Mitigating the Risks of Remote Work
As part of its response to the COVID-19 pandemic, TenFour has asked some leading team members to explore how our business partners and colleagues can overcome this challenging time. In the piece below (part two of two), Matt Jonson, TenFour’s Vice President of Design Engineering, looks at how remote work can expose businesses to increased threats of intrusion, and recommends some key ways IT organizations can mitigate the risks.
Hackers don’t sleep during crises; they continue to threaten the ability of businesses to operate.
As I explored in my previous article, businesses and their IT departments have encountered a new challenge to business resilience that was not typically foreseen. The current COVID-19 crisis has shown a gap in many IT resilience plans, which have typically been about data continuity, because what matters right now is “people continuity.” IT’s most important objective has therefore become ensuring that the business continues to operate in as virtual a way as possible while great numbers of people work remotely.
The scale at which workers are now conducting business entirely virtually is unprecedented. For many organizations this leads to numerous new security variables, including where their workers are connected, how workers communicate, and how they reach the data on which their work depends. Unfortunately, all of these changes create an increased “attack surface area” for malicious actors. As a result, numerous watchdog organizations, including the U.S. Cybersecurity & Infrastructure Security Agency (CISA), have issued warnings about the types of threats individuals and businesses should keep in mind.
Clearly, many of the remote work scenarios in which people now find themselves were not pre-planned. A 100-person company, for example, now may suddenly have 90 new “locations” where work is being conducted from home. At the onset of the pandemic, IT organizations reacted quickly to facilitate remote work and have been willing to cut corners to keep the business functioning. New devices, data access methods, and communications methods may have been introduced without being fully vetted. But each newly introduced device or method has increased the attack surface area and the company’s exposure to threats.
One communications method that has rapidly increased in use is video meetings, which are being conducted on a wide array of devices, many of which are no longer corporate-provided ones. Most users of video wouldn’t think of the meeting as a data set, nor think to protect it. However, just like a phone call, it can be recorded or listened in upon. Information gained from that could be a critical enabler for a malicious actor.
As is evident from recent, well-publicized “Zoombombing” incidents, supposedly private company rooms have been infiltrated by uninvited guests during meetings. Additionally, some virtual conference providers, including Zoom, maintain all the encryption keys for meeting sessions, which means they can allow “official” tapping of a meeting. Unfortunately, official tapping can create a slippery slope to unofficial tapping and provide another means for a breach. Zoom is still a popular virtual meeting application, but as a result of these recent events some companies have taken steps to avoid its use, with some suing the company, and others, such as Google, banning its usage entirely.
When dealing with a sudden shift in security needs, I think it’s most useful to look at solutions for what has changed rather than the entire universe of usable security applications. The majority of corporate workers who can do their job remotely are now a form of mobile worker. We have known for a long time that a great many breaches are begun through a socially-engineered root: personal information that is freely available or easily obtained via the internet. An email may appear to be from your boss, or you may click a link that appears to be provided by a trusted organization like your bank. One of the most effective ways to mitigate this problem is through education, but it isn’t failsafe. Protecting information that may be useful to a bad actor is very important, and that includes keeping business meetings private.
A former coworker of mine used to effectively demonstrate social engineering techniques. One memorable incident occurred at a meeting we attended together. He texted me and surreptitiously watched me unlock my phone, from which he got my unlock code. Later in the day during the same meeting he used my phone when I went on a break without it, got in and emailed the rest of the team in the room (from me) to ask if anyone had seen my car keys. After I sorted out the situation—and everyone had a good laugh at my expense—the incident became a sobering reminder of how easy some malicious activities can be.
While this simple example relied on in-person manipulation, the reality is that today there are more uncontrolled factors in play, more points of vulnerability. People are mobile, working on home networks and with personal devices that don’t have the protections afforded in an office environment. And people will make mistakes. The question for the IT security team is “What can be done to mitigate the risks?”
Luckily, there are numerous tools and practices that can be put into place to help, and quickly. Any one of the following techniques can reduce your attack surface, and a combination of all of them provides good safety for the mobile worker. Any organization can benefit from implementing these, and TenFour supports both on-premises and cloud-deployed security solutions for the following:
Central Secure Identity & Access Management – This ensures access to corporate resources is allowed only to identifiable workers and removes suspicious connections based on other security telemetry.
Virtual Private Network (VPN) Clients – This securely bonds the end user into the corporate network.
Mobile Device Management (MDM) – This ensures access to corporate resources is allowed only to devices with a certain profile.
Advanced Endpoint Security with Malware Protection – This eliminates local threats on the endpoint in case the user does click on a malicious link.
Secure Domain Name System (DNS) – This ensures that malicious websites are black-holed before a link to one of them can be employed to download malware exploits.
Strong Web Meeting Protection – This links corporate Identity & Access Management to the meeting provider, and we encourage you to look for the ability to employ end-to-end encryption using private keys when creating meetings.
It’s essential for the IT organization to set a strong foundation for operational resilience, and today that is, first and foremost, to facilitate remote work and keep the business moving. However, as the dust is settling, it’s just as important to review the security posture of the remote worker and take steps to enhance it. As I pointed out, there are numerous new risks that come from virtual work methods that need to be considered. Thankfully, there are solutions that can be implemented now that will reduce those security risks.
As we all learn to work together amid the COVID-19 pandemic, let’s clamp down now on malicious actors before they take further advantage of the crisis and, by doing so, improve our remote work environments in the process.
Copyright © 2020 TenFour