOps contexts, for instance, or wherever the “shift left” mentality might manifest.
But even in forward-thinking companies, most security pros know this: “Security is everyone’s responsibility” might be the ideal goal, but it’s rarely the everyday reality. The sales team? They’re concerned with sales. Finance? They’re concerned with… well, you see the pattern.
With many people now working remotely from a home office – which might be a kitchen table, a living room couch, or wherever they can plausibly get work done – security responsibility has more literally shifted more to the individual, even though the individual might not realize it. We’re talking home networks, ready access to personal devices and services, and a host of other vectors that are now part of the ordinary day-to-day.
“In the office, we are protected by a corporate security bubble – our employers invest heavily to ensure that the right solutions are in place to protect data and keep threats on the outside,” says Laurence Pitt, global security strategy director at Juniper Networks. “As home workers, our corporate device will still carry a level of protection, but the risks are heightened by the environment.”
An unexpectedly remote workforce requires rethinking some things and adjusting the best you can. Chabra from NetEnrich notes that while external threats such as malware are as present as ever, internal risks are also growing. Shadow IT might be about to experience a renaissance of sorts, too.
Primers and reminders to your organization about the basics of home network security, for example, are the new “use strong passwords.” If people are still using the default network name and password that is, quite literally, on a sticker pasted to their router, well, they’re doing it wrong. Ditto for the router’s admin credentials, which are notoriously well-known for most major hardware brands.
“The onus is on us to take extra responsibility applying corporate awareness to our own environments,” Pitt says.
[ Want a real-world example of how CIOs train? Read also: How to fight deepfakes and ransomware: Better security training. ]
2. People are more susceptible to scams
Human error is a constant, but it’s more likely to occur in this time when nearly everyone’s daily routines are disrupted in some way. Remote work can be enormously productive, yet the formula for work-from-home success has had a bunch of new variables added to it. (Not the least of which: “Work-from-home” means you really have to work from home. No coworking spaces, coffee shops, or the like.)
“There are plenty of distractions when working from home [right now]: children, deliveries, a sunny patio, or a walk with the dog at lunchtime,” Pitt says. “The bad guys know this and will have malware targeted toward broadband connections, looking for remote workers on their home network.”
This is why COVID-19-related phishing scams and other attacks are prevalent. Pitt notes that phishing is not just an email game; text messages, social media, and other spaces where people connect online are fertile ground.
“Watch for scam text messages with seemingly helpful links to more information. If you were not expecting the message and do not recognize the number, never click on the link,” Pitt says.
We recently shared tips and debunked some myths about phishing scams during this crisis. This is as high a risk as ever while people are working from home.
Make sure your employees feel comfortable reporting a possible incident if they do get duped by a phish. SAS CISO Brian Wilson recently shared that advice with us, noting that phishing attacks start compounding rapidly when people fear retribution or embarrassment for becoming victims.
It can happen to anyone, as Red Hat chief security architect Mike Bursell recently pointed out.
3. Your VPN isn't a superhero
A virtual private network (VPN) has long been a mainstay for remote-work access, but it’s not a masked crusader that can clean up every blight. The underlying issue here is that even people who are used to periodic or regular remote work may now lean too heavily on VPN as a safeguard.
“When we work from home, most of us will use a VPN,” Pitt says. “It makes our work computer behave as if we are in the office, saves on extra authentication, and in some cases, is the only way to access corporate information. However, a VPN is also a chokepoint into the network, and too many users can slow down access.”
Indeed, Chabra from NetEnrich points out that some VPNs have recently been put through an unexpected stress test. “Often, there are limited licenses and throttling issues due to either less bandwidth at [the] VPN server or home ISP,” Chabra says. “Companies need to ensure workers can connect through VPNs and that there are sufficient licenses and bandwidth.”
Someone who’s paying their personal bills, reading the news, or doing a Zoom happy hour doesn’t need to be logged into the corporate VPN. And even some corporate accounts, such as cloud-based email and other SaaS applications, are probably better served with multi-factor authentication and other protocols outside of VPN. In general, VPN shouldn’t be viewed as a catch-all sentry guarding against external threats.
“As a reminder, in most organizations, the VPN is designed to protect access to business services,” Pitt says. “General online activities, such as banking and social media, are not affected. If your corporate policy allows it, don’t automatically load the VPN when you start work – use it when needed and unload when you don’t.”
4. Security priorities get scrambled
One of the biggest challenges is that “normal” is not really a tangible concept at the moment. Even organizations with strong security programs can struggle with this paradigm. This isn’t the time to abandon your playbook, however. Security awareness training is as important as ever, for example, for all of the reasons above. How, when, and where you create that awareness might shift, but it’s still needed.
Patching is another example; it might be tempting to postpone, but unpatched systems will continue to be welcome mats for the bad guys. While there may be triage work in the short-term, don’t lose sight of it long-term.
“As IT teams have quickly shifted priorities to help employees take on remote work, patching might be forced to take a backseat,” says Shai Toren, CEO of JetPatch. “This can leave organizations open to vulnerabilities that would normally be patched rapidly.”
Another critical area that probably isn’t getting enough attention: User privileges might need to be revised on the fly.
“Permissions that were once designated for IT are now necessary for other departments, like finance and legal, who need access to cloud consoles, RPA consoles, and orchestration tools,” says Adam Bosnian, EVP at CyberArk. “As the definition of a privileged user evolves, security teams often struggle to maintain visibility of what these users access – at what time and for how long – from various remote work locations.”
Bosnian adds that some people’s day-to-day responsibilities are evolving with little advance notice as organizations adapt, whether to address pressing priorities or fill in gaps where they may be short-handed.
“In some cases, employees require elevated privileges beyond what they usually have, and are often given them without the requisite security policies in place,” Bosnian. “This makes it [easier] for attackers to exploit the access typically granted to a powerful insider, using it to launch and execute attacks and potentially gain control over all infrastructure.” That means extra vigilance is in order.
[ How do containers help manage risk? Get the whitepaper: Ten Layers of Container Security. ]