Before the COVID-19 pandemic, most organizations viewed working at home as a perk, a nice-to-have, bait to dangle before a prospective employee. Now, with many workers confined to their homes to avoid the spread of the coronavirus, it's become a necessity.
That change in the way employees work can create security problems for the businesses that employ them. In many cases, workers are moving from environments secured by firewalls, network monitoring, event and information analytics, and other security systems to a home network.
Meanwhile, businesses suddenly have to deal with an avalanche of endpoints with sketchy security, said Stan Wisseman, chief security strategist at Micro Focus.
"Within a month, the pandemic has forced a complete change in how we do work. A lot of times organizations don't monitor endpoint event data because it could overwhelm their systems. Now they do."
—Stan Wisseman
What can businesses and employees do to make their new working relationship more secure? Here are nine ways to operate more securely. To cover all of the ground here, we've included what security teams need to mandate, as well as what end users should do to stay safe as a remote worker.
Raise employees' awareness
Chances are you already have some kind of security awareness program in place in your organization. With your workforce at home, you have to expand that to consider additional threats facing a remote worker.
Employees need to practice good digital hygiene. That shouldn't be hard, since good digital hygiene is the same at work as it is at home. Employees shouldn't be shy about asking for help from their employer, either, said Nick Drage, cyber security strategist at Path Dependence Limited.
"Push your employer to advise you. Use your IT and security people at work for advice. Then do what they say."
—Nick Drage
Choose remote desktop tools carefully
When employees need to work from home, their productivity may suffer because they don't have access to the full set of tools they had at the office. To address that problem, an organization may allow employees to use Remote Desktop Protocol to access the office network.
But that's a dangerous practice because threat actors can easily probe open RDP connections.
In a study last year, Check Point Software Technologies, a network security company, found multiple critical vulnerabilities in RDP that would allow a malicious actor to reverse the usual direction of communication and infect the user. An attacker could then use that infection to penetrate your organization's network.
Make sure access privilege is appropriate
In the rush to enable remote workers with access to an organization, the assignment of privileges can get botched. Often, employees end up with either too much access or too little, which could lead to either a significant security breach or a loss of productivity, said Arun Kothanath, chief security strategist at the independent cybersecurity advisory firm Clango.
He recommended that cybersecurity directors focus on increasing audit frequency and access certification activities to increase visibility and accountability. That way your organization won't be harmed by an employee having inappropriate access.
Teach employees about online meeting security
When a physical meeting is held, it's easy to authenticate who's attending. That's not always the case with an online meeting, so some precautions need to be taken.
For example, when holding conference calls, reuse of access codes should be limited. One-time PINs and multi-factor authentication should be used, if possible, to ensure that only authorized people attend the meeting.
For virtual or web meetings, dashboards and waiting rooms can be used to monitor and screen attendees. If you screen people in a waiting room, you can also forgo issuing passwords to attendees, which is one less thing they have to bring to the meeting.
Keep your team's software current
Many organizations have paid the price for failing to update their software. Updates often contain security fixes that plug vulnerabilities in software.
You might not pay attention to the latest fixes for programs you're using, but hackers do. When they see a patch released to address a software flaw, they'll design malware to exploit that flaw because they know organizations and users are slow to upgrade their systems.
While organizations may avoid automatic software updates because they need to know the impact of an upgrade on their environment, a home worker need not exercise that level of caution. If an individual's system starts misbehaving after an upgrade, it can be rolled back to a version of the system that worked before the upgrade was made using services such as Apple's Time Machine for Macs. However, backups on Windows are more technically challenging.
Require two-factor authentication
Advice about how to make a good password has been pounded into users' heads ad nauseam. At work, an employee may have the annoyances created by password proliferation handled by technologies like single sign-on. Outside of work, those password challenges persist, but on your own.
I addition to using strong passwords (consider a password manager) is two-factor authentication. It creates a second layer of defense should a password be compromised. So after entering a user name and password, a second authentication factor comes into play. It may be a code sent to a cell phone, but preferably a random number generated by an authenticator app (because even SMS verification can be hacked.)
Organizations should make two-factor authentication a requirement. Those that don't use multi-factor authentication are more susceptible to phishing attacks, according to the US Cybersecurity and Infrastructure Security Agency.
Use a VPN when not on your home network
A VPN—virtual private network—should be used with RDP to secure the communication channel between a home user and the office. Because VPNs encrypt all of the user's traffic, traffic that's intercepted is useless to the interceptor.
There are some drawbacks to VPNs. For example, they can slow down the speed of an Internet connection, which will hamper the ability to hold online meetings.
In addition, an organization may have a limited number of VPN connections, according to CISA. As a result, critical business operations may suffer, including the ability to perform cybersecurity tasks.
VPNs are most useful when working on unsecured networks, such as those at hotels, cafes, and airports, Wisseman said. But those options are not in the picture much during the COVID-19 crisis.
"Because of the pandemic, you should be working at home. Unsecured Wi-Fi networks shouldn't be an issue."
—Stan Wisseman
Exercise caution with email
Email remains one of the prime attack surfaces for threat actors. Some of the most elaborate attacks typically begin with the click of a malicious link or attachment.
"Be wary of incoming emails you weren't expecting," Path Dependence's Drage said. One of the simplest precautions you can take when receiving a suspicious email—one coming from a colleague acting out of character, for instance—is to place your cursor on the "from" line of the message. More often than not, it will reveal that the message came from an address alien to the name on that line.
Make backups
At many offices, data is backed up automatically. That's not the case when you're working at home.
But making backups should be routine because things break. Hard disks crash. Files get deleted accidentally. And you might get infected with ransomware, which will scramble the data on your hard disk and receive a demand for payment to unscramble it.
If you have a backup, you'll be able to recover your data without paying for the privilege.
Assess risk, not headlines
COVID-19 is bound to create hysteria. However, that hysteria shouldn't be allowed to blot out the real risks when making decisions about or by work-at-home employees.
Rick Holland, chief information security officer and vice president for strategy at the digital risk protection firm Digital Shadows, points to the recent controversy about Zoom, a popular application among home workers and students, and its routing of user traffic through China.
"Some organizations may want to reconsider the deployment of Zoom, but this should be an internal decision, not one led by Twitter pundits."
—Rick Holland
Organizations need to conduct a risk assessment on their use of Zoom and need to look at using it within the context of their broader threat model, he said. "It would also be useful to give the same level of scrutiny to other critical business applications that have grown in adoption since the COVID-19 pandemic began."
Path Dependence's Drage agreed that extreme caution about actions was warranted:
"Beware what you see in headlines. Be aware, be sensible, and don't rush into decisions."
