COVID-19 exposes gaps in cybersecurity safety net as millions work from home

Pressure almost always reveals weaknesses in a system, and COVID-19
has done exactly that to corporate entities that never took into
consideration the possibility that their entire workforce might one day be
forced to work from home.

In addition to the problems, both created and solved, with VPN
usage, the virus has brought to the surface a plethora of additional problems
that likely were never discussed at a board meeting or among security
professionals. These range from suddenly being unable to do forensic tests and
general upkeep on a company’s computers to being forced to give a higher level of
user privileges to staff so they can access systems from the outside. Those
privileges may then be intercepted or conned out of a distracted worker through a phishing scam.

Possibly one of the first lessons learned by companies a week or so ago when workers began transferring to their home offices was that the tools on hand were not designed or intended to work safely offsite, via a VPN or over the internet, said Lisa Davies, head of corporate security at Redox.

This means a number of very important tasks normally conducted by
security and IT teams cannot take place.

“Since most of the security controls and tools used depend on being on the local network, many tools companies use cannot do the above things remotely. They cannot update, they cannot monitor logs, etc., unless the device is on the local network, so when employees take them home, they are in the dark,” said Stu Sjouwerman, CEO of KnowBe4.

Another factor that was not worked out ahead of time is building
in the ability to monitor company equipment that has been left behind and to
make sure employees are not connecting their own unsecured devices to company
assets.

“Monitor inactive company devices, as possible indicators a
device has an issue, or a remote worker may be tempted to use personal
technology. This goes hand-in-hand with technical controls preventing
non-company devices from accessing sensitive information,” Davies said.

However, some level of connectivity is going to be required for
business to function, and what has been found is that the protocols currently in
place are not sufficient, said Luke Willadsen, security consultant at
cybersecurity services and solutions firm EmberSec.

Not all companies previously required multifactor authentication
to connect to the network and then disabled the work computer’s ability to take
a screenshot of the window containing the remote/virtual desktop on the host
computer, Willadsen said.

“Don’t let any data pass between the machine originating the
connection and the remote/virtual desktop. To this end, disable the clipboard
and shared drive access between the origination host and the virtual/remote
system. We don’t want a single byte of information to be exchanged between the
two hosts (aside from the network connection that facilitates the session).
This prevents the introduction of malware into your network and it prevents
employees from exfiltrating confidential or proprietary files,” he said.
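
One way to check the two channels Willadsen names, as an added example that is not part of the original article: it audits connection files for clipboard and drive redirection. It assumes Microsoft RDP `.rdp` files (the article names no product) and runs on constructed samples with a placeholder host name; client-side files are advisory, so enforcement still belongs in policy on the session host.

```python
"""Audit .rdp connection files for clipboard and drive redirection (added example)."""

# Value that closes each channel in the .rdp "name:type:value" format.
CLOSED = {
    "redirectclipboard": "0",  # 0 = clipboard not shared with the session
    "drivestoredirect": "",    # empty = no local drives mapped into the session
}

# Constructed sample files; the host name is a placeholder.
WEAK = "full address:s:vdi.example.internal\nredirectclipboard:i:1\ndrivestoredirect:s:*\n"
HARDENED = "full address:s:vdi.example.internal\nredirectclipboard:i:0\ndrivestoredirect:s:\n"
PARTIAL = "full address:s:vdi.example.internal\nredirectclipboard:i:0\n"


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: value}; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        # Split at most twice so values such as 'C:\;D:\' keep their colons.
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def audit(text):
    """Return (setting, problem) findings; an empty list means both channels are closed."""
    settings = parse_rdp(text)
    findings = []
    for name, closed in CLOSED.items():
        if name not in settings:
            # An absent setting is a finding: the file does not pin the channel shut.
            findings.append((name, "not set, client default applies"))
        elif settings[name] != closed:
            findings.append((name, "open: " + repr(settings[name])))
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED), ("partial", PARTIAL)):
        print(label, audit(sample) or "both channels closed")
```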

There are also a number of non-technical events now taking place in an employee’s workspace that a supervisor did not have to worry about pre-Coronavirus. In the office, kids were not running around, the dog was not barking, and the fear of loved ones becoming gravely ill was not paramount in most minds, nor were any of the other dozen things going on in a normal household.

That is no longer true, so it is imperative that workers be
reminded to stay focused and remember policies put in place to protect corporate
information, especially in a world filled with phishing emails designed to prey
on those now operating in a busy and confusing world.

“They should also build mechanisms to reinforce such policies in
the moment they most need to be followed – for example within the context of an
email asking for financial action or confidential information – so that users
can make informed decisions before interacting with suspicious emails. By
providing employees with reminders about policies when it matters, companies
can significantly reduce risk for their remote workforce,” said Matt Petrosky, vice
president of customer experience, GreatHorn.

Source: https://www.scmagazine.com/home/security-news/covid-19-exposes-gaps-in-cybersecurity-safety-net-as-millions-work-from-home/
