Well past the initial rush, work-from-home has established itself as a long-term sustainable model that is likely to stay here. Even as companies plan their unlock strategies and facilitate ‘return to work’ for at least parts of their workforce, it’s clear that the global pandemic may permanently allow some of us to work from home.
A Gartner CFO survey revealed that 74% of CFOs polled will move at least 5% of their previously on-site workforce to permanently remote positions post-COVID 19. Many employees are expecting to continue to have the flexibility and safety of work-from-home (WFH) model in the post-Covid-19 world.
While WFH has turned out to be a win-win for both the employers and employees in many aspects, it has literally opened a can of worms for the enterprise security experts.
Millions around the globe shifted to a remote working model in a span of few days. As enterprise perimeters further blurred, many security leaders are forced to throw their previous strategies out of the window.
Unforeseen Cybersecurity risks
For the modern tech firms, probably, adopting the new work model have been relatively easier as they already had the right policies and infrastructure in place. But remote working was nearly an alien concept for many businesses. A sudden transition to the WFH model was a massive hurdle for such organizations. Enabling thousands of employees to work remotely required them to go against the established practices.
Many were caught unawares by the new requirements to ensure business continuity. They scrambled to enable their corporate networks and provide new devices and remote collaboration tools to employees. Most networks were not equipped to handle the scale. Many employees did not own corporate laptops and were accessing corporate data from their own personal devices (most of them unprotected and unpatched), through their home networks (probably unprotected).
Once this transition happened—effectively or ineffectively—firms realized that their exposure to cyberthreats is at its peak. CISOs understood that they have plenty of gaps to deal with, such as:
- Weak end point security coupled with direct internet access without VPN
- Surge in cloud-based tools & data transfer to cloud without proper visibility
- Inadvertent data leakage
- Increased phishing attacks that use Covid as a bait
Some new lessons
Close to 50 percent of employees are less likely to follow cyber security practices while working from home, according to some recent reports. Many admit to bypassing security policies that are perceived to impede productivity. Clearly, legacy, on-site approach to security wouldn’t work in the new world of work.
Security practitioners need to focus on following some of the best practices suited for the Covid-induced remote working ecosystem, including:
- Improving visibility of all remote endpoints: It’s important to get a clear understanding of the company’s digital footprint, which are now spread across numerous locations. Security teams also need to ensure that all devices are patched and protected to minimize the attack surface. Employees and security teams together should audit their home environment for potential vulnerabilities such as those arising from IoT devices.
- Reviewing access control policies: Organizations are now forced to reconsider their access control policies. Access and identity management can’t be static and needs to be reviewed depending on whether the employees are on-site or off-site and whether they are using corporate owned devices or personal devices. Multifactor authentication is increasingly being looked upon as an effective mechanism to ensure authorized access to data.
- Awareness programs to deal with phishing attacks: Security awareness training for employees is critical to fight against the rising phishing attacks. Many organizations conduct phishing simulation to educate employees to recognize and report phishing attacks and social engineering threats.
- Protecting cloud-based tools: Zoom-bombing has taught us some valuable lessons on getting back to the basics of security and privacy. The sudden upsurge in cloud-based collaboration and video conferencing tools also led to significant shadow IT within organizations. Security teams need to ensure that employees adhere to basic security policies and hygiene. Also, security has to be the paramount criterion while choosing any cloud-based tool.
Employees are equally, if not more, responsible to ensure security of corporate data and devices in this context. They are expected to be in charge of security instead of leaving everything in their systems admins hands.
Here are some Security tips to follow while working from home.
- Install reliable antivirus solutions to all the devices that handle corporate data—even if it is your personal device. Lack of a security solution will not be considered as a valid excuse in the event of data loss! Additionally, update your operating systems and software on a regular basis to ensure your systems are patched.
- Protect your Wi-Fi network with strong passwords. Some of the encryption standards are already outdated. So choose WPA2 is a widely accepted method to endure prevent unauthorized network access. It is critical that your change the default login credential that come with your router.
- Always use corporate email accounts and company-recommended messaging/collaborations tools to communicate—anything that’s configured by your company’s IT team.
- If you happen to use a public network to access your corporate data, ensure that you’re connecting through a virtual private network (VPN) so that all the data you transfer will be encrypted.
Summary: A highly volatile crisis like Covid-19 calls for a highly adaptable security framework that constantly responds to emerging risks. Security leaders and their teams need to work closely with key business functions and include cybersecurity into crisis management procedures. An effective cyber risk mitigation measure is critical to strengthen enterprise resilience in these challenging times.
