One of the easiest security risks to overlook? Thinking there is no risk.
That’s true when it comes to tools, people, and processes. When you think there’s little to no chance of something going awry, your risk exposure often expands. Complacency can cause this mindset and may be a growing risk factor, but we’ll get back to that later. Simple misunderstandings are often the root of security overconfidence. We might think we know something, but what if that knowledge is off-base or outdated?
Or what if our environment suddenly changes?
Just about everyone is living that scenario right now as a result of the global pandemic. The most obvious change in many organizations is a rapid shift to remote work. That has had broad impacts, including on your company’s security posture, which might need some realignment.
We’re here to debunk some common misconceptions about online security specifically for the remote workforce:
1. False: Zoom is end-to-end encrypted
Let’s start with one that has already garnered a lot of attention: Zoom security. Use of the videoconferencing platform has skyrocketed, which makes it a juicier target for malicious actors. There have been plenty of headlines about various security risks in Zoom, many of which the company has addressed.
As noted in our recent post on how to improve your Zoom meetings, you’ll need to evaluate the right security settings for your own organization. But here’s the thing: Your video conferences are not completely encrypted in a failsafe fashion, at least not yet. Zoom announced last week its intention to acquire Keybase, a startup, to add end-to-end encryption to its product. Zoom also outlined a 90-day plan to tackle security concerns.
“Zoom is not end-to-end encrypted, even if meetings remain encrypted on their whole route across the internet, because Zoom could use the keys it holds to decrypt the data during that journey,” says Vikram Chabra, director of the cybersecurity practice at NetEnrich. That’s going to matter more or less depending on your risk tolerance, regulatory needs, and other factors.
The same principle potentially holds true for any new-to-you service your team is now using to stay connected and productive. There might be risks or privacy issues you’re not aware of. Zoom just happens to be one of the highest-profile platforms. Again, the recent spate of headlines about the service is actually a good thing for promoting awareness and improvements. Chabra points to the revelation that Zoom’s iOS app could send data to Facebook without explicit consent as an example of a previously unknown privacy issue, something the company has since addressed.
2. False: Personal devices are just as secure as corporate devices
Not to wax nostalgic about BYOD, but we’ve been down this road before. In all likelihood, organizations of all kinds – across business, government, education, and more – are going to see an increase in people accessing services and data with personal devices right now. One basic reason: They’re always within arm’s reach.
Again, this isn’t a new issue. But it’s a reminder that personal devices used by remote workers need some extra layers of security, because the devices themselves probably aren’t as locked down as your company-issued hardware.
“Companies must enable two-factor authentication, and use content filtering and IAM solutions,” Chabra says. “When creating new accounts for home workers, companies must encourage strong passwords and adhere to the principle of least privilege.”
It might not even be that employees will use personal devices more often, but that they will be accessing corporate data and services more often from those devices.
“As more employees work from home, the demand for content availability from BYOD systems and devices increases,” says Cliff White, CTO at Accellion.
This can force IT leadership to strike a trickier balance between ensuring access for business continuity and maintaining security. Granting access too widely (in the interest of enabling unfettered business operations) could introduce unwanted risks.
“Enterprises that create or handle sensitive information or IP – which is every organization – must take distinct precautions to ensure that their data is not shared with or transmitted to unsanctioned or compromised endpoints,” White says. “This includes tools like encryption and two-factor authentication but also granular policy controls like role-based permissions and access controls for internal and external users.”
3. False: I'm logged into VPN, so we're all good
Your corporate-owned laptops and other devices might already be outfitted with VPN access, and that’s generally a good thing. Just remember that a VPN connection is not a panacea. And if you’ve been leaning on older software that wasn’t in heavy-duty use previously, you might need to revisit it for security, licensing, bandwidth, and other configurations.
“A remote, unauthenticated attacker may be able to compromise a vulnerable VPN server,” Chabra says.
In that scenario, the attacker could potentially gain access to all active users and their plain-text credentials, for example. Chabra adds that it may also be possible for the attacker to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.
“Companies must make sure VPN software is patched and the latest version is installed,” Chabra says. “They should also ensure procedures are in place to keep the software updated.”
This isn’t to say you shouldn’t use a VPN. Rather, make sure it’s up to date and that you’re using it for its intended purposes. As Laurence Pitt, global security strategy director at Juniper Networks, reminded us recently, that usually means you’re using it to protect business services, not for all online activity.
Let’s debunk 3 more myths: