Where is the PPE for IT?

With the Prime Minister signalling the start of a return to work, many companies are busily trying to create ‘Covid-secure’ workplaces, triggering a rush to sanitise places of work and procure PPE for returning staff. But what about PPE for IT?

Hundreds of thousands of devices will be re-entering the workplace after a prolonged period spent who knows where, connecting to who knows what. IT departments are understandably concerned about the inevitable widescale infection by malware and many other threats, owing to inadequate protection whilst people have been working from home. So, no sooner is a business back up and running in the wake of the enforced coronavirus lockdown than it could be taken down by a computer virus!

Are You Drip-feeding Threats Back into Your Network?

The threat posed to IT networks and enterprise systems by returning employees and their personal/company-provided work tools and devices should not be underestimated; nor should business leaders blithely assume that things like firewalls and endpoint antivirus will automatically ‘clean up all the mess’.

The security posture of home networks varies greatly, and it would require a relatively high level of technological understanding to configure them to be as secure as possible. Trust is often placed in default configurations of home routers, and there is nothing the employer can do about that. In any case, home networks are often crawling with malicious software carried by devices that are not adequately protected. This creates a major security concern as people begin to return to work; a potential blind spot that might be overlooked.

Attackers Know How to Exploit This Opportunity

Laptops, PCs and other devices may not represent a substantial threat while isolated on a home network – but once attached to the company network they could be a different story. Increased efforts by the cybercrime community to capitalise on this threat vector are much publicised. They have literally had months to cook up all manner of bots and trojans to lie dormant, patiently biding their time for the right moment to execute a more lucrative attack that uses the device as a mere stepping stone to penetrate the corporate mothership.

Build-Your-Own PPE Kit

Organisations can take control of this situation with a few important changes to processes and controls. The list below is not exhaustive, but potentially decisive in protecting the health and wellbeing of data, digital assets, applications, services and software.

  1. Rogue Devices
    Scan your networks for unknown devices. We are all creatures of habit and many users may accidentally bring in devices they’ve become comfortable with and assume there’s no problem. Remind users that this is not allowed without prior clearance and be prepared to ban such devices from being attached to the network.
  2. External Drives
    Users may have used external thumb drives and devices for storage, etc. while at home. Again, reinforce the message that these are forbidden and deploy device control to block them.
  3. Not Updated OS and Software
    Out-of-date operating systems and software could have vulnerabilities ready to be exploited. Similarly, devices left on premises during lockdown may have been shut down and will be out of scope. Auto-update settings may even have been turned off! As soon as you are able – make sure everything is patched. Now’s the time to check that all endpoint protection is on and up to date.
  4. Non-Approved Software and Apps
    Everyone will have downloaded new apps during lockdown – Zoom being one of the obvious ones. Can you guarantee that each and every one was pre-approved by your IT team? It is essential to check what risks these apps and other software present to the company, using some sort of application risk service.
  5. Password Reset
    A refresh and reset of passwords should be mandatory – being at home with family members and housemates for weeks on end may have lulled users into a false sense of security, particularly with the likelihood that device access has been shared at some point. Existing passwords may also have been used on new sites and services that are insufficiently secure.
  6. Review Asset Registers
    In the rush to react to the impending lockdown, users may have been able (or actively encouraged) to disconnect devices and peripherals to take home. Have they all come back? Check this by employing asset tracking and conduct an inventory stock take.
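
Items 1, 3 and 6 can be checked together by reconciling the asset register against what is actually seen on the network. The following is an added example, not part of the original article; the CSV column names, the sample data and the 30-day patch threshold are assumptions made for illustration.

```python
import csv, io
from datetime import date

# Constructed sample data (not from the article): an asset register export and
# a DHCP-lease style list of devices currently seen on the office network.
ASSET_REGISTER = """mac,owner,taken_home,last_patched
00:1A:2B:3C:4D:5E,alice,yes,2020-02-10
00-1A-2B-3C-4D-5F,bob,yes,2020-05-18
001a.2b3c.4d60,carol,yes,2020-03-01
00:1A:2B:3C:4D:61,dave,no,2020-05-20
"""
SEEN_ON_NETWORK = """mac,hostname
00:1a:2b:3c:4d:5e,alice-laptop
00:1A:2B:3C:4D:5F,bob-laptop
00:1A:2B:3C:4D:61,dave-desktop
A4:5E:60:AA:BB:CC,unknown-tablet
"""

def norm_mac(raw):
    """Reduce colon, hyphen and dotted MAC notations to 12 lowercase hex digits."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def load(text):
    """Index CSV rows by normalised MAC so both sources compare cleanly."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(register_csv, seen_csv, today, max_patch_age_days=30):
    register, seen = load(register_csv), load(seen_csv)
    # Item 1: on the network but absent from the register.
    rogue = sorted(seen[m]["hostname"] for m in seen.keys() - register.keys())
    # Item 6: taken home during lockdown and not yet seen back on the network.
    not_returned = sorted(r["owner"] for m, r in register.items()
                          if r["taken_home"] == "yes" and m not in seen)
    # Item 3: back on the network but last patched too long ago.
    stale = sorted(r["owner"] for m, r in register.items() if m in seen and
                   (today - date.fromisoformat(r["last_patched"])).days > max_patch_age_days)
    return {"rogue": rogue, "not_returned": not_returned, "stale_patches": stale}

if __name__ == "__main__":
    for finding, names in reconcile(ASSET_REGISTER, SEEN_ON_NETWORK, date(2020, 6, 1)).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

MAC addresses can be randomised or spoofed, so a match against the register is a starting point for investigation and not proof that a device is the approved one.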

In a similar vein, you may have purchased licences for things like MS Teams, and quickly deployed them to allow users to be productive at home. Is this licence coverage still necessary? Assuming you’ve used a monthly subscription platform, this could be an opportunity to save money as well as shrink your attack surface.

What of the Future – the Next Normal?

In the rush to respond to an unprecedented crisis by supporting immediate mass-homeworking among as many users as possible, organisations can be forgiven for quick fixes followed by best efforts to optimise what was dynamically provisioned and holding it all together. They cannot afford to turn a blind eye to the risks of returning to work – they will be doing everything possible to protect employee wellbeing and the same duty of care should apply to their technology.

We are heading to ‘the next normal’, but what will it look like? Everything points to a hybrid work-life balance future, so consider what that looks like from a provisioning and protection perspective, and perhaps a rethink will be needed sooner rather than later.

 

By Andy Travers, EVP Sales & Marketing, Exclusive Networks

