It’s been a week since the Canadian and U.S. governments moved from urging to pressuring organizations to make employees work from home rather than offices.
The sudden turn caught many firms off guard. Now, says a vendor, IT departments are coming to grips with the security ramifications of necessarily quick decisions.
Operationally, organizations had to follow management directives, said Greg Young, vice-president of cybersecurity at Trend Micro. The situation is a little different now. “Now they are starting to wrestle with the security implications how to manage that,” he said.
It’s not a problem for the small number of employees who already use IT-supplied and managed laptops, tablets and smartphones. But it is for a larger workforce using personal devices whose level of security is unknown to IT. This is particularly worrisome as there’s evidence threat actors are increasing their phishing attacks.
If they haven’t done so already, Young said, IT and infosec leaders should be sending home workers instructions on how to improve the security of personal devices used to connect to corporate assets as well as reminders.
Firms seeing a leap in remote access solution sales
First, if needed, make them download and install anti-malware security software for all internet-connected devices. This software may be covered by the existing enterprise licences. Employees must be told to make sure their operating systems, applications and hardware like routers have the latest security patches. That may include buying or leasing routers for staff working from home who have old devices that can’t be upgraded. Staff have to be encouraged to make passwords on personal devices secure, including changing factory-set administration passwords.
If employees have to download sensitive corporate documents, have them confirm that their version of Windows supports full-disc encryption and encourage employees to enable it. Another strategy is giving staff enterprise-level cloud storage accounts, such as the corporate version of DropBox, which have security controls. Too often, Young said, staff use dodgy or free online storage with no controls. IT may already have licences for the enterprise-level services.
How IT leaders can prepare for COVID-19 challenges
While many malls, arenas, restaurants and other public places are closed in North America, staff still need to be reminded not to use public WiFi on devices that will connect to corporate assets.
Finally, send employees a refresher on security awareness, emphasizing the risks of downloading unfamiliar applications and clicking on attachments. “We’ve seen false COVID tracking websites distributing malware and [malicious] telework vouchers,” Young said.
Internally, Young said, IT and infosec leaders should quickly evaluate the need to add cloud-based security to clamp down on the expected increase in threats from devices used by home workers. This includes secure gateway-as-a-service, sometimes called a cloud access security broker (CASB) to help better protect endpoints. “In the corporate environment, we take that for granted. Data going out from the office goes through a secure gateway where bad URLs or known malware sites are blocked and attachments are opened in a sandbox. Working at home employees aren’t equipped that way unless they also have a secure gateway.”
Gateway as a service is offered by IBM, BlackBerry, Citrix, Zscaler and others for access control and data encryption.
Another category of control to be considered is cloud-based mobile/enterprise device management from vendors such as BlackBerry, SOTI, MobileIron and others, which will block access to corporate assets to unsecure endpoints. This will be valuable, Young said, because the number of lost devices used by the new remotely-working employees will increase. Mobile device management applications allow devices to be remotely wiped, as well as enforce device encryption.
Some experts say adding network segmentation should be considered for environments that don’t already have it. However, network changes at a time when IT staff may be stressed with other work may not be a good idea, warned Young.
Employees may have concerns that their personal surfing on personal devices may come under corporate surveillance, Young said. This can be alleviated by IT telling staff how to turn off secure gateways, for example, or simply telling staff that such activity won’t be tracked.
Young also said that because of the increased security risks from home workers IT teams will have to step up network monitoring.
What’s important, he concluded, is that IT provide “reasonable security measures. Try to make it easier for people to be secure. Humans will always try to evade [complex] mechanisms.”