The shift to more people working from home raises issues for information technology (IT) and information security (IS) staff. Some of these issues can be addressed by changing technologies and applications, but others will require increased awareness and security-minded behavior from the remote workers themselves, which organizations will need to promote. This is also an opportunity to build better relationships with employees. Those who are unfamiliar with working from home may be especially unsure about how to protect themselves and business information. IT/IS professionals, for their part, may have concerns about the sudden expansion of the edge of the enterprise network: from the circle in the middle of Figure 1 to the larger cloud containing all of the remote workers.
Figure 1: Remote workers in relation to the enterprise
It is important at this time for business leadership and security management to do what they can to help people who are not used to working from home protect themselves and, by extension, the business. How can IT/IS staff help them?
This blog post explores several good practices to share with new remote workers that go beyond traditional security awareness training. Reiterating the key points to employees who already work remotely is a good idea as well.
Communication is an important first step. Bring employees into the conversation and make them aware of several concepts. The first is which company resources are the most important or valuable: any sensitive information, including intellectual property, financial records and customer information. The list will be longer for many companies, but this is a good start. Beyond information, any computer is a potentially valuable resource. An attacker who gets onto a system and finds nothing sensitive is unlikely to simply leave. At a minimum, laptops and desktops have computing resources that can be used for cryptomining or as part of a botnet.
Stolen credentials are a common way for attackers to get into business systems. One widespread technique is credential stuffing: taking username and password pairs leaked from previously compromised services and replaying them against other sites, on the assumption that people reuse passwords. If an organization has critical business services such as email or shared resources (for example, file sharing sites like Google Drive or OneDrive) where multifactor authentication is currently optional, consider making it mandatory and explaining to staff why: multifactor authentication significantly raises the bar for an attacker who already has a valid password. Provided the additional factor is a token, either a hardware token or an app-based one-time code, and not an SMS message, multifactor authentication is an important security control, especially for any remote access to company data and resources. Attackers have hijacked SMS delivery, for example by taking over the victim's phone number, to defeat SMS-based multifactor, which is why we do not recommend it.
Virtual Private Networks
Virtual private network (VPN) resources are being strained because most businesses are not used to so many people working from home. Many workers may not really need the VPN, however. If they primarily use local native applications, or web-based applications and email reached over HTTPS, a VPN adds little. This is where understanding threats is helpful: the VPN protects traffic in transit, but TLS already does that for web-based business resources and for cloud-hosted business email such as Google's Business Suite or Microsoft's Office 365, provided employees are only performing business functions and not browsing arbitrary websites from the same session. This is another case of communication and education. As long as employees understand the parameters, IT/IS staff can reduce the strain on VPN infrastructure and still protect the business.
It may go without saying, but anti-malware is essential. Many businesses scan email for malware at the mail transfer agent (MTA), and email is a common attack vector, but that is not a reason to forego anti-malware on desktop systems. This is especially true when employees use their own devices to access business resources hosted with a cloud provider. Anti-malware is not perfect, however, and users must still protect themselves and their systems through basic computer hygiene. Organizations should help employees understand that anti-malware software does not make them completely protected. They still need to practice safe computing: validate unexpected attachments, website links and any request for a money transfer by phoning the requester on a number already known to be correct, not one supplied in the message. If there is any doubt, employees should feel encouraged to contact the help desk.
Shadow IT is a problem for many organizations. IT-approved resources need to be available to employees, and employees need to know how to reach them from home. This short-circuits the use of unauthorized IT-style resources such as personal file sharing sites. People turn to shadow IT because they do not know an approved resource exists, because no approved resource meets their needs, or because the approved one is too difficult to access. Organizations that address all three concerns can reduce or eliminate their shadow IT problem. Communication is essential and should be delivered in a helpful tone. Security should be an enabler, and be seen as one, rather than something restrictive. As soon as doing the right thing becomes too onerous, people will find ways around it and defeat the security control from the outset.
Working from home can be a very productive time. Studies have found that remote workers can be at least as efficient as their colleagues in the office. Getting work done does not have to be painful, nor does it have to generate a large increase in information security risk. There are a handful of things IT/IS staff should be doing to help employees navigate this difficult time. First, make sure staff use the company-provided VPN, but give them guidance on when it is essential and when it can be skipped to reduce the strain on resources. If the organization uses a service such as Office 365 or Google Business Suite, email is already encrypted in transit without the VPN, and access to it should require multifactor authentication. So if all that is being used is email or other encrypted web services, a VPN may not be needed. Second, employees should understand why a security control such as anti-malware is in place and what threat it counters. If anti-malware signature updates come from a business-controlled repository, make sure staff know how to keep their software up to date, since phishing attacks are increasing at this time. Finally, spread the message to avoid shadow IT. Make sure employees understand how to use internal, corporate-controlled resources, and make those resources easy to use.