The pandemic has pushed disruptive trends into overdrive. Legacy organizations are vulnerable to disruption - but can use their advantages to fuel innovation efforts.
Remote work: 6 common misunderstandings about online security threats
VPN, cloud, and phishing misunderstandings show up in myths about security and remote work. Security experts break down the truth about how to stay safe
4. False: We're in the cloud, so we're all good
Organizations that lean heavily on cloud services for everything from infrastructure to applications may have had an initial leg up in terms of continuity. And services like cloud-based email are usually a good example of where logging in via VPN isn’t actually necessary.
Just don’t make the mistake of thinking that cloud platforms automatically ensure your security. Josh Stella, cofounder and CTO at Fugue, notes that key changes in how your teams may be accessing cloud environments might throw your previous security posture out of whack.
“If your engineers typically access cloud infrastructure through your corporate networks and now they’re working from home, you may be exposed to new threats you’re not used to managing,” Stella says. “Malicious actors are using automation tools that specifically search the internet for virtual servers, networks, and identity and access management services aren’t configured securely when accommodating these new remote access patterns. And your engineers are probably changing cloud resource configurations often in order to do their work.”
Visibility remains a principal need for security and other reasons, especially across distributed environments.
“Set up notifications so you know when configuration changes are made to security-critical resources, such as IAM, security groups, object storage services, and database services,” Stella advises. “Quickly identify and remediate dangerous misconfigurations when they occur, before malicious actors can find and exploit them.”
5. False: Our people know how to spot a scam
We recently covered the resurgence of phishing attacks and why they remain so effective. Here’s the cheat sheet version: We humans are not, in fact, very good at spotting bogus emails, text messages, and similar threats. And that’s true in normal times, never mind stressful ones. That’s why phishing can happen to anyone, as Red Hat chief security architect Mike Bursell recently pointed out.
People aren’t good at spotting “dodgy” emails, Chabra says. We won’t belabor the point, but act accordingly.
“Ensure email security controls are implemented to block phishing attacks and detect and quarantine malware threats,” Chabra advises.
[ Read also: Remote security: 5 common myths about phishing scams.]
Even security tools such as secure email gateways can be fallible. So this is not the time to let up on awareness programs and other forms of education and communication. Make sure you’ve got an authoritative two-way channel for employees to report suspicious messages, links, and the like.
6. False: This shift to remote is a short-term issue
We might want this to be true, but that’s what makes it dangerous from a security standpoint. In all likelihood, the sudden shift to remote work will have lasting impacts in many organizations, according to Steve Durbin, managing director of the Information Security Forum. Durbin views the work-from-home shift as a “new business normal.”
From a security standpoint, Durbin thinks we’re in the midst of a three-phase evolution. Phase one, Durbin says, is all about technology: Getting a suddenly remote workforce up and running with the tools people need to stay connected and do their jobs from home.
Phase two brings a rise in direct attempts to breach an organization via its employees now working from home.
“[We] will see targeted threats on organizations where the remote worker is seen as potentially being the weakest link in the security chain, not necessarily in their access to their own corporate interface, but via the third-party access routes that they will unavoidably be keeping open in order to fulfill their roles,” Durbin says.
Most of the above issues, from Zoom security to targeted phishing attacks and more, fall under phase one, phase two, or perhaps both. (They’re certainly related.)
We’re probably on the precipice of phase three – and IT leaders and security pros will need to be mindful of it: Complacency.
“[This] will come about through increased stress and cyber-anxiety, which will result in a lowering of vigilance and frankly, the sheer boredom of having to work remotely when the normal routine has been built around social interaction,” Durbin says. “My biggest concern is when remote workers enter phase three since it is unlikely that remote team leaders and managers will identify these signs until it is upon them.”
[ How do containers help manage risk? Get the whitepaper: Ten Layers of Container Security. ]