When working from home becomes a hashtag, you know it has invaded society

By Adrian Tan

COVID-19 has arm-twisted every prepared and unprepared company to operate remotely. With or without any prior business continuity planning, employees are suddenly evicted from the office and told to operate from home with a hastily assembled bag of available tech tools to make that work.

The stack of WhatsApp and Gmail tethering off Starbucks’ free Wi-Fi may work for the digital nomad, but it is a huge security risk for enterprises, especially when they are dealing with sensitive information that could lead to a paralysing penalty. With traditional office-based workforces going remote, the number of attack surfaces went up as endpoints proliferated.

New network behaviors not only add load to the server but also present instances that are never stress-tested from a security angle.

What can businesses do right now to identify and mitigate such risks?

Let us first understand the said security risks that arise with working remotely.

Given the increase in non-physical communication, the following risks are expected to go up:

Enterprise versus consumer tools

With many of these technology-related risks, it is crucial that companies look into their current technology stack to ensure that it is of enterprise level. WhatsApp may offer end-to-end encryption, but that can be easily circumvented, as any admin can add new members to a group. An enterprise version like Zippi would provide super admin access with pre-integration with Active Directory or Office365. Over and above that, anything that is shared through Zippi cannot be forwarded to other apps, nor can you take a screenshot when the app is running on your screen.

The other aspect to focus on would be database security and uptime. Enterprise software is usually hosted on the cloud at data centres with the highest security accolades and backup protocols. Zippi, for example, is hosted on AWS and undergoes yearly penetration tests by Ernst & Young. To ensure the data centre is secure, look out for SSAE 18 certification. SSAE stands for Statement on Standards for Attestation Engagements.

SSAE 18 governs the way organizations report on their various compliance controls. It imposes greater scrutiny on how companies evaluate and report on their third-party vendors. It requires companies to apply the same risk assessment standards to vendors they work with both directly and indirectly. When an organization contracts with a vendor to provide a service, that service provider potentially subcontracts some of its services out to another provider.

Other immediate steps

Beyond picking the right enterprise solutions, policies would play a big part in covering any gaps that technology simply cannot tackle. This would include educating your users about the kind of threats that might occur with remote work and what they should be looking out for. Even though they might be working in the safe haven of their home, practices such as locking your screen when you walk away from your computer should still apply.

Provide only a single source of truth when it comes to information related to remote work and/or COVID-19. This will help prevent spear phishing or malicious social engineering from taking advantage of employees’ anxiety at this moment in time. Provide authorized platforms to aid employees in calling, video conferencing and file sharing. If a VPN is required, ensure it can take the load, as more users would be dialing in. Frustrated users would simply gravitate to consumer tools that are usually easier to pick up. And don’t just set these in place and pray things will not happen. Theory needs to come with practice, and it will be necessary to hold regular drills to determine the comprehensiveness of the security plan.

The bottom line

With WFH set to become a regular occurrence, it is important for companies to take a proactive approach in preparing against further catastrophic predicaments that could impact their operations. Only by adopting the right policies can future unforeseen circumstances be readily taken care of.