Rick McElroy, Cybersecurity Strategist at VMware Carbon Black, describes some of the myths surrounding managing a remote workforce securely.
I’ve attended a bunch of executive CISO roundtables over the past few weeks all focused on the current situation for companies dealing with a suddenly remote workforce. I’ve heard the challenges of companies of all different sizes and many of the biggest issues come from misinformation and false beliefs.
I’m outlining here what I think are the five biggest myths that CISOs have had in this situation and explain why they just aren’t true. Hopefully this will help challenge your own organization’s thinking about your security posture today and in the future.
Myth 1: We were prepared for this as an organization
There are many companies who have done disaster planning. Global companies may have done planning around pandemics and even have this as an active risk on their heat map. But to say that they were prepared for this is an absolute myth.
Disaster planning at most companies was regionalized or localized around known disasters like earthquakes and hurricanes. Even if a company planned around SARS or H1/N1 scenarios, it didn’t match up to what we are experiencing. There was never a plan for global social distancing. No one was fully prepared. Even if we had a plan, we never trained for it.
While no company had a plan for this, there are still companies who thought they were prepared because they had a mobile workforce and BYOB policies. But no company had all the tools needed to handle 100% work from home.
Let’s go a step further. Even if companies had the right tech stack, they don’t have the controls in place to keep their endpoints secure on home routers. I wrote an article back in 2017 when the Vault 7 and 8 CIA hacking tools were released about how cybercriminals can subvert home routers. We have a fundamental risk here that has existed since that time and now is exacerbated by having most if not all of our employees working from home.
No company was fully prepared for this.
My advice: There’s no better time to start making a plan and taking steps to work toward it. As I mention in the next myth, things aren’t going back to “normal” so companies need to prepare for some mix as the new normal.
Myth 2: My program will go back to the way it was
This is flawed thinking. The pendulum will not swing all the way back to the way things were before Covid-19. Things have fundamentally changed. When organizations look at how they fared during social distancing, they will find in some cases productivity went up, in some cases it stayed the same.
But, when comparing productivity gains or losses to the cost of real estate and liabilities of having people in a physical location together, it won’t always make sense. Particularly in regions like California where real estate is so expensive. For instance, do accountants really need to stay in the office now that we’ve proved it can work when they are at home?
My advice: I believe the majority of companies will explore the work-from-home model for many departments if not for entire companies. IT departments need to look at strategic project lists and how they will change. They need to align to these changes and prioritize resiliency and remote work projects. Some companies may need to buy an entirely new tech stack. It is more important than ever before for IT to think hard about what their program could look like 3-5 years from now—because it will be drastically different.
Myth 3: The bad actors can’t work right now
The reality is that bad actors are used to working from home. Additionally, they already know how to work securely to protect their identity. Instead of being stunted by social distancing, they are taking advantage of it. Reports are showing higher levels of activity in simple technique attacks like typosquatting and phishing to target the remote workforce.
My advice: Companies need to be communicating with their workforce on these increased risks and increase their vigilance in monitoring the security of their data.
Myth 4: Remote security is harder than on-premise security
If my program isn’t going back to the way it was and bad actors are highly active, I need to address remote security. However, there are still a lot of CISOs and IT teams out there who believe that centralization of data is the best and easiest way to keep it secure. They believe that the tools to enable and secure a remote workforce are immature, insecure, don’t work and don’t scale. My answer to that is no, it’s not. It’s just something you have to account for when you build your program. Post Covid-19, every company will build their security practices to account for this.
My advice: Remote security is all about control points. Companies had to quickly add endpoints to enable workers, but they were not able to fully secure them. Security teams need to do the same things they do with on-premise, but it requires building these processes from the ground up. Applying today’s security tools and processes to remote endpoints doesn’t work. New operational deployment models need to be developed and the time is now to get started on this.
Myth 5: Compliance is achievable with employees at home
This would be nice, but this just isn’t the case. For some situations, like where PII is being sent via different means, this is obvious. But every industry may be out of compliance thanks to simple phone conversations that used to take place face-to-face. Let’s explore a few examples:
- Take for instance healthcare or financial industries where confidential patient information was sent via fax and DLP and now it is being emailed.
- Or take call centre phone conversations. You can record, analyse and encrypt VoIP calls. But you can’t do any of this with home phones.
- Or take highly confidential executive conversations that used to happen behind closed doors. Now they may be happening in insecure settings like on a cell phone on your back porch where neighbours can hear. (And yes, I’ve heard things from my neighbour doing this that I never should have heard).
My advice: Most organizations have already shattered their compliance models and there will likely be quite a number of lawsuits after this. Companies need to think through these scenarios and consult with legal counsel to be prepared how to handle this into the future.
Rick McElroy is Cybersecurity Strategist for VMware Carbon Black. Rick has 20 years of information security experience educating and advising organizations on reducing their risk posture and tackling security challenges.
Main image courtesy of iStockPhoto.com