Remote working used to be a trend; Covid-19 has made it an imperative
As the world fights the spread of the novel coronavirus (Covid-19), many companies are developing or rolling out home working policies.
Growing numbers of employees in office-based environments are being encouraged or mandated to work from home and communicate with colleagues via email, instant messaging, and teleconferencing applications.
Tech giants like Google and Microsoft, which long ago established the infrastructure for remote working, are well prepared to adapt to the new imperative for social distancing (although Microsoft’s software is already buckling under the strain).
But for smaller organizations that are unaccustomed to their workforce being dispersed, remote working will entail new security risks that they might not be prepared for.
With this in mind, here’s what you need to know about the security implications of your business joining the mass migration to a home-based workforce.
New malware targeted at remote workers
“In the environment created by coronavirus, malicious actors are taking advantage of every opportunity to attack, and traditional security policies are no longer sufficient in many cases to provide protection once employees are working off the premises,” Dave Waterson, CEO and founder at SentryBay, told The Daily Swig.
The past few weeks have seen more than a dozen new malware or phishing campaigns that are targeted at remote workers. Emotet, Agent Tesla, NonoCare, LokiBot, Ursnif, FormBook, Hawkeye, AZORult, TrickBot, and njRAT are just a few examples of the malware being deployed to exploit the health crisis.
“What characterizes these malware is that they have keylogging functionality, which is why endpoint security against keyloggers for home workers is so essential,” Waterson said.
“People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing,” Colin Bastable, CEO of security awareness training company Lucy Security, told The Daily Swig.
“This increases the risks that they can introduce to their employers and colleagues, by clicking on malware links.”
The extended corporate network
In recent years, much effort has gone into securing data transmission and storage in on-premise and cloud servers as well as corporate network perimeters. But work-from-home policies are effectively extending the activities of companies beyond the secure confines of corporate networks.
“Essentially, your network perimeter now includes all of your employees’ homes or the coffee shops they are working at,” Chris Rothe, chief product officer and co-founder of Red Canary, told The Daily Swig. “Some security programs are ready for this, some aren’t.”
“With remote workplaces, there is a significantly greater risk of data breach because companies have limited control of the security profile of unmanaged endpoints, whether these are mobile phones or personal laptops – or even corporate devices – that are only using conventional security software,” Waterson said.
Rothe pointed to two key security challenges: first, the security team loses control over the environment in which the user is working. “Have they secured their home WiFi? If they’re using a personal computer, what mechanisms do you have to ensure that device isn’t compromised?” he asked.
Second, companies will face a challenge providing their employees with secure access to IT resources. “In a world of growing SaaS [Software as a Service] and cloud adoption this can be very seamless, but if your systems are all on an internal network the challenge is providing users [with] a secure way to access those systems,” Rothe explained.
Working from home: Security best practices
- Use VPNs to avoid exposing the corporate network to the public internet and secure it against eavesdropping
- Migrate all login details and passwords to a remotely-accessible password manager ahead of the transition
- Ensure operating system, apps, browsers, and other software are up to date with the latest version
- Set employees up with virtualized operating environments to access sensitive resources in order to isolate sensitive data
- Use quickly deployable and configurable security solutions, such as anti-keylogging software, to protect data entry on BYOD and unmanaged applications
- Promote and enforce crystal-clear security hygiene rules such as enabling two-factor authentication and avoiding clicking on suspicious links
Security risks of shadow IT solutions
Inefficient management of IT resources can push employees to adopt their own ad-hoc solutions. For instance, a team of employees used to working together in the office might stay in touch remotely using free online collaboration tools such as Slack and Google Drive, or low-priced whiteboarding services.
Some companies might welcome and encourage this kind of behavior since it’s a cost-effective way to preserve team dynamics during times of crisis.
But again, this can create new security risks, since the companies don’t have control over the data being stored on these cloud applications. Also, they won’t be able to enforce security policies (like MFA or strong passwords) or detect and handle potential security incidents, such as phishing attacks and account takeovers.
Working from home security tips
“Companies need to use security solutions that are specifically designed to protect data entry on BYOD [Bring Your Own Device] and unmanaged devices, particularly into remote access apps like Citrix, VMWare, WVD [Windows Virtual Desktop], web browsers, and MS Office applications,” said SentryBay’s Waterson.
Given the urgency of the situation, organizations must find products that can be deployed quickly and without special configuration. “This means selecting proven anti-keylogging software that can protect every keystroke into any application and prevent screen-scraping malware from stealing credentials and sensitive corporate data,” Waterson adds.
“It is also important to have access to a portal that allows simple configuration by administrators.”
Many of the experts The Daily Swig spoke to endorsed corporate VPNs (virtual private networks) as an important layer of protection. VPNs will equip organizations to give employees access to company apps and resources without exposing the corporate network to the public internet. It will also make sure that communications remain secure from eavesdroppers regardless of home network configurations and security.
But even the strongest endpoint security tools can’t replace employee awareness and education. It is now more important than ever to promote and enforce security hygiene rules such as enabling two-factor authentication on business accounts.
“Now is a great time to warn people to be ultra-cautious, hover over links, and take your time,” Lucy Security’s Bastable explained. “With disrupted management communications and fewer opportunities to check with the CEO and CFO, expect remote workers to fall victim to these attacks too.
“Have crystal-clear policies, never let the C-suite override the rules, and check for personal emails and spoof emails. If an unusual request is made – phone a friend! Call the boss.”
Tal Zamir, co-founder and CTO of Hysolate, recommended that organizations provide their employees with dedicated operating systems to access sensitive resources.
“Some organizations do this already today with dedicated hardware, but it’s not necessary to purchase hardware to follow this best practice,” Zamir told The Daily Swig.
“Leveraging virtualization, IT teams can achieve the same result of providing employees with a separate and isolated operating system to access sensitive resources while enabling them to operate in a single physical device.”
As the physical boundaries of personal and professional life dissolve, organizations must make sure the digital lines remain firm.
“The best recommendation is actually to follow the same protocol that we’re following to stop the spread of coronavirus: isolation,” Zamir suggested. “Just as social distancing is being practiced, organizations need to employ isolation to secure a corporation’s sensitive data.”