As global economies continue in the fight against COVID-19, millions of people around the world are working from home to slow the spread of the disease. This new WFH imperative has challenged many IT organisations and will continue to impact how we enable business operations for months and years ahead.
In most disaster recovery scenarios, global companies only need enough capacity for 50% of the workforce to operate remotely. Many ‘regular’ disasters are regional – earthquakes, hurricanes, or terrorist attacks, for example – so the prevailing thinking was it would be extremely unlikely that enough capacity would be required for a whole global team to work virtually. COVID-19 has upended this logic.
The global nature of the pandemic is unlike anything we’ve seen in our lifetime. It means many businesses’ continuity plans have needed to be rebuilt. Importantly, the highly unusual scenario has created unprecedented security challenges for CIOs who are now managing entirely remote workforces. From staff having to rely on personal devices to access corporate networks, to increasing threats on video calls, and children listening in on confidential phone calls taking place at home, CIOs are having to adapt quickly to ensure their company assets aren’t being compromised. So, what are the key security considerations for CIOs during this period, and how can they overcome these challenges?
Security challenges of remote workforces
In an office environment, the CIO can control the technology that employees use. As such, desk-based hardware, supported by on premise software, provided both utility and security. Yet, many companies were hamstrung by these very systems which were proved to be inflexbile as teams moved to remote locations. Becoming fully operational through the cloud, with direct access to a server or network via an employee’s laptop, was at best problematic at worst it was an impossibility. What resulted was suboptimal from both a logistics and security standpoint. Many people working from home needed to rely on their personal devices to do their day-to-day jobs. Devices that may not be compatible with the company’s software or security systems.
Furthermore, employees may be dealing with low bandwidth at home – or in some situations – no WiFi at all. At Freshworks, we faced this challenge as a significant number of our staff are based in Chennai, India where many households do not have access to the internet. While we have provided all our Chennai-based staff with MiFi dongles, not all businesses will have the capability to do this, or to manage these devices once they are set up. Another headache for IT leaders, how to maintain security while staff were relegated to using public networks – that can be both unsecure and vulnerable – to access corporate assets, services, and applications.
Not surprisingly, we have also seen a rise in COVID-19 related hacking and phishing attacks. In the US the FBI claimed cybercrime reports have increased fourfold during the outbreak. This is due, in part to the aforementioned increase in employees using public networks and personal devices at home. But the work from home dynamic, in general, presents a wealth of opportunity for cybercriminals. People are downloading a host of tools and platforms they would not have otherwise required – many of which are being secured with old passwords. Zoom is a prime example. The video conferencing service has acquired millions of new users in the last month, and has since been targeted by hackers who have made the details of hundreds of thousands of accounts available on the dark web.
Further to this, people understandably aren’t focused on security issues. They have lots of pressures and concerns going on in their day-to-day lives right now and are therefore are more susceptible to be taken advantage of. Many cybercriminals will tap into financial and health anxieties and use hoax schemes to try to convince us to share our data.
So how can CIOs help employees stay secure while working from home? The good news is that there are several processes that can be put into place now to keep their remote workforces safe and secure.
Using endpoint management systems to secure company assets
When the whole team is working remotely, it is vital that CIOs can manage company devices virtually and push anti-virus software, and other relevant upgrades, to employees’ machines. There are various applications available that help businesses sync their mobile and computer devices into their asset management. Once integrated, CIOs can view the current configuration of their end-user machines, as well as the relevant health information of all devices, and perform actions such as wiping systems, rebooting, and retiring assets.
Why is mobile device management so important? Firstly, and most importantly, it gives a company’s IT operation the ability to secure all employee endpoints, whether that’s company-issued smartphones, tablets or laptops. It also gives them the freedom to control and enforce policies on these devices when needed. Secondly it gives IT teams better visibility into any issue being faced by the end-user, meaning they can respond and fix any issues in the most efficient way.
Employing virtual private networking (VPN)
Once corporate assets are secure, it is important that staff can access the various systems and files that they need whilst working remotely. Establishing a local area network (LAN) connection through a VPN is one way to this. With the right authentication and encryption, the VPN security architecture can be a cost-effective and highly scalable solution for accessing corporate systems.
Maintaining security protocols for new joiners and leavers
COVID-19 is not going away anytime soon. Even when strict lockdown measures are lifted, many businesses will continue to operate remotely until it is deemed safe for their workforces to travel. While a number of businesses have put a freeze on hiring for now, many are still recruiting and as remote working becomes the norm, efficiently enrolling new joiners and enforcing protocol for leavers virtually will be key.
Businesses must use endpoint management systems to remotely set-up new starters. This will ensure anti-malware software is downloaded on their company-issued laptop and that they can securely access the network.
For offboarding, CIOs will need to ensure they have shipping and logistics processes in place to securely courier machines back to their facility. If this is not possible, the ex-employee will have to hold on to the device until working life gets back to normal. And, if this is the case, the CIO should use asset management to ensure the device is wiped and the account disabled.
The mode that we are currently in is accelerating the ‘flight to safety’ of many businesses. So, while the job of a CIO is currently an unenviable one – implementing new tools and securing processes, will, I believe, have immediate benefits for the remote workforce with huge advantages for the
businesses in the long-term.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.