Why working from home is an enormous unplanned stress test for security

Karl Lankford, Director Solutions Engineering, BeyondTrust.

Quite suddenly, hundreds, if not thousands, of organisations in areas around the globe affected by COVID-19 coronavirus are suspending office work and mandating that their employees work remotely. While some companies may have solid disaster recovery plans in place, few are likely equipped for a large-scale shift to telecommuting that could extend well beyond weeks. 

It is an enormous, unplanned stress test for remote access. This situation has created an immense, rapid demand for secure remote access tools due to the need to protect employee health and network security, as well as ensuring business continuity.

Except for a small sliver of companies that are either 100% telecommuting or have at least embraced remote work options for a significant part of their workforce, most organisations lack the infrastructure to effectively and securely go remote en masse. This model shift strains the networks, applications, and services structure.

Then, there are the cybersecurity implications. Do these newly telecommuting employees have the right remote tools for remote work, or are they compelled to quickly stitch together shadow IT applications to maintain productivity? Do they have work-provisioned laptops, or are they forced to use personal laptops and devices for work-related activities?

Shadow IT has long been a mixed blessing, but the move en masse to so many applications and devices outside IT control creates considerable risk. In most organisations, personal laptops probably lack the security software safeguards and policies that protect hardened, company-provisioned devices.

Many employees are now forced to use their own devices with corporate-issued VPN or other remote access technology. This situation poses a threat when they are connected to the corporate network.

Of course, as organisations and localities are grappling with how to maintain normalcy while taking precautions, cyber threat actors have not skipped a beat in exploiting the crisis. The World Health Organisation (WHO) has issued multiple reports of hackers leveraging exploits as part of coronavirus-related scams.

Sometimes, they pose as business partners or public institutions in an effort to phish users when they open messages infected with malware.

How can organisations and their workforces remain as productive as possible during this crisis without creating unacceptable security risks in the process? 

Unprepared organisations forced to go remote may feel compelled to broadly loosen security policies to enable productivity. Obviously, this is not an ideal situation, particularly for global enterprises. Loosening the standards for just one user or device could jeopardise data privacy and security across the entire global network.

One of the most pressing of these security issues involves the technology to enable telework in the first place. If organisations are unprepared to roll out a secure remote access technology, employees, including even IT staff, may feel forced to download free tools to get their work done.

However, these tools will almost invariably have a combination of monitoring, authentication, and security deficiencies that can put the entire organisation at risk of a breach, as well as failed compliance audits.

In haste, many organisations may have remote workers and vendors VPN into the corporate network, but VPNs are not ideal. First, they lack the scalability needed to accommodate a surge of remote workers. And, perhaps more concerning, VPN technology, while providing some protections such as against man-in-the-middle attacks, itself suffers many security shortcomings.

VPN security concerns are particularly heightened when VPNs are used for privileged users and third-party vendors. For instance, VPNs typically lack granular permission setting options, firewall settings are weakened, visibility and reporting options are poor, and the principle of least privilege may be unattainable.

If, in the short-term, BYOD is the only feasible option to allow remote work, it is advisable that you ensure your remote access technology absolutely does not use a VPN, does not use any local clients, does not perform any protocol tunneling, and renders all remote sessions in a browser.

While vendor access has long been a weak security link, typical office staff are now essentially forced into working as pseudo-vendors, coming from off-network devices and networks, and potentially BYOD. Of course, true vendor access itself may be expected to increase in the coming months as organisations turn to IT service providers and other third parties to help them manage the growing IT workload and new challenges in the face of the coronavirus.

And it is particularly important that vendor access is not as simple as on or off; it needs to be tightly controlled and audited.

Here’s a challenge exercise to evaluate your current remote or vendor access system and policies:

  • Challenge 1 – Can you set granular access? 
  • Challenge 2 – Do you have one single path for approvals and notifications? 
  • Challenge 3 – Do you know when your network is being accessed, by whom, and for what purpose? 
  • Challenge 4 – Do you securely manage privileged credentials for employees and vendors that are used for privileged remote access? 
  • Challenge 5 – Are you able to capture detailed session data for all remote access sessions?

Key takeaways

  • Do these newly telecommuting employees have the right remote tools for remote work?
  • Are they compelled to stitch together shadow IT applications to maintain productivity?
  • Do they have work-provisioned laptops, or are they forced to use personal laptops and devices for work-related activities?
  • The move en masse to so many applications and devices outside IT control creates considerable risk. 
  • In most organisations, personal laptops lack security safeguards that protect hardened, company-provisioned devices.
