Cyber Risks and Reliefs of Sheltering in Place
As we all become accustomed to working from home for the immediate future, it has given us time to ponder the impact this "new normal" will have on cybersecurity. It turns out, there are indeed a few more risks we must bear in mind, but we can also take solace in ways we will reduce risk too.
Let us first begin with some of the additional risks we must consider as we are asked to ‘shelter in place.’
Home sweet home
We know that more work laptops are at home with employees, and they will be there for the foreseeable future. This makes our title of ‘Household CISO’ more important than ever to keep home networks protected against bad actors and cyber threats.
Do we have any idea where our less cyber-savvy household members go on the internet? They might download malware that could spread on home networks, resulting in more risk for every device connected, including those work laptops. While we are reasonably certain work devices are running up-to-date endpoint security, can we say the same for the rest of our home devices? Maybe or maybe not. What we can say is that work laptops on home networks will be subject to greater risk in the immediate future, meaning security at home impacts security at work.
When you have a spare moment, double check the security for other devices in your household, and also consider free DNS-layer protections for your home network or devices to block connections to malicious websites. Consider a "security 101" lesson as part of your next dinner-time conversation, to teach family members how to avoid things like illicit sites when downloading games or music.
Visibly less visibility
It is clear that working from home blurs the lines between home and work life. You might take a coffee break to mediate an argument between kids or take your dog on a much-needed walk around the block. Given this is the case, we can only anticipate the same will happen with our cyber lives, too. We will all use our laptops for more personal activities, like reading the news or ordering online.
If we VPN into work (and the security stack at the office), our security team has visibility into what employees do, and they can apply URL filtering, DLP, or other security measures appropriately. But more and more, we work directly in SaaS apps or browse online without a VPN backhauling traffic to the office, which gives way to another challenge. When we don’t use VPNs, our security teams have limited visibility into the risks that employees take on-line. We lack the ability to see risky behavior as it happens and threats that may have seized devices, limiting the ability to develop a proper security response before an employee connects to the VPN and potentially exposes the entire company.
Shutting the door behind us
Like it or not, we are being forced to open corporate networks and systems to enable simple remote productivity. For example, a critical server that was only reachable from the office by a (previously) reasonable security policy may now be open via remote access VPN because the office is physically closed. Organizations will do all in their power to put the right security measures in place to limit the risk of more open systems, but the fact is that this will increase our attack surface and will introduce additional cyber risk.
The other aspect? Will we shut the door behind us and remove the more permissive network policies when we return to the office? We’d venture to guess that more than a handful of organizations will fail to remove these permissive policies as we return to work. We suggest you diligently record which policies were relaxed during this period and set a reminder now to tighten things back up in a few months.
Now for the good news.
There are a couple of reasons to be relieved (at least cybersecurity-wise) when working from home.
Road warriors no more
There are lots of concerns when we consider bogus Wi-Fi networks, man-in-the-middle attacks, or Wi-Fi sniffing, and while we continue to educate our teams about such cyber risks, individuals continue to connect to open networks at coffee shops, hotels, and airports. That said, for the time being, far fewer employees are connecting this way. A good amount of the risk we previously assumed when working from the road has simply disappeared – because we can’t do those things while ‘sheltered in place.’ So, as a consequence, infection via those vectors will reduce dramatically.
Another potential upside is the fact that we will likely see fewer stolen laptops. For instance, employees will not leave their laptops in their cars when running errands after work, inviting smash-and-grab laptops thefts.
Backhauling to cover our backsides
While some organizations are implementing security models without VPNs, many still rely on VPN connections to backhaul remote employee traffic to the office security stack. In many cases, we find users whose traffic is backhauled to the office (with the appropriate visibility mentioned above) better protected going through the chokepoint of VPN and related network security devices. Somewhat paradoxically, workers may not get the same protections when they return to their office networks, as devices running to those networks connect directly to each other and are mixed with other IoT and BOYD devices without a chokepoint whereby security controls can be applied.
Some organizations are looking into expanding VDI implementations to ensure they don’t overwhelm VPN infrastructure supporting heightened numbers of remote employees. For more information on our strong protections of VDI with Adaptive User Segmentation, see our recent post on the topic.
The coming weeks will indeed prove to be a test for us all as we seek to remain as productive from home while not turning our backs on security. We hope we’ve given you some food for thought on what additional risks to consider and even a couple of silver linings.