Many companies, concerned for employees' health amid the rapid spread of coronavirus, have begun encouraging them to work from home. The shift, rightly done to protect people from infection, could also potentially expose organizations to cyberattack if precautions aren't taken.
Businesses ranging from tech giants to startups are clearing their offices in an effort to stop the spread of disease without interrupting day-to-day operations. Microsoft, Alphabet, Facebook, and Apple have all urged employees to work from home if they can. Several tech firms, including Google and Cisco, have begun to offer their collaboration tools for free as companies around the world quickly implement work-from-home policies and conferences are cancelled.
"The unfortunate spread of COVID-19 is forcing many employees around the world to work remotely," says Bret Hartman, vice president and CTO of Cisco Security Business Group. "While necessary, this new level of workplace flexibility is putting a sudden strain on IT and security teams, specifically around the capacity of existing protections in place given surge in demand." More than 30% of global enterprises have asked Cisco to help scale remote work, he says, and the company is seeing spikes in time spent in Webex across Japan, Singapore, and South Korea.
Security execs now have the issue at top of mind as companies move in the same direction, says Craig LaCava, global executive services director at Optiv Security. "Most CISOs are thinking about it, are being diverted to calls with executives briefing them about it, and just getting ready for worst-case scenarios," he says. The problem, LaCava adds, is not everyone has the right devices, processes, and infrastructure in place to support a fully remote workforce.
Remote work fundamentally changes the dynamic, especially for teams accustomed to working side-by-side every day. People forced to change their behaviors may experience loss in productivity, communication challenges, and other unexpected roadblocks as they shift from corporate offices to home offices. An unexpected environmental change can drive security risk.
A Rapidly Growing Attack Surface
Darren Murph, head of remote at GitLab, calls this trend "crisis-driven work-from-home," which he says is "vastly different" from an intentional approach to remote work. Employees are now being thrust into remote work without preparation, warnings, or documented processes to guide them. "Not everyone is going to adapt to remote as second nature," he explains.
Experts agree the attack surface will grow as more organizations encourage work-from-home policies. As workers start to connect from living rooms and coffee shops, they could be using personal smartphones, laptops, and tablets to send business data over unsecured networks. Those who prefer their home PCs might transfer critical data to them without considering the risk; those who visit other workspaces for a change in scenery may leave their devices unattended.
"More homes are becoming connected, and consumer IoT devices such as lightbulbs, refrigerators, Peloton bikes, and even Roombas are created without security in mind," explains Armis CISO Curtis Simpson. "Putting corporate assets on the same Wi-Fi networks as these devices creates a new entry point for attackers to reach corporate targets." Companies, which can't control their employees' home networks, are unprepared for these external challenges.
More than half (52%) of response in the "Cisco 2020 CISO Benchmark Report" said mobile devices are "very" or "extremely" challenging to defend. A Duo Security report found 45% of requests to access protected apps come from outside the business. "Organizations with increasingly remote workforces must support different types of users, including contractors, third-party vendors, and remote workers who connect to their corporate network," says Cisco's Hartman.
As employees bring corporate devices onto unsecured networks, they also face an increase in phishing attacks as cybercriminals bait them with coronavirus-related malware. Malware families, including Emotet and multiple RAT variants, are being sent with virus-themed lures.
What Security Teams Can Expect
A key challenge for IT and security teams is providing and protecting devices for employees to take home. Drex DeFord, strategic executive for CI Security and former CIO for Scripps Health and Seattle Children's Hospital, strongly encourages taking the time to ensure devices are properly configured. "In a crisis we have a tendency to take shortcuts," he says. Security pros who rush to get devices set up and deployed "may lay land mines [they] may step on later." It's often simple misconfigurations that accidentally leave data exposed on the Internet, he adds.
"The big message for senior healthcare executives, and executives in general, is just to watch your team closely, and when it comes to IT, everything is connected to everything, including all your partners and third-party vendors," DeFord says.
Infosec teams can expect additional challenges when employees neglect office habits outside of the workplace, says Mark Loveless, senior security engineer with GitLab, which has a remote workforce. Security basics, like using a locking screensaver or not writing down passwords, are "muscle memory" at work but may not feel as important when employees get home.
"At home there is a tendency to let one's guard down as people feel safer in their own homes, so any bad computer security habits from home might translate into insecure actions with work tasks," Loveless explains. "The biggest challenge is to remind and positively reinforce those good security habits while at home." Most bad habits and the problems they introduce at home are not major, he notes, but a lot of them can add up and expand the attack surface.
Employees working from home may not have the same firewalls, network-based intrusion detection, and other office defenses they have at work, Loveless adds. Security teams can expect they may access risky websites from their work devices, adding more attack vectors.
CISOs should assume identities will be targeted at a higher rate than usual by attackers who know their activities will be hidden in a spike of remote traffic, Armis' Simpson adds. Employees may also lose their credentials or accidentally share them on public Wi-Fi. If an attacker has them and logs into a business app, it will be difficult for security teams to determine inappropriate access.
"If an office is shut and there's a state of emergency, what's normal is now out the window … the SIEM might be seeing all sorts of things," Optiv Security's LaCava says. "How do I tell what's normal and what's not when nothing is normal?"
Steps You Can Take Right Now
GitLab's Murph and Loveless both agree documentation is critical. "It's essential to have a single source of truth," Murph explains. A distributed security team will spend their days implementing access requests and addressing alerts. If they don't have access to the same documentation on how they should address a situation, there's no guarantee the organization is secure. Murph also recommends a public security channel where remote infosec employees can communicate live.
"We document everything," Loveless says. GitLab's company handbook is public, as are its security policies, and it encourages active updates to improve security and productivity. Loveless also advises security teams to set up training materials designed for security and remote workers so employees know what to do and what to expect if they experience a security incident. If they do, employees should know to immediately share any security threats and concerns.
"Create a structure for people to report when things go wrong," CI Security's DeFord advises.
If your organization doesn't already use multifactor authentication (MFA), now is the time to start, Simpson says. MFA should be enforced for privileged users accessing sensitive Internet-facing business services, including HR platforms, code repositories, remote access interfaces and solutions, and Internet- and software-as-a-service admin interfaces. Those who don't already use MFA should prioritize its implementation among the highest risk users, not deploy for everyone at once.
Behavioral analytics tools for detecting suspicious activity should be optimized for admins and those who handle critical data. Organizations may also want to consider requiring remote staff to access legacy apps and services through a virtual desktop environment. Simpson advises testing the virtual desktop environment to ensure the user experience is as needed.
Businesses new to remote work should strategize how they will communicate, whether about security or any other topic. "Technology aside, it's the people elements that's really important," says Adam Holtby, senior analyst for workplace mobility at Omdia. This demands a conscious effort for managers, who will need to ensure communications channels are in place for remote employees to connect. "Make sure people are still social, still in touch with one another," he adds.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."