Unprecedented numbers of people are working from home for the foreseeable future, and we are dealing with everything from childcare to simply trying to find a quiet space for a call or to get work done. Our homes have become our offices, and in the rush to keep things going, we are using new systems and adhering to security policies in a way that’s sketchy at best.
At the same time, the boundaries between work and private life are breaking down: Business is being done over home ISPs, with unmanaged routers and printers, home automation systems in the background and even partners and children listening in on conversations or sharing machines while working for different organisations.
And all the while, new security threats are surfacing. Some are old attacks brought back now that we’re more vulnerable, and others are new scams that prey on our desires to get news, buy basic supplies, avoid infection and recover quickly (if we do get sick). Traditional security measures that have been used daily for years cannot protect a fully remote staff without adaption. That means we need to rethink our mindsets and approach to security right now.
The most important element of effective security in a time of change is to realise that while you can do anything, you cannot do everything. The job of security is not to eliminate all risks, because all threats are not equally dangerous or likely, and they will not all be exploited at once. Discuss risk early and often, and revisit triage on a regular basis. The risks you face today will not be the ones you face next week or the week after.
These are four major risks businesses need to address to get ahead in this period of adjustment:
Hackers can manipulate VPNs without a view of the whole
Virtual private networks, or VPNs, have become the new lifeline for many businesses, extending encrypted networks to our homes. However, many home networks are already infected with malware or compromised hardware that can be exploited for staging attacks through machines with VPN termini. A compromised identity or a machine, especially when behavioural baselining on the back end is in flux, can allow hackers to piggyback through the VPN. It is critical to have endpoint integrity checking and strong authentication in place at this stage once the VPN is in place and active.
There are also vulnerabilities for VPNs that require really understanding and internalising rather than blindly trusting, and many applications that are becoming the new critical IT infrastructure will see new vulnerabilities. This is not cause for panic, but it does mean you need to talk to vendors and plan for patching and failover. Remember, vendors, too, are going through change and doing triage on their support and escalations but start the dialogue now. Contact your hardware or software providers to ensure configurations and policies are in order, starting with the VPN, endpoint, and identity solutions.
Endpoint first, then mobile
Although there are many endpoint challenges, the first priority is to ensure critical business processes recover. Then, make sure the new enterprise footprint is brought into the fold from a policy and control perspective. Next, focus on mobile, which is the most pervasive and ubiquitous platform in our personal lives. Employees who must learn new devices and applications will turn to their phones even more than usual because they feel familiar. Most companies have established policies defining what can and cannot be done with mobile phones but set these policies if you do not already have them. Cyber criminals will start with identity theft and classic machine exploits, but they will think of new ways to target them before moving on to other devices. Get ahead of mobile threats before dealing with other devices.
Information can be Weaponised
In the past few weeks, attackers have started taking advantage of human weaknesses. For example, hackers developed a malicious mobile application posing as a legitimate one developed by the World Health Organisation. A vulnerable person could easily mistake this malicious app for a real WHO app. Once installed, the application downloads the Cerberus banking Trojan to steal sensitive data. These types of attacks essentially weaponise tools and information because they can easily be done with applications that provide legitimate benefits, too. Before, attackers had to plan their cons for diverse interests and lures, but right now the entire world has a shared crisis. COVID-19 has become our common watering hole, but with the right awareness and education, we will be able to defend ourselves.
Physical location matters again
When employees take their machines home or use their home machines for work, those machines now sit in a physical and digital space unlike any within the office. Between routers, printers, foreign machines, devices, gaming consoles and home automation, the average home has a more complex and diverse communication and processing system than some small companies.
Employees might be taking conference calls within earshot of family members or even employees of other companies. Nothing should be taken for granted when it comes to the privacy of employee homes. Simple policies are important — these are relevant not only to security but also to privacy in general. Should employees have cameras on or off for meetings? Should they wear earphones? Should they take notes on paper or digital applications? How should they handle viewed or created IP or PII? What communications applications are acceptable? What happens when others intrude, see notes, or overhear discussions? These questions might seem trivial, but you need to address them up front. Above all, listen and adapt when things are not working.
These four areas are far from a complete list of the cyber-security concerns you need to address. If you have got these under control, enumerate the risks that remain, sort them by order of importance and deal with them methodically.
Security is never “finished” because the opponent is never finished; cyber criminals are endlessly innovative and adaptive. In the words of Winston Churchill, “Never let a good crisis go to waste.” Use this as the chance to start a new, ongoing security dialogue within your business.
Grant Stanley BSc (Hons) MA MCIM