Remote work: 6 common misunderstandings about online security threats


VPN, cloud, and phishing misunderstandings show up in myths about security and remote work. Security experts break down the truth about how to stay safe.


4. False: We're in the cloud, so we're all good

Organizations that lean heavily on cloud services for everything from infrastructure to applications may have had an initial leg up in terms of continuity. And services like cloud-based email are usually a good example of where logging in via VPN isn’t actually necessary.

Just don’t make the mistake of thinking that cloud platforms automatically ensure your security. Josh Stella, cofounder and CTO at Fugue, notes that key changes in how your teams may be accessing cloud environments might throw your previous security posture out of whack.

“If your engineers typically access cloud infrastructure through your corporate networks and now they’re working from home, you may be exposed to new threats you’re not used to managing,” Stella says. “Malicious actors are using automation tools that specifically search the internet for virtual servers, networks, and identity and access management services that aren’t configured securely when accommodating these new remote access patterns. And your engineers are probably changing cloud resource configurations often in order to do their work.”

Visibility remains a principal need for security and other reasons, especially across distributed environments.

“Set up notifications so you know when configuration changes are made to security-critical resources, such as IAM, security groups, object storage services, and database services,” Stella advises. “Quickly identify and remediate dangerous misconfigurations when they occur, before malicious actors can find and exploit them.”
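One way to implement the notifications Stella describes, as an added example that is not part of the original article: a filter over audit-log events that flags changes to IAM, security groups, object storage, and database services. It assumes AWS CloudTrail event names and field layout (the article names no provider); the sample events and the `sample_event` helper are constructed for illustration.

```python
# Added example. Assumption: AWS CloudTrail-style events; the article names no provider.
WATCHED = {
    "iam.amazonaws.com": {"AttachUserPolicy", "AttachRolePolicy", "PutRolePolicy", "CreateAccessKey"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"},
    "s3.amazonaws.com": {"PutBucketPolicy", "PutBucketAcl"},
    "rds.amazonaws.com": {"ModifyDBInstance"},
}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def open_ingress(params):
    """True if any rule in the request admits the whole internet."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if OPEN_CIDRS & set(v4 + v6):
            return True
    return False

def classify(event):
    """Return None (ignore), 'notify' (watched change) or 'urgent' (dangerous change)."""
    name = event.get("eventName")
    if name not in WATCHED.get(event.get("eventSource"), ()) or event.get("errorCode"):
        return None  # unwatched call, or denied/failed so nothing changed
    params = event.get("requestParameters") or {}
    if name == "AuthorizeSecurityGroupIngress" and open_ingress(params):
        return "urgent"
    if name == "ModifyDBInstance" and params.get("publiclyAccessible") is True:
        return "urgent"
    return "notify"

def triage(events):
    """Return (level, eventName, actor ARN) for every event worth a notification."""
    hits = [(classify(e), e.get("eventName"), e.get("userIdentity", {}).get("arn", "unknown")) for e in events]
    return [h for h in hits if h[0]]

def sample_event(source, name, params=None, error=None):  # hypothetical helper for constructed events
    return {"eventSource": source, "eventName": name, "requestParameters": params, "errorCode": error,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-engineer"}}

SAMPLE = [  # constructed events, not real logs
    sample_event("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", {"groupId": "sg-EXAMPLE", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    sample_event("ec2.amazonaws.com", "DescribeInstances"),
    sample_event("s3.amazonaws.com", "PutBucketPolicy", {"bucketName": "example-bucket"}),
    sample_event("iam.amazonaws.com", "AttachUserPolicy", error="AccessDenied"),
    sample_event("rds.amazonaws.com", "ModifyDBInstance", {"dBInstanceIdentifier": "example-db", "publiclyAccessible": True}),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The `urgent` results map to the "quickly identify and remediate" step, while `notify` results are routine changes that still deserve a record.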

5. False: Our people know how to spot a scam

We recently covered the resurgence of phishing attacks and why they remain so effective. Here’s the cheat sheet version: We humans are not, in fact, very good at spotting bogus emails, text messages, and similar threats. And that’s true in normal times, never mind stressful ones. That’s why phishing can happen to anyone, as Red Hat chief security architect Mike Bursell recently pointed out.

People aren’t good at spotting “dodgy” emails, Chabra says. We won’t belabor the point, but act accordingly.

“Ensure email security controls are implemented to block phishing attacks and detect and quarantine malware threats,” Chabra advises.

Even security tools such as secure email gateways can be fallible. So this is not the time to let up on awareness programs and other forms of education and communication. Make sure you’ve got an authoritative two-way channel for employees to report suspicious messages, links, and the like.

6. False: This shift to remote is a short-term issue

We might want this to be true, but that’s what makes it dangerous from a security standpoint. In all likelihood, the sudden shift to remote work will have lasting impacts in many organizations, according to Steve Durbin, managing director of the Information Security Forum. Durbin views the work-from-home shift as a “new business normal.”

From a security standpoint, Durbin thinks we’re in the midst of a three-phase evolution. Phase one, Durbin says, is all about technology: Getting a suddenly remote workforce up and running with the tools people need to stay connected and do their jobs from home.

Phase two brings a rise in direct attempts to breach an organization via its employees now working from home.

“[We] will see targeted threats on organizations where the remote worker is seen as potentially being the weakest link in the security chain, not necessarily in their access to their own corporate interface, but via the third-party access routes that they will unavoidably be keeping open in order to fulfill their roles,” Durbin says.

Most of the above issues, from Zoom security to targeted phishing attacks and more, fall under phase one, phase two, or perhaps both. (They’re certainly related.)

We’re probably on the precipice of phase three – and IT leaders and security pros will need to be mindful of it: Complacency.

“[This] will come about through increased stress and cyber-anxiety, which will result in a lowering of vigilance and frankly, the sheer boredom of having to work remotely when the normal routine has been built around social interaction,” Durbin says. “My biggest concern is when remote workers enter phase three since it is unlikely that remote team leaders and managers will identify these signs until it is upon them.”
