If Remote Working is the New Norm, How Do We Do it Securely?

The concept of the agile and remote worker has become more prevalent in recent years, as consumer Wi-Fi becomes more faster, we carry corporate laptops or BYOD-permitted smartphones, and realize we don’t all need access to a printer and fax machine. That’s been good preparation for the current COVID-19 lockdown, where remote working has moved from being something that you may do one day a week to something that is the new norm for many people.

According to Scott Crawford, research vice-president for the Information Security Channel at 451 Research, the widespread move to home working for many organizations has direct implications on security. In particular, and in addition to the multitude of new phishing attacks and attempts to exploit, “organizations are now faced with a fundamental change in how they manage secure remote access, as well as how they can maintain visibility and control over security concerns.”

Rick Holland, CISO and VP of strategy at Digital Shadows, said that remote work and risks associated with this new workforce won't end when the pandemic is over, and whilst the mass move to remote working will inevitably create challenges, he recommended security teams conduct risk assessments and red team exercises of the remote workforce “once they have had an opportunity to come up for air.”

Security teams should conduct risk assessments and red team exercises of the remote workforce “once they have had an opportunity to come up for air”

From a technology perspective, there are unique challenges when it comes to the use of SaaS and cloud services, particularly when teams can no longer work in a physical location together. Crawford said that each of these applications may have its own point of access, and when users reach them directly from their home networks, enterprise visibility and policy-based control for each of these connections may be lost and difficult to regain.

Bob Post, managing principal, Cyber Risk Advisory at Coalfire, argued that considerations have to be made on how secure the networks are that remote workers are connecting from, and what kind of security they have on their cable modems.

Post said: “Do they know how to use a VPN? How many will take short cuts and email sensitive information across unsecured networks? So there are both technology and training issues at play here, and we know there are people out there who are ready to take advantage of the situation.”

“We know there a people out there who are ready to take advantage of the situation”

A number of people Infosecurity spoke to highlighted the issues of misconfiguration and orchestration. Dave Weinstein, CSO at Claroty, said that VPN vulnerabilities are coming into view again, typically for larger organizations that have remote access infrastructure policies in place.

Meanwhile, Richard Hughes, head of Technical Cyber Security Division at A&O Cybersecurity, said that in the rush to facilitate remote working and deal with the immediate challenges, businesses will be concentrating on purely functional requirements with less focus on the longer-term impact of such decisions. “Misconfigurations will likely be introduced and regular patching may be interrupted,” he said.

“This will be like a candy store for malevolent actors who will seize the opportunity to target these weaknesses in what may be a not so temporary solution. Although it appears that this situation calls for a tactical solution, businesses need to think strategically to avoid introducing future risks.

“Companies may feel that they should postpone vulnerability assessments or penetration tests while systems are perhaps in a more fluid state than usual, but this would be ill-advised. The need for security assessments is perhaps greater during this time of potential instability.” 

Also, Ed Williams, director EMEA, SpiderLabs at Trustwave, said that, in the accelerated rush to the cloud (to enable remote working), “poor planning and improper testing will lead to misconfigurations and as a worst case scenario, leave the organization vulnerable to attack from a malicious third party.”

“Increased stress and cyber-anxiety will result in a lowering of vigilance”

The other challenge of having a workforce so distributed and not physically seen is around the security of data, as this will be a time when employees are more easily distracted and working unusual hours. David Greene, chief revenue officer at Fortanix, said that this should be a time to push for a data security consideration.

He added: “You need to know that data is safe at all times wherever it is currently being used and it needs to be as automated and transparent as possible, as stressed out employees will actively work around anything that interferes with getting their work done.”

Greene said that the greater stress of everyone being in their house together is of course an entirely separate issue, and that leads to the mental health consideration. Steve Durbin, managing director of the Information Security Forum, explained that the human element is the third phase of security, with phase one being about the technology and ensuring remote workers are equipped, while phase two is about targeted attacks on organizations where the remote worker is seen as potentially being the weakest link in the security chain.

“Phase three will come about through increased stress and cyber-anxiety which will result in a lowering of vigilance and frankly, the sheer boredom of having to work remotely when the normal routine has been built around social interaction,” he said.

“My biggest concern is when remote workers enter phase three since it is unlikely that remote team leaders and managers will identify these signs until it is upon them.”

Wellness expert Orion Talmay told Infosecurity that many of her clients work in high-powered and intensely stressful roles, and since the remote working restrictions came into place, she had experienced a dramatic surge in requests for stress and anxiety management

“As we make the shift towards remote working as the new norm, more and more people are experiencing the negative effects of working in isolation,” she said. In particular, there are two key contingents regarding people seeking help for stress and anxiety: the first are those who experienced issues at home already, perhaps with their partner or children, and are now forced to deal with those issues with greater frequency and intensity, while for those individuals who live alone, they might have anxiety disorders which are heightened as a result of spending so much time alone at home.

“Also, there are others who might not have experienced any issues at home before but, having been thrown into an enforced remote working routine, are experiencing the boredom of home working,” she said. “They feel unchallenged and not stimulated, and there’s only so much one can do at home when left to their own devices.

“It’s vital that businesses, managers and colleagues alike, pay close attention to their teammates’ mental health in the coming months. Sufferers rarely ask for help outright, and a simple ‘how are you?’ can start a dialogue that is a lifeline for struggling employees.”

The remote working factor has hit companies with an unexpected blow, and many were unlikely to be so prepared for this to happen. Now we have to consider that this situation will remain for some time, and the onus is on businesses to ensure that the technical and communication channels remain enabled.

What’s Hot on Infosecurity Magazine?