When the COVID-19 quarantine hit in mid-March, it created an unprecedented situation in which the number of remote workers skyrocketed beyond anything anticipated.
“The only analogue of this scale I would say is 9/11, and that was fairly regional,” says Sean Gallagher, a threat researcher at Sophos. “It wasn’t a national thing like this is, and it wasn’t nearly for this period of time.”
Gallagher was working remotely from Baltimore for a New York company. All his fellow employees in New York were displaced for several weeks.
“We had to figure out how to operate without the office for nearly a month,” he says. “But that was very regionally specific. This is a much broader problem.”
Regional vs. global
The nearest thing most companies may have experienced to COVID-19 is something like a hurricane or other natural disaster, all of which are regional. This crisis has scaled beyond any plans companies had in place to deal with remote workers—and with that has come a level of insecurity that has also been unimaginable.
“It’s not something that might’ve been in most companies’ disaster recovery continuity business plan,” says Gallagher. “But it is certainly not unprecedented in terms of the need to be able to flexibly handle ongoing operations with employees not in the office.”
Moreover, the vast move to remote work is an exacerbation of the human element that “is often—frankly always—the most uncontrollable component of cybersecurity risk,” says Bob Moore, director of server software and product security at Hewlett Packard Enterprise.
All large organizations can arrange for some users to work from home, but until recently, few ever tried to have nearly everyone work from home. If existing security tools and procedures are inadequate, what do you really need to do to make the situation acceptable?
We asked a handful of security experts three questions. Here are their answers.
What can you do to secure your own remote working space? VPN, antivirus, two-factor authentication
Common instructions came from every computing security specialist we spoke with, starting with the need to equip your computer with a virtual private network (VPN) so that all of your activities are done on your company’s network, not on your own, looser, more vulnerable one. This is just one difference between office security and remote security.
“In a workplace environment, you typically have a well-structured, highly controlled work environment where there are tight measures and controls on the type of traffic that can flow, what type of authentication is used, and what type of data can be stored,” says Tim Ferrell, cybersecurity architect at HPE.
Others agree. “At most enterprise or business locations, there are firewalls and the network is monitored by a networking team,” says Mick Wolcott, partner at Goldman Lockey Consulting in San Francisco. “Whereas at home, you’re basically just either doing Comcast or AT&T or something like that, and you don’t get the behind-the-scenes where we examine the traffic that’s coming in. We can’t tell if there’s malware that’s been downloaded or where it’s been clicked, and we can’t keep an eye on events in the background.”
So antivirus and malware protection are not enough. You also need regular updates to your protection. And just like always, you need to guard against phishing. You should always be at maximum awareness of messaging vulnerabilities on your remote connection and your private computer, especially when the computer is shared with other family members or used for your personal business as well.
Finally, you should have two-factor authentication, something that has become more common but could hardly be called de rigueur. This is a tough time to institute two-factor authentication, but think about it anyway; it’s the best way to prevent phishing and other authentication attacks.
Gallagher suggests another possibility, one that seems commonsensical yet surprising: online versions of the tools you use at work.
“If you’ve got the ability to use online services through a browser to do most of your work, that helps you segment the corporate data away from personal data,” he says. The big example would be to use the browser-based versions of the Microsoft Office programs (now Microsoft 365 apps) rather than the locally running programs.
But between VPN, two-factor authentication, and regularly updated antivirus, you’ve covered a large chunk of the threat model for people working from home. Most of the rest, Gallagher says, is “gilding the lily.”
But the overall attitude in company security, he says, must be an industry-wide move to a zero trust model.
“Assume that both your corporate and your end-point systems are operating in hostile waters and that there’s some sort of compromise going on at any given time,” he says.
We have traveled “a long way from the old days of a hard perimeter and a soft inside,” Ferrell says. “The perimeter has become so porous that it’s more a checkpoint on the way in and out. But you have to assume that everything that connects to your network is hostile and treat it as such. You assume every remote device is potentially hostile.”
What should your company do to secure its employees? Establish central control
“As a long-term strategy, you want to make sure that people have access to a device that is corporate-managed and is locked down for specific use,” says Gallagher. “Or, you move to a model where everybody has a virtual machine that they can install that is remotely managed. So that gives them the ability to do work stuff on their home computer, but you can isolate the home computer from the virtual device. And I think that’s something that a lot of companies are moving towards.”
This is an expense, especially in the smallest and the largest companies. But the time for cost cutting may have come to an end.
“One of the big things I think that I have not covered because we were mostly talking about network security is the importance of backups,” says Wolcott. “We’ve had quite a few horror stories where somebody has clicked on a malicious link, downloaded it, and it has encrypted their entire computer [and] obviously held it for ransom.” In fact, while industrial espionage may be rare, ransomware is so common there are named ransomware gangs, like Maze, REvil, and Ragnar Locker.
How can you plan for the unplannable? Process, policy, and threat modeling
“Don’t let the business dictate the security policies to you,” warns Simon Leech, senior adviser for security and risk management at HPE Pointnext Services. A lot of companies will be in a rush to adapt to remote working very quickly, but they shouldn’t be, says Leech. “The security team shouldn’t allow an opportunity for a weakness to be introduced by deploying a technology quickly and insecurely.”
Nor should it gather shiny things at the expense of solid process, according to Ferrell.
“Everybody looks at product because product is the shiny object,” he says. “And so they’ll go buy a fancy new modern tool to deal with some of these issues, but they will totally overlook process and they’ll overlook policy. The most expensive, beautiful tool in the world isn’t worth a damn if it’s not wrapped around a process that makes it work right.”
Enterprise IT security: Lessons for leaders
- Organizations that follow best practices are in the best position to handle quarantines securely.
- If security is a priority, there’s no way around spending money now to mitigate work-at-home problems.
- If your employees have a VPN, two-factor authentication, and regularly updated antivirus, you’re in good enough shape.