Mass home working is now a long term reality for many organizations.
It is inevitable that all kinds of gaps and issues have already emerged in the capability of employees' home IT setups, and in their ability to remain both secure and effective. Hopefully your organization has a long-established home working policy that can, if necessary, also expand to accommodate Disaster Recovery plans. But not every workplace has the capability or resources to offer this to all of the staff who are able to do all or part of their jobs remotely.
The challenges are multiple. Basic IT equipment and software maintenance becomes problematic. The border of the organization's network, and therefore its attack surface, is now far larger: every home network is effectively part of it. Plenty of data is now physically held, or accessible, outside the organization's own perimeter.
Finally, and most importantly, everyone without exception is subject to heightened stress and anxiety as well as information deficits. We are all more vulnerable to social engineering attacks and similar scams, and we are also more likely to consider or actively pursue shortcuts to Just Get Something Done, which erodes protections one small decision at a time.
As we start to adjust to new ways of living and working, it’s worth considering the potential risks mass home working brings and taking active steps to measure and protect. In no particular order, here are some of the immediate concerns.
Consumer-grade broadband suffers from poor Wi-Fi configurations, leaky endpoints, outdated protocols and so on. Extracting log data from these networks is difficult, and managing them remotely is not something an organization can reasonably ask of its staff. The old advice of using an Ethernet connection where possible, for the most reliable connectivity, still helps here, but only in conjunction with VPN use: a wired link improves the session, it does not protect it.
Firewalling, VPNs and breach investigation
Identity and Access Management (IAM) is critical, as is secure connectivity.
All employees should connect only over the VPN, but planning for instances where this is not possible (endpoint issues, a damaged hardware token, a broken client update and so on) has to take place, so that the fallback is a defined procedure rather than whatever the user improvises.
That said, many organizations also face the prospect of employees using their own devices to do work. Depending on your organization's Mobile Device Management (MDM) policy and the availability of thin client, virtual machine and similar technologies, this practice represents both opportunity and risk. Inconsistent, out-of-date or failing hardware and software adds further complexity.
Updating, patching and remote incident response
Working remotely can add further complexity to updating systems – as administrators are physically removed from users, their systems and back end infrastructure. The convenience of being able to simply re-image a user’s broken laptop at your work desk no longer applies. Handling security incidents from home – with users also at home – at scale comes with its own particular set of challenges.
The fake call centre support scams that have been around for over a decade are likely to step up, and users may be more susceptible to them during times of stress. Ensuring that users verify callers, especially in the event of connectivity failures that prevent them from reaching company directory services or help pages, is vital; a callback to a number the user already holds, rather than one the caller offers, is the simplest check.
This brings up another area of concern: should secure and assured communications channels fail or prove insufficient, users will be tempted to supplement them with alternative public services that the security team has no oversight of. This raises the issue of identity verification a second time, since the person on the other end of an unsanctioned channel is exactly the one you cannot confirm.
Some of these challenges can be ameliorated at the first point of failure, the workstation, using monitoring, telemetry and detection tooling on each endpoint. Forensic and response tooling built into the endpoint can scan it remotely and, if need be, isolate it, which matters most when the device is on a home network the security team cannot otherwise see.
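As an added example, not code from the original post or from any particular vendor's tooling, the following script shows the kind of triage that endpoint telemetry makes possible once devices are scattered across home networks. It assumes a hypothetical agent that writes one JSON check-in per host (the field names, thresholds, host names and log lines are all constructed for illustration), keeps only the newest record per host, flags hosts that have gone quiet, are off the VPN or are badly behind on patches, and selects the ones a responder should isolate.

```python
"""Triage constructed endpoint agent check-ins (added example; all formats,
field names, thresholds and sample data are assumptions, not a real product)."""
import json
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds.
STALE_AFTER = timedelta(days=7)   # no check-in for a week: we cannot see the host any more
PATCH_LAG_LIMIT = 14              # more than two weeks behind on patches is unacceptable

# Constructed sample telemetry: one JSON object per line, in an assumed agent format.
# Note the older duplicate for lt-0412 (off VPN) that the newer record supersedes,
# and the malformed trailing line a flaky home link might produce.
SAMPLE_TELEMETRY = """\
{"host": "lt-0412", "user": "asmith", "seen": "2020-03-23T08:55:00Z", "vpn": true,  "patch_lag_days": 3,  "detections": []}
{"host": "lt-0198", "user": "bjones", "seen": "2020-03-15T17:02:00Z", "vpn": false, "patch_lag_days": 41, "detections": []}
{"host": "lt-0277", "user": "cwu",    "seen": "2020-03-23T09:10:00Z", "vpn": false, "patch_lag_days": 2,  "detections": ["credential_dumping"]}
{"host": "lt-0305", "user": "dlee",   "seen": "2020-03-23T07:40:00Z", "vpn": true,  "patch_lag_days": 20, "detections": []}
{"host": "lt-0412", "user": "asmith", "seen": "2020-03-20T18:30:00Z", "vpn": false, "patch_lag_days": 3,  "detections": []}
{"host": "lt-0501", "seen": "2020-03-2
"""

# Assumed "current time" so the example is reproducible offline.
NOW = datetime(2020, 3, 23, 10, 0, tzinfo=timezone.utc)


def parse_telemetry(text):
    """Parse JSON-lines check-ins, keeping the newest record per host.

    Returns (records, malformed_count). Malformed lines are counted rather than
    raised: losing one bad line must not stop triage of the other hosts.
    """
    latest, malformed = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["seen"] = datetime.fromisoformat(rec["seen"].replace("Z", "+00:00"))
            host = rec["host"]
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed += 1
            continue
        prev = latest.get(host)
        if prev is None or rec["seen"] > prev["seen"]:
            latest[host] = rec
    return list(latest.values()), malformed


def triage(records, now=NOW):
    """Classify hosts and pick isolation candidates.

    A host is marked for isolation when its agent reports a detection, or when
    it is both off the VPN and badly unpatched (a device we can neither see
    nor trust). Isolation of a stale host cannot go via the agent, so it has to
    be done at the VPN gateway or identity provider instead; the reason string
    says which.
    """
    out = {"stale": [], "off_vpn": [], "unpatched": [], "isolate": {}}
    for r in sorted(records, key=lambda r: r["host"]):
        host = r["host"]
        stale = now - r["seen"] > STALE_AFTER
        off_vpn = not r.get("vpn", False)
        unpatched = r.get("patch_lag_days", 0) > PATCH_LAG_LIMIT
        if stale:
            out["stale"].append(host)
        if off_vpn:
            out["off_vpn"].append(host)
        if unpatched:
            out["unpatched"].append(host)
        if r.get("detections"):
            out["isolate"][host] = "detection: " + ",".join(r["detections"])
        elif off_vpn and unpatched:
            where = "gateway/IAM (agent unreachable)" if stale else "agent"
            out["isolate"][host] = "off VPN and unpatched via " + where
    return out


if __name__ == "__main__":
    records, bad = parse_telemetry(SAMPLE_TELEMETRY)
    print(f"{len(records)} hosts, {bad} malformed line(s)")
    for category, hosts in triage(records).items():
        print(f"{category:10s} {hosts}")
```

The point of the de-duplication step is that the most recent record wins: lt-0412 was off the VPN three days ago but is on it now, so it is not flagged, whereas lt-0198 has not checked in for over a week and was last seen off the VPN and 41 days behind on patches, so the only lever left is the VPN gateway or the identity provider, not the agent.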
As organizations adapt to distributed workforces over the next few days and weeks, if not months, new complications and unforeseen consequences are bound to arise. Downtime for Microsoft Teams in recent days is one example, and there will no doubt be many more. Ensuring devices, systems and humans are prepared for this sort of disruption in the midst of an even greater one will remain a huge challenge.
What have we missed in this brief blog? What would you add to the list? Feed back in the comments below, and keep an eye out for more on this topic from us.