#1 Home and other Remote Setups can be a Mess
Sure, the use of VPNs, firewalls, and intrusion prevention systems might be standard architecture for WFH-to-corporate network connections, but how do you know they are working properly across all corners of this significantly larger operating environment? Worse, what if your employees' home networks are already infected with malware or connected to other compromised machines?
Without reliable endpoint security and user authentication in place, at best, IT might be "winging it" when it comes to mitigating these new vulnerabilities. At worst, cyber threats may already be roaming your network, having piggybacked their way in through your "secure" VPN.
#2 Home Devices Expand the Attack Surface
Perhaps you had a tight security policy in place for personal devices on-site, but does it account for large swaths of WFH employees using whatever device they chose for the workday? This reality complicates efforts to protect your company since every device is a potential network entry point for attackers.
Employees must understand that many mobile devices lack the security software that their work machines have. If mobile devices are necessary, then every effort should be made to adequately protect them.
Contractors and employees should also be made aware of the danger that open networks at public places like coffee shops and airports pose. It is easy to understand how WFH employees may seek out a change of work scenery since so many hours are spent at home, but the security risk these excursions introduce must be understood and mitigated to the greatest possible extent.
#3 Increased Threats from Insiders
If you operate in an industry where employees have access to sensitive customer data or company intellectual property that could be devastating if intentionally or unwittingly leaked, then an Insider Threat Program should be a key component of your cybersecurity strategy.
Establishing an effective Insider Threat Program is difficult when most employees are on-site. Unfortunately, the WFH norm makes it that much harder. WFH significantly degrades your ability to detect potential insider threats because a greater portion of the behavioral activities used to identify insiders no longer traverses corporate-controlled assets. For example, in a WFH scenario, if a user wants to browse the internet, they can disconnect from the VPN and have unrestricted and unmonitored access.
Of course, these types of behaviors introduce gaps in your strategy and must be accounted for if you want to ensure your trade secrets are indeed protected. An Insider Threat program is still viable with WFH staff, but changes must be made to account for new behaviors.
Tips for Improving WFH Security
We paint a stark picture only to emphasize the different risks posed by the new WFH norm. Luckily, plenty can be done to mitigate the risks WFH presents. The key, as with anything security related, is to weed through the seemingly endless options and choose the ones that provide the biggest bang for your buck, given time and budget constraints.
With that in mind, below are a few best practices that companies should consider implementing:
Multi-factor Authentication (MFA). One of the most cost effective, easiest to implement, and effective tools at your disposal. However, it is also one of the least used due to the minor inconvenience it imposes on your workforce. Believe us, the return far exceeds the inconvenience.
Institute Proactive Defensive Measures. Over a long enough time horizon, cyber adversaries will find a way to hack into your network, especially if you are not actively testing your exterior and interior defenses. Incorporating active defensive measures is one of the best and most cost-effective methods for increasing security.
Red Team Assessments. Routinely test the effectiveness of your defenses to gain a firm understanding of the damage an adversary can do. Conduct assessments periodically, targeting a mix of WFH and on-site users with different levels of access to identify and mitigate any weaknesses, and train your defensive teams to better identify and root out threats.
Threat Hunts. No matter how many security systems organizations put in place, adversaries continue to successfully breach networks. How damaging that breach is depends on how long it takes to identify and eliminate. Routine threat hunting enables organizations to more quickly identify and eliminate advanced threats that have evaded your network defenses.
Insider Threat Program. Companies with valuable data and intellectual property should not neglect the security threat posed by its employees and contractors. Establish an effective Insider Threat Program to mitigate the threats posed by accidental and malicious insiders.
Employee Training. Train employees and contractors on basic security practices, including how to identify and report phishing attacks, along with the unique risks WFH poses such as use of public networks and personal devices.
Adapt Policies for the new WFH Paradigm. Review current policies and update to account for the WFH reality. This includes use of personal devices, use of public networks, and physical security of devices, to name a few.
Of course, not every company has the resources to have a full-time Chief Information Security Officer (CISO) to direct the strategies needed to safely work from home. In these instances, it might be worth looking to virtual CISO resources. This strategy provides expertise at fraction of the cost of an FTE, and can add tremendous value to your organization's security.
Regardless of what transpires with the COVID pandemic over the next several months, many companies have realized the benefit of allowing staff to work from home. Every company should think long and hard about the specific cyber risks a WFH norm poses, and implement appropriate controls to mitigate them.