In the rush to maintain business continuity, while still keeping customers and employees safe, many organisations have shifted to a remote working pattern. While the speed at which they have adapted should be applauded, this dramatic transformation requires more than ensuring everyone has a device from which they can do their jobs at home.
In fact, the pace at which businesses have moved could well leave them exposed to security risks, both internal and external.
External threats evolve
We’re already seeing bad actors posing as health departments, or other government entities and sending out files or links they claim will have vital information about the coronavirus. At a time when we are all desperate for news, it can be tempting to click on something that purports to offer some sort of hope.
Yet such an action could prove more damaging than had it happened previously. Many businesses still operate highly centralised IT systems and security solutions. This is fine when you can protect the full system behind firewalls in a private network. But this is no longer the case – now tens, hundreds, even thousands of devices are trying to connect.
Suddenly overstretched security teams are trying to keep everything secure, just as an unwitting employee clicks on a link. In such circumstances, the results could be devastating.
A greater risk of shadow IT
From an internal perspective, the risk of shadow IT is even greater than it was in the past. Employees are working hard to keep up with their rigorous job responsibilities while managing their new realities. To meet the demands of their position, they create shortcuts to quickly accomplish their tasks and not get mired in the details.
Relatively few IT functions configure security settings, permissions and policies with an understanding of the needs and priorities of the individual employees, or the tasks they have. The result is that employees may not have access to the right applications. Having suddenly start working remotely, they may need to share large files. Do they have a good enough connection at home to run a VPN (or do they even know how to)? If the right provisions haven’t been made, free consumer offerings such as Dropbox or Google Drive start to become very attractive to stressed employees.
Great usability, poor security
We’re seeing it with the expediated uptake of consumer-grade communication platforms in business settings. While the likes of WebEx and Microsoft Teams were built for the enterprise, other services, such as WhatsApp, were not. Organisations are also using free or freemium conferencing tools as a means of easily conducting remote meetings, complete with live audio and video feeds, as well as screen sharing and file transfers.
Those tools automatically create random meeting room IDs. In some cases, researchers have found that they could generate links to meetings without password protection. While this trick couldn’t be used for targeted attacks against a particular organisation, if attackers found a room of interest, they could keep returning, unless a password was added later.
There’s also privacy concerns, with Zoom recently admitting that it had been sending device information data to Facebook after the conferencing tool implemented a ‘Login with Facebook’ feature. This underlines the fact that the data privacy regulations for these consumer apps are not nearly safe enough for enterprise use.
Why you need good cyber hygiene
So, how can businesses protect themselves, both from external threats and internal mistakes? Fundamentally, it comes down to good cyber hygiene, based on four critical elements:
- Leadership: Leaders must signal to employees that security is a top priority if they want employees to adopt the appropriate practices. If a manager sends a file via Skype, or opts for a free conferencing tool, employees will assume similar approaches are fine for them as well.
- Training: With remote working potentially new ground for many, ensuring teams are fully equipped and appropriately trained is critical. The learning methodologies deployed have to be open-ended, multifaceted, and varied in their methods to convey understanding and spark swift adoption.
- Security updates communication: It’s crucial for an organisation to communicate and have up-to-date security throughout their environment, which inevitably means running up-to-date operating systems. This can be a daunting task if businesses don’t have a good handle on every single device being used, which is why trying to identify what people have and being able to map every employee’s home set up is vital.
- Zero trust model: Based on the principle of “never trust, always verify,” zero trust helps secure corporate resources by eliminating unknown and unmanaged devices and limiting lateral movement. Implementing a true zero trust model requires that all components—user identity, device, network, and applications—be validated and proven trustworthy.
As the dust settles, now is the time to secure
These principles are all interlinked – if leaders demonstrate the right behaviours, employees with a good understanding of what’s expected of them will be able to act appropriately, support IT in capturing every device in use and will also know to interrogate all sources, even if they appear to be genuine.
None of us know how long the current state of affairs will last. Organisations are only just coming out of the first phase – that of getting everyone safe and keeping the business running. As the dust settles, it’s imperative they ensure that their newly remote operations stay secure, that their employees know what’s expected of them and that bad actors do not cause untold damage in what is already a stressful and uncertain time.
By Francois Rodriguez, chief growth officer, Adeya
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.