Suddenly countless numbers of people are working from home. This massive shift in work processes can have huge repercussions from a security, privacy, regulatory and data governance standpoint.
The coronavirus crisis has greatly broadened the boundaries of the “enterprise” to an extent few could have imagined — in just a period of weeks. Suddenly, countless numbers of people are working from home and requiring access to company networks and data from remote locations.
This massive shift in work processes can have huge repercussions from a security, privacy, regulatory and data governance standpoint. And because this monumental change has happened seemingly overnight, many companies no doubt have been caught by surprise. IT, security and other business leaders in general could not have anticipated that they would need to quickly support so many remote workers at one time.
Among the key challenges IT and security leaders face is how to enforce or adjust telecommuting policies during the pandemic, how to safeguard against cyberthreats related to the crisis such as malware and ransomware, and how to make sure their companies are remaining compliant with data privacy regulations.
Here are some suggested best practices to help ensure that networks, applications and data remain protected in this new work environment.
1. Make sure all connections are secure
During this period it’s likely that more people are connecting to company networks remotely than ever before. It’s a monumental networking and security challenge for organizations, but one you must meet in order to keep information resources safe.
The reality is, even before the crisis, the majority of collaboration applications started as “unsanctioned” applications that made it easier to communicate and collaborate, said Wayne Kurtzman, research director for social, communities, and collaboration at IDC. “The first business challenge in the COVID-19 era is securely connecting people to work,” he said.
The average smartphone user “already is well-versed in robust communication and collaboration applications on their phones, and now expects that same ease of use and productivity at work,” Kurtzman said. “Companies need to connect people to do what people do: collaborate with user-friendly applications, starting with videoconferencing, short-form chat and team collaboration applications.”
All of these applications must be able to meet the data security and privacy standards of the organization as well as government regulations. This will keep employees within the security, governance and compliance rules that already exist in most enterprises, Kurtzman said.
A corporate-level VPN, single sign-on (SSO) and multifactor authentication are among the most common protections organizations use in their telecommuting policies, Kurtzman said. “With the exception of SSO, these add a layer of friction to working remotely,” he said. “In recent years, some enterprises cut down on the number of remote licenses, which are now a big priority to getting work done.”
Keeping network connections secure with such a large rise in remote workers will not be easy. With work-from-home mobilizations, IT security operations will be strained to ensure control, uniformity, visibility and support, said Frank Dickson, program vice president, security and trust, at IDC’s Cybersecurity Products research practice.
“Lacking logical and physical control of end-user devices and their access networks [such as home Wi-Fi], remotely enforcing corporate-defined security policies at these control points is not possible,” Dickson said.
As for uniformity, before this mobilization end-user devices and networking components were standardized based on IT-defined specifications. “In post-WFH [work-from-home] mobilization, exceptions multiply and so too the challenges in maintaining a uniform level of security,” Dickson said.
Visibility is another challenge. “Absent a virtual presence on end-user’s devices and their access networks, security analysts are sensory deprived,” Dickson said. “Telemetry used to build storylines of multi-stage attacks and compromised systems is not as plentiful. Consequently, detection and response times lengthen, and post-incident, system-wide removal of adversaries’ silent malware and backdoors becomes less certain.”
Finally, the capability to support end-users will be stretched, as IT teams are also dislodged from their traditional work environments and routines, Dickson said. IT might not be able to provide the same level of hands-on support such as deploying security agents, patching systems, scanning for software vulnerabilities and configuring devices.
2. Communicate and collaborate at tactical levels
For cybersecurity executives, the work-at-home mandates are providing a big test for business continuity plans. CISOs need to recognize that many aspects of the shift to a work-at-home model are baked into business resiliency plans and should be straightforward in implementation, said Jim Routh, head of enterprise information risk management, enterprise technology & experience, at insurance firm MassMutual.
“However, very few large enterprises have ever tested capabilities for all employees working at home on a specific day simultaneously,” Routh said. “This highlights the balance between the known and the unknown risks of change at this scope during a specific timeframe.”
“The only way to mitigate this is with communication and collaboration at tactical levels, so that companies can raise their capabilities to meet the new requirements,” Routh said. These may originate in a business resiliency exercise, but have to evolve quickly to scale to the situation in reality.
At MassMutual, infrastructure leaders and cybersecurity professionals are working together every day to recognize new risks and make adjustments in resource assignments through a process called threat vulnerability assessment (TVA). “We use the TVA process to address configuration and implementation issues along with risk issues at the same time,” Routh said.
Crisis management requires practice, and enterprise resiliency is dependent on effective communication, Routh said. “It is the lubricant that enables highly responsive models to be put in place without a specific script. Past exercises help set up expectations for who makes decisions in a crisis event, and that lends itself to better response overall. It matters less which scenarios were practiced and matters more that there is practice for resiliency events of all kinds.”
3. Prepare to support and protect all employee devices
This sounds straightforward enough. However, the complexity of essentially moving an entire workforce from company offices to home workspaces is anything but simple.
“The problem is the speed at which COVID-19 forced the immediate closure of offices, leading to the frequent need to support BYOPC [bring your own personal computer], which until now had primarily been used to support Mac users,” said Rob Smith, research director at Gartner. “As such, there are two main answers here based on who owns the equipment.”
For corporate-owned devices, organizations need to make sure the equipment is manageable and updatable. “This way any required software and patches can be deployed no matter where the device is,” Smith said. “Also, connection software such as a remote VPN client can be deployed and configured without having to involve a support call with the end user.”
For a personally owned device, “the reality is you need to support what the user has, unless you can get them new equipment — which right now is not possible due to a shutdown of the supply chain,” Smith said. “This means first determining the kind of apps and content the user needs access to, as well as if these apps and data are in the cloud or on-premises.”
Applicable to both groups of users is knowing if the company’s infrastructure and the employee’s infrastructure at home can support the required amount of bandwidth, Smith said. “For example, if you have 100 employees each with 100 [megabit] access, you would need 10 [gigabit] access to support them, unless you implement bandwidth throttling on the connection,” he said.
It is also important to note whether any device in use is a high security risk, such as those that hold sensitive data. “For high-security users, it is often too great of a risk to allow data to be stored locally, especially in a BYOPC environment,” Smith said. “As such, virtualization is the ideal solution, provided the company and user have enough bandwidth and the company has the resources to initially configure” the virtual desktop infrastructure.
Organizations need to decide whether remote access will be allowed from non-company owned assets and, if so, whether this will only be to terminal services or Web applications, said Doug Graham, CISO at Lionbridge, a provider of artificial intelligence, content and other services.
“For organizations that rely on on-premises workloads, will current bandwidth capacities accommodate an increased number of remote users? Have virtual desktop solutions been deployed? Can data legitimately be processed on off-site desktops? The answer to these questions dictates the degree of policy change that might become required,” Graham said.
If operational necessity dictates the use of personal computers, Graham said, companies need to decide whether data downloads should be restricted. “For example, can employees work using the Web access version of Microsoft Office 365 as opposed to downloading data to client applications?” he said.
Provisioning technologies such as virtual desktops “makes it easier to control the environment an employee is using to connect to work systems, and makes it simpler for staff to maintain a larger than normal pool of people working from home,” said Pratyush Rai, CIO at Kaplan Higher Education, a provider of educational services.
4. Be on the lookout for new types of threats
In some cases, the home environment may be less physically secure than the office environment, Graham said. Companies need to stress the importance of employees safeguarding company devices and data while they’re working at home.
Lionbridge is asking employees who telecommute to remember that the same precautions the company uses to protect sensitive data in the office also apply at home. “Lock your screen when you leave your chair, just like you would in the office,” he said. “If you need to print sensitive materials, dispose of them securely. Be careful when visiting informational sites that could be fake copies of common sites.”
The crisis itself may be new, Graham said, but basic, tried-and-true cybersecurity principles still apply. “Sticking to the basic skills that Lionbridge employees already have is what will keep our data safe and the business running smoothly,” he said.
There might be an increased likelihood of blending home and work activities on the same machines, Graham said. “Also, the sheer increase in communications that people may be receiving from their employer and seemingly every other company they have a relationship with primes the pump for phishing and other cyberattacks.”
Attackers often use notable events such as the COVID-19 virus as a veil for phishing attacks, Graham said. “There are already several active phishing campaigns in the wild leveraging COVID-19, coronavirus, and other words associated with the current situation,” he said. “As always, Lionbridge is asking all employees to exercise caution in opening emails from people they don’t know. But with COVID-relating content, we’re recommending they take extra caution.”
People are understandably concerned about their health, and the lack of clear information can make them hungry to learn more from whatever source they can, Graham said, which makes opening attachments or clicking on outbound links more tempting than they usually might be. “But it’s important everyone remain mindful and stay smart,” he said.
Continuing to educate employees on this is important, Rai said. “There has been a dramatic increase in phishing attacks, malicious texts and posts on social media regarding COVID-19,” he said. The FBI, Federal Trade Commission, and Cybersecurity and Infrastructure Security Agency all have good resources to help educate employees, he said.
Users might connect from home networks that might not be adequately secured, could be shared with other users, or might already be compromised. “Companies must take steps to secure data at rest — potentially on machines they don’t own, to secure data in transit over untrusted networks, and to increase their visibility into access logs and patterns in order to determine if user accounts have become compromised,” Graham said.
Security information and event management (SIEM) systems can be tuned to detect changes in users’ normal patterns, Graham said. “Yet in today’s environment, it’s harder to define what normal looks like,” he said.
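As an added illustration of Graham’s point about access-log visibility and user-pattern baselines (example code, not from the article, Lionbridge or any SIEM vendor): a minimal per-user baseline detector run over constructed login records. It shows why an office-era baseline floods with “new network” alerts once everyone logs in from home, and how a refreshed baseline plus a compound-signal threshold still surfaces the clearly anomalous login while tolerating a legitimate late-evening one. All users, networks, hours and thresholds are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample login records (not from the article), one per line:
# user,hour,country,network,device -- "network" stands for the source ISP/ASN.
OFFICE_WEEK = """\
alice,09,US,corp-office,laptop-a1
bob,08,US,corp-office,laptop-b7
"""
WFH_WEEK1 = """\
alice,10,US,home-isp-1,laptop-a1
bob,09,US,home-isp-2,laptop-b7
"""
WFH_WEEK2 = """\
alice,22,US,home-isp-1,laptop-a1
bob,03,RO,unknown-vpn,win-xq9
"""
ATTRS = ("country", "network", "device")  # event fields profiled per user

def parse(text):
    rows = [line.split(",") for line in text.strip().splitlines()]
    return [(u, int(h), c, n, d) for u, h, c, n, d in rows]

def build_baseline(events):
    """Per-user sets of the countries, networks and devices seen while training."""
    base = defaultdict(lambda: {a: set() for a in ATTRS})
    for user, _hour, *values in events:
        for attr, value in zip(ATTRS, values):
            base[user][attr].add(value)
    return base

def score(event, baseline):
    """List how an event deviates from its user's baseline (empty list = normal)."""
    user, hour, *values = event
    profile = baseline.get(user) or {a: set() for a in ATTRS}  # unknown user: all new
    flags = ["new-" + a for a, v in zip(ATTRS, values) if v not in profile[a]]
    if not 7 <= hour <= 19:  # outside the assumed 07:00-19:00 business window
        flags.append("off-hours")
    return flags

def alerts(events, baseline, min_flags):
    """Alert only on events with at least min_flags independent deviations."""
    scored = ((e[0], score(e, baseline)) for e in events)
    return [(u, f) for u, f in scored if len(f) >= min_flags]

def demo():
    office = build_baseline(parse(OFFICE_WEEK))
    # Stale office-era baseline: every legitimate first login from home is "new-network".
    stale = alerts(parse(WFH_WEEK1), office, 1)
    # Refresh the baseline with the reviewed, known-good first WFH week, then re-score.
    refreshed = build_baseline(parse(OFFICE_WEEK) + parse(WFH_WEEK1))
    single = alerts(parse(WFH_WEEK2), refreshed, 1)    # any one deviation alerts
    compound = alerts(parse(WFH_WEEK2), refreshed, 2)  # require two or more
    return {"stale": stale, "single": single, "compound": compound}
```

Against the stale baseline both legitimate home logins alert; after refreshing, the single-signal rule still flags the late-evening login, while requiring two independent deviations leaves only the new-country, new-device, off-hours login.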
5. Don’t waste people’s time
Companies are striving to maintain employee productivity, even as they shift to new working environments. The last thing they need to be doing is wasting workers’ time. “When enforcing a telecommuting policy, people tend to go overboard with meetings,” said Veera Budhi. “They schedule a daily standup or daily check-ins, and then they are also in back-to-back meetings with everyone else.”
As a result, many are unable to finish their “other” work, Budhi said. “While making sure you have a healthy balance is important, it is more important to make sure that every meeting scheduled has a purpose and is a necessity,” he said. “Also, you need to make sure everyone included in the meeting absolutely needs to be there, otherwise you are just wasting their time.”
Another important thing to address is ensuring that no one on the team is creating a bottleneck. “Most things have to go through various levels of approval before work can move forward,” Budhi said. “If your manager is too busy to review your work for approval, your work comes to a standstill.”
At the beginning of each week, managers should meet with everyone on their team, have them discuss the work they plan to accomplish that week, and all deadlines and dependencies they have. “Afterwards, schedule time on your calendar to ensure all work is being approved, and anything you need to review, gets reviewed,” Budhi said.