Security Considerations in the New Era of Remote Working
Enabling staff to work from home has been one of the biggest focuses for most businesses since the onset of COVID-19. But this has also created new cybersecurity threats.
Since the outbreak, there has been a significant increase in spam emails and phishing attacks. In March, Google reported seeing and blocking more than 240 million daily spam emails and 18 million malware and phishing emails related to COVID-19. According to Reed Smith, scams increased by 400% in March, which made coronavirus the largest-ever security threat.
What makes the situation even more critical is the fact that many organizations have poor cybersecurity posture with inadequate policies, which are not fit to ensure safe remote working. There are two main reasons for these threats: behavioral and technological.
Behavioral side of the problem
People are not used to working remotely. They are using unmanaged endpoints and laptops without corporate controls. They are accessing corporate networks via public networks. And they are not used to being vigilant against cyberthreats.
Cybercriminals take advantage of human vulnerability and thrive during times of uncertainty. The behavioral side of the problem relates to how people behave in certain settings, how they perceive risks, and how they respond to them. To reduce cyberthreats, companies need to maintain good security practices. This will minimize security loopholes, which often emerge due to a lack of cybersecurity training among employees.
Technological side of the problem
As the majority of the workforce starts to work remotely, the attack surface expands. Companies have to implement exhaustive disaster recovery processes and scale the virtual private network (VPN) capacity, providing tokens for multi-factor authentication (MFA) to all employees.
In normal circumstances, a medium- to large-size company rarely has more than 10% to 20% of its staff accessing systems through its VPN. Then, all of a sudden, to enable remote access, the business has to scale up rapidly to enable thousands, if not tens of thousands, of people on VPN within 24 hours.
If the remote infrastructure is set up quickly and not carefully, and has a large volume of traffic, it can make an attractive target for criminals. At the same time, employees start to work from devices that have not been authorized or provided by the company. They also start to use various collaboration platforms. This leads to unsanctioned collaborations and file storage. As a result, organizations have to extend their perimeter controls such as security monitoring, data leakage, and detection. They also have to adapt access controls.
In these new conditions, the security teams are overloaded, as they have to maintain the continuous operation of the systems and proactively solve all user problems.
Best practices to address the challenges of the new threat landscape
Now that the initial rush to enable remote work is behind us, it’s time to pause and consider how to address these technological and behavioral challenges. To effectively manage cyberthreats, businesses need to follow these five recommendations.
First, companies can take this time to rebuild their security posture with a “secure by design” principle at the heart of it. Companies need to embed security into their fabric. It must be embedded across all processes, applications, infrastructure, cloud, and data. By creating built-in security, a company will have complete visibility of threat vectors and the security landscape. This will allow for effective threat management and continuous security enhancement.
Second, companies should use automation and machine learning. With automation, security lives within the systems and processes. Automating certain processes can free up a significant amount of time for security professionals, who are currently overloaded and struggling to keep up. Machine learning helps make security more invisible, behind the scenes. It removes false positives and ensures security at all points of entry into IT systems. For example, endpoint detection and response (EDR) capabilities capture everything that happens on the endpoints of the network. EDR tools help reconstruct the history of any attack and find out which node was used by cybercriminals to penetrate the system and spread over the network. This allows for fast threat detection and quick remediation.
Third, a company’s bring your own device (BYOD) policy needs to be revised. Ideally, employees should work on corporate computers even from home. But this is not always possible. There are three possible options to address this issue. An organization can distribute managed devices to employees, or it can allow employees to use their personal devices while connected to a corporate network. The final option is that employees use personal devices with containerization implemented to separate personal and business applications and data.
For example, Infosys’ mobile phone Infy Me app and email are protected by a container. Whether the device is personal or official, when a user installs a container, the contents of the Infy Me app and email are protected by proper controls and a firewall. The same thing is implemented on the personal laptops of employees. The container allows the proper segregation of content for personal usage and official usage. An employee will not be able to copy any data from their official email onto another app on their personal device. This significantly decreases the chances of insider threats and leakage of confidential information.
Fourth, security awareness of both employees and customers needs to be raised. According to the 2020 Cost of Insider Threats: Global Report, 62% of all insider incidents happen because of employee negligence. Corporate communications teams need to raise awareness about security risks across an entire organization. Educating people about safe online behavior will enable them to make the right decision when it comes to cybersecurity. This can be done through awareness campaigns, mandatory quizzes, and certifications.
Lastly, security needs to be more invisible and user friendly. If processes require users to put in minimum effort to achieve security, users will be more likely to follow the required steps. The more complicated a process is, the more frustrating and insecure it becomes. Having seamless security doesn’t mean reducing it. For example, there are sometimes seven MFA layers of defense in consumer authentication, which may not be visible. But that doesn’t mean they aren’t there.
Stay secure in the new era of remote working
The new era of remote working requires organizations to review and strengthen their security posture. Businesses need to ensure that their security at all levels keeps working relentlessly on every endpoint. By renewing old security controls and building new ones with the “secure by design” principle in mind, companies can make security more invisible and user friendly. The use of automation and machine learning technologies will let the processes and ecosystems take over and manage frictionless security. These recommendations will help solve behavioral and technological challenges and effectively protect businesses in this quickly evolving threat landscape.