Saryu Nayyar | Forbes.com
As the delta variant prolongs the Covid-19 pandemic, many organizations have opted to delay their long-awaited return to the office for their workforce. Instead, work from home (WFH) will continue to be a prominent work model for at least several more months, and some companies are considering it as a permanent option.
When pandemic lockdowns first took place in March and April 2020, companies all around the world made an overnight shift to remote work models. With the emphasis on simply helping workers gain network connectivity so they could remain productive, IT teams overlooked many of the requirements for maintaining an adequate security posture through these changes. The rushed response to WFH resulted in gaps in cybersecurity protections by introducing a new set of identity and access issues.
While the workers themselves may feel safe at home, their devices are actually more exposed, often through the use of consumer-grade technologies on their personal computers or unauthorized shadow IT tools used to share company data. Even corporate-provided VPNs have their shortcomings, such as weak user authentication and excessive user permissions. And with workers spread far and wide outside the usual constraints of the office environment, the attack surface area has grown huge.
Cyberattacks have surged during the year of WFH.
Cyberattackers have taken notice of these weaknesses and have ramped up their offenses. The anti-malware company Malwarebytes claims that phishing campaigns have surged during the pandemic, often using Covid-19 subject lines to lure their victims in. Ransomware attacks, too, have found their way into networks through poorly secured personal devices.
These attacks are taking a tremendous financial toll on companies. The Cologne Institute for Economic Research estimates that WFH during the pandemic cost German companies some $62 billion worth of damages from cyberattacks. The attacks are blamed, in part, on the use of personal equipment, a lack of security training for workers, the ease of hacking home Wi-Fi connections and companies failing to increase spending on needed security.
Now, as many companies consider implementing permanent WFH arrangements to offer employees more flexibility, more must be done to ensure a secure borderless work environment.
Conventional security controls are only a starting point.
Numerous conventional controls are only a starting point for securing remote workers and their home-based offices. Some are incumbent on the workers themselves, while others must be facilitated by IT processes and procedures.
It starts with educating remote workers about security best practices, such as:
- Don’t allow family members to use company-issued computers.
- Safeguard your password and change it often.
- Adopt multifactor authentication.
- Disconnect from the VPN when using the computer for personal tasks.
- Don’t use public or unsecured Wi-Fi networks.
- Be aware of phishing campaigns and scams and don’t click on unsolicited or unexpected links or files.
Another safeguard is to configure home wireless routers and personal firewalls to keep the home network secure. Workers will likely need some help from their IT department or their local internet provider for this. Tasks on this list include:
- Create a strong and unique password for the router rather than using the default password.
- Change the default network name (SSID).
- Enable WPA2 encryption for the home network.
- Limit home network access to specific MAC addresses (i.e., those devices you explicitly identify).
Additional controls should be spearheaded by the company IT department, including:
- Provide a hosted VPN for workers to access company resources.
- Ensure that workers use antivirus and other internet security software at home.
- Set up a centralized storage solution for work files and prohibit local storage of files.
- Protect video meetings so that they can’t be hacked or joined illicitly.
- Ensure that all software is patched and up to date.
- Prohibit use of unauthorized software for work purposes.
- Enforce multifactor authentication to validate credentials.
Evaluate risk based on adaptive models.
These conventional controls should be considered table stakes for WFH. As people continue to work remotely — and even when they work in the office — the best approach is to use model-driven security that adapts to threats and attack tactics.
Model-driven security uses numerous information sources about a system to calculate the amount of risk of a specific action and then automates a response based on security policy. The technique uses machine learning and data analytics to rapidly assess the current risk level before executing the response. That’s a complex definition, but it can be easily demonstrated with an example.
Consider access control for a computer system or application. Whether entry is allowed or denied is often determined by a person remembering a simple password. It’s a poor control at best, given the number of stolen passwords and the existence of brute-force programs that can try numerous passwords until one works.
What if the system, in addition to asking for a password, also looked at many other attributes around that access process? These might include the geographic location of the user, the time of day they are logging in, the cadence of their keystrokes, the information about their device, an IP or MAC address and so on. If those attributes can be collected and compared to a baseline profile of that particular user and their typical actions, we can get a clearer picture of whether we believe the user really is who they say they are. If the risk of giving access to the wrong person seems low, we can allow them to log in. If the risk seems high, they can be denied access.
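The comparison described above can be sketched in a few lines. This is an added example, not code from the article or from any product: a fixed-weight score stands in for the machine-learning model, and the weights, threshold, attribute names and sample baseline are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Baseline:              # per-user profile built from past logins
    countries: set
    devices: set
    login_hours: list        # hours (0-23) of previous logins
    keystroke_ms: list       # mean inter-key interval of previous sessions

@dataclass
class Attempt:
    country: str
    device: str
    hour: int
    keystroke_ms: float

# Hypothetical policy values; a real deployment would learn and tune these.
WEIGHTS = {"country": 0.35, "device": 0.30, "hour": 0.15, "keystroke": 0.20}
DENY_AT = 0.5

def hour_gap(a, b):
    """Distance between two clock hours, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def risk_score(base, att):
    """Return (score in 0..1, per-signal deviations from the baseline)."""
    signals = {
        "country": 0.0 if att.country in base.countries else 1.0,
        "device": 0.0 if att.device in base.devices else 1.0,
    }
    # Gap to the nearest habitual login hour, saturating at 6 hours.
    nearest = min((hour_gap(att.hour, h) for h in base.login_hours), default=6)
    signals["hour"] = min(nearest / 6.0, 1.0)
    # Keystroke cadence as a z-score, saturating at 3 sigma; no history is max risk.
    if base.keystroke_ms:
        mu, sigma = mean(base.keystroke_ms), pstdev(base.keystroke_ms)
        z = abs(att.keystroke_ms - mu) / sigma if sigma else 3.0 * (att.keystroke_ms != mu)
        signals["keystroke"] = min(z / 3.0, 1.0)
    else:
        signals["keystroke"] = 1.0
    return round(sum(WEIGHTS[k] * v for k, v in signals.items()), 3), signals

def decide(base, att):
    """Allow the login when the risk is low, deny it when the risk is high."""
    return "deny" if risk_score(base, att)[0] >= DENY_AT else "allow"

# Constructed sample baseline for one user.
BASELINE = Baseline({"DE"}, {"laptop-7f3a"}, [8, 9, 9, 10, 17], [180, 190, 175, 185, 170])
```

With this baseline, a correct password typed at the usual hour on the known laptop scores near zero, while the same password arriving from an unknown device in an unfamiliar country crosses the deny threshold regardless of the other signals.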
The beauty of model-driven security is that it has many applications and it adapts well to emerging threats. What’s more, it’s effective regardless of where a person works – at home, in the office or elsewhere. The use of model-driven security and unconventional controls represents a new take on traditional approaches to cyber defense and is our best hope for getting in front of new threats instead of playing catch-up.
External Link: As Work From Home Becomes The Norm, You Can’t Sacrifice Security