The pandemic has caused a seismic shift in our daily lives. It has upended everything as we know it! Since it has become customary to be working from our kitchen tables, we need to explore the cybersecurity consequences of remote and home working.
Why should we be worried?
We are suddenly in a situation where employees use their own devices for both work and play. Previously, the organisation had some level of control over individuals and the technology they used. There were policies and processes in place, and activities were monitored. We should be worried about employees and how their online actions can impact our companies due to the reduced level of protection.
Why is it a problem to use a personal device for business?
The perceived risk may be very different from the actual danger. An employee may find that their device is running slower than usual, not realising there may be malware running on the device. The malware may be benign, and perhaps is simply targeted advertising running in the background. But what if it is not harmless, and that device is plugged into your company network?
When software is running only on an employee’s home computer and network, then any malware or malicious intrusion is a problem isolated to them. However, once that employee connects to the company network, they may be infecting the server and database at work. Ransomware affects thousands of endpoints. Through their actions, employees can create a vector for malware to get in via these endpoints.
What can businesses do to secure devices for their employees working from home?
Suppose employees are allowed to use their own devices for work. In that case, companies need to ensure the employees’ working environment at home, and the laptop they connect to the corporate network, are secure. A bring-your-own-device policy is crucial. Alternatively, companies can opt to configure their own devices and ship them out to employees. This is much more sensible than allowing staff to use a ‘family laptop’.
Whether you allow employees to use their own devices or whether you supply them with machines, the installation of endpoint security is vital. Corporate anti-virus or anti-malware software has to be installed on all devices used. It will provide added security and give corporations an ‘eye’ on every laptop interacting with their environment.
Bitdefender GravityZone is a product used at Samurai. It gives visibility of OS patching, anti-virus and firewall states, blocks malware downloads and alerts on them, and so on. It also works well with mobile devices.
When we look at on-device security, what other security concerns are there for the business? Does opening up VPNs cause any threats?
Yes, it does! A VPN creates a private tunnel between the employee’s device and the corporate network they are using, whether that network is on-premises or in the office. Malware can spread from a device through the VPN onto corporate devices. To counteract the threat a VPN could pose, an acceptable usage policy must be created, and home IP addresses should be whitelisted.
Passwords must never be shared! When a user is connected via a VPN, no one else should be allowed to communicate via that VPN. Company policies should stipulate that only acceptable users, IP addresses, and laptops can access a particular VPN. Heads up to those connecting from home: corporations will need to keep an eye on the machine you are connecting to the company with.
Is it possible to make passwords more secure?
If users did not reuse a single password across multiple accounts, this would be much less of an issue! However, we cannot assume that people are going to do the right thing. We can ask them to, train them to, and advise them to, but it is not always enough.
Changing passwords definitely reduces risk, but it is a balancing act between how often they are changed and the potential threat a reused and repurposed password could pose. A happy medium is to change passwords every 2 or 3 months.
A company-wide corporate password manager, like LastPass, will remember and even auto-fill passwords on behalf of the user. In this way, the responsibility shifts to the user for storing their own passwords. Simple and repeated passwords must be banned outright, and this rule must be outlined in company policies. Passwords are clearly high on the culprit list for breaches, and even more so now that staff are working from home.
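Banning simple and repeated passwords in a policy document only works if the systems enforce it. The following is an added example of such a check, written for this post rather than taken from Samurai or from any password manager: a proposed password is rejected if it is too short, too repetitive, on a deny list of common passwords, or already in use on one of the user’s other accounts. Stored passwords are kept only as salted PBKDF2 digests, so the reuse check never needs the old passwords in the clear. The deny list and the sample account history are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed deny-list of passwords that turn up first in any credential-stuffing or
# brute-force attempt; a real deployment would load a far larger breached-password list.
COMMON_PASSWORDS = {"password", "password1", "password123", "123456", "qwerty", "welcome1", "letmein"}

MIN_LENGTH = 12
MIN_DISTINCT = 5        # rejects "aaaaaaaaaaaa"-style repetition
ITERATIONS = 100_000    # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); the history stores digests, never passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salted digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def password_violations(candidate: str, history: List[Tuple[str, bytes, bytes]]) -> List[str]:
    """Return the policy rules a proposed password breaks (an empty list means acceptable).

    `history` holds (account_name, salt, digest) for the user's other accounts on the
    organisation's own systems, so a password already in use elsewhere is caught as reuse.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(candidate)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    for account, salt, digest in history:
        if matches(candidate, salt, digest):
            problems.append(f"already used for the {account} account")
    return problems


if __name__ == "__main__":
    # Constructed history: the same user's VPN and email passwords, stored hashed.
    history = [
        ("vpn", *hash_password("correct-horse-battery-vpn")),
        ("email", *hash_password("Mail!Only-2021-Spring")),
    ]
    for proposal in ["password1", "correct-horse-battery-vpn", "Kitchen-Table-Office#42"]:
        print(proposal, "->", password_violations(proposal, history) or "accepted")
```

The history check is the piece a password manager cannot do for you: it only catches a password that the organisation’s own systems have already seen, which is exactly the reuse between work accounts that the policy is meant to stop.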
What else can people do to secure their accounts?
Multi-factor or two-factor authentication is essential for all important systems, i.e., almost all of them. It gives the user more than one way to confirm their identity, e.g., a fingerprint or retina scan. A more robust method is to use an authenticator app on your phone; the Microsoft and Google ones are excellent. SMS is not secure, as a sender can make a message appear to originate from a different number. Two-factor authentication does involve extra effort. Still, once you get into the swing of things, it becomes a habit. This extra level of security is especially important when working from home.
How can we counter possible breaches?
Companies need to ensure that individuals are adopting appropriate behaviour. We are at a point where the responsibility needs to be shared between companies and their employees. Employees need to be guided with training and policies. A basic example is a Wi-Fi router: the golden rule is that settings should never be left at their defaults. These rules should be stated in a working-from-home policy.
The emphasis on user awareness training is even stronger now, to make sure that the devices used to connect to the corporate network are not compromised. We also need to make certain employees are reading the working-from-home policies. In our view, staff should be tested on their understanding of the policies and should not be allowed to just tick a box without their knowledge being assessed.
What advice would you give to other businesses regarding the culture of ‘security first’?
Get the message across clearly to shift the organisational culture. People have fallen prey to many ‘phishing’ scams in the form of a malicious email pretending to be a legitimate one. Emails are sent to trick someone into handing over sensitive data. ‘Phishing’ poses a significant threat, and the sophistication behind it is now considerable. Unfortunately, there is no longer any easy way to spot a “Nigerian Prince” phish. Most employees will only understand the danger level when it is explicitly explained to them with examples. To help drive awareness, Samurai can set up ‘phishing’ campaigns where we test individuals and provide companies with insight into the problem’s scale. If the hit rate is high, it will be essential to embark on an education drive; otherwise, it will compromise your company.
Preventative Actions vs Reactive Actions
Preventative always beats reactive! Always try to catch something before it happens. It is not a case of “if”, but “when” you are going to get breached. Both preventative and reactive plans need to be in place to reduce the frequency and impact of breaches.
As part of your incident response planning, identify the most business-critical resources. Then plan for the identification, containment, eradication, and recovery phases of breach impact mitigation. The more you put in place to manage the process upfront, the less trouble you will be in should the worst happen.
In addition to incident response planning, you also need to make your systems as uninviting to attackers as possible. The more defences you have around your data, the less frequently you will need to put your incident response plan into action.
It is easy to have a skewed perception of cybersecurity. Often folks are under the impression that all we do at Samurai is fight malicious hackers, and to be fair, we do our fair share of that. Ultimately though, it is about protecting businesses, their stakeholders, and employees. To empower them to grow securely and sleep better at night.
This blog is transcribed and summarised from the podcast, hence the lack of grammar, syntax, and semantic formality.