As organizations start to think about the post-pandemic work environment, many are re-considering the benefits and drawbacks of remote work. Allowing employees to work from home increases morale but can also increase the risks. From leaking company data to ransomware, remote employees have created a host of new challenges for security professionals. Let’s look at some of the most serious risks – which I've observed since working from home – and review how IT and security professionals can work to better protect their organizations.
Threat 1: Not ensuring devices are updated
Depending on the setup, a corporate environment can only update a device connected to the corporate network, typically with a VPN. If employees don't regularly connect over a VPN, updates to security software and configuration changes might not happen. Without a connection to a corporate Active Directory, updating software falls on the user. Not all users will have the knowledge or ability to update all programs, which can create more work for IT.
When possible, IT should have programs update automatically. Software update managers installed on workstations can help manage updates outside of the corporate network. But inevitably there will be some programs that can’t automatically update and aren’t supported by the update manager. For these programs, I recommend having users check for updates on a regular basis. Whether you adopt a schedule like Update Tuesdays or you create your own schedule, checking for updates at least once per month should be basic table stakes. If users have problems updating a program, encourage them to use different software.
Threat 2: Using personal devices for work
For good or bad, some employees use personal devices for work. The most basic example of this is using a personal phone for multi-factor authentication (MFA). Employees working from home will often use their own routers to protect their workstations. A malicious actor may choose to take advantage of the generally lower security of a home router to compromise it rather than a corporate router and firewall with much higher security standards. Giving remote users the minimum access necessary to get their work done will help protect the corporate network if a home network is compromised.
To restrict access, create VPN policies that only allow required access. You may have gotten away with a generic “any” policy on a VPN for one or two occasional users in the past, but for larger organizations with more remote users, role-based access control (RBAC) is a more secure approach. This separates users based on their role. For instance, HR probably doesn’t need access to the engineers’ server and customer care reps probably don’t need access to financial data. Additionally, protect users that access the corporate network via VPN from another user’s compromised home network by preventing other VPN users from connecting to them directly.
Threat 3: Not using multi-factor authentication (MFA) in a VPN
Every month we find millions of stolen credentials online and available for download. While many of these credentials have hashed passwords that provide some protection, readily available hacking tools can make easy work of many hashes and reveal the corresponding password. If a user employs the same passwords for VPN access as they do for other services (an unfortunately common and terrible practice), the attacker can access anything the user can access. Because WFH users will connect over a VPN in most cases, protecting access to the VPN is critical to protecting the corporate network. A straightforward way to protect against credential leaks is to require each user to be authenticated securely with MFA when using a VPN.
While there are always new security challenges for corporate networks, using MFA and RBAC on your VPN offers a good start when protecting your corporate network. In fact, these best practices shouldn’t only apply to VPN access, but to all areas for securing a network.
Threat 4: No WFH policy and training
At the start of the WFH experiment last year, many companies created policy exceptions for remote employees. Now it’s time to consider creating more permanent WFH security policies. Companies that already have preexisting policies should review them now.
Among the most important considerations for these policies is ensuring that they help employees be more productive. An overly burdensome policy with many exceptions may not only cause delays and frustration among employees but could also lead to exceptions that don’t follow best practices. Speaking of best practices, they need to be top of mind when creating new rules and policies to balance the security and productivity of employees. NIST offers some good tips for creating security policies for remote employees.
Along with policy changes, don’t forget to provide security training for employees that includes best practices in WFH environments. Never assume employees understand the risks and potential vulnerabilities of working remotely.
Threat 5: Contingency plans don’t include work from home users
A good contingency plan allows the company to continue running and avoid irreparable harm when there is an incident, such as a network outage or a breach. A contingency plan must include additional scenarios such as VPN access to backup servers when the main VPN server fails and timely physical access to servers by IT with the know-how on how to resolve the issue.
If you don't already have a contingency plan that protects your servers from ransomware and other attacks, you’re not alone. But you should have one as part of your security policy. No security measure can provide 100% protection for your devices, and the price for better security rises exponentially as you try to achieve “perfect” security. At some point the price for the security is higher than the revenue lost from an incident. Formulas created by security experts have made this process easier to determine how much to spend on business continuity and disaster recovery (BCDR) plans and how much to spend on security.
Many organizations today are trying to find their way forward in the new remote and hybrid work model. These are just a few of the most common vulnerabilities that security professionals need to consider. But addressing these first, IT pros can provide a reasonable measure of protection in an always-evolving threat landscape.