Before the COVID-19 pandemic, many businesses pigeonholed cybersecurity efforts as an IT responsibility. But some experts say it should be a shared approach with IT leading the way, especially since COVID-19 has forced many employees to work from home, potentially leaving a hole in digital defenses.
“Many of the cyber protections that have been built into an office environment may not transfer when employees transition to remote work from their homes,” said Cathy Coloff, managing member of IT Radix, an information technology services provider. “That’s because the employer’s IT department doesn’t control the employee’s home network, or any of the IoT [Internet of Things — smart printers and other devices] that may be on the employee’s home network.
If a family member, roommate or someone else is connected to the employee’s Wi-Fi network and has a cybersecurity issue, it can easily affect others on the same network, and give a hacker or other bad actor easy entry into the company’s system.”
That struck home for one of her clients after many businesses were forced to operate remotely. “The owner of a landscaping company pulled his dusty laptop off the shelf — where it hadn’t been used for three years — and told us he was going to use it to communicate with his employees,” said Coloff. “Our thought, was: ‘What? You haven’t maintained the operating system and other software with security updates in three years, and you don’t even have an anti-virus program on it, and you’re going to use this to connect to your internal network? I don’t think so.’”
Coloff and her team advised the owner about buying a new laptop for himself and for several employees who had outdated or no laptops, and also set up security measures, including a virtual private network connection with multi-factor authentication — a multi-step security measure that often supplements a password with a security code sent to the employee’s smartphone — designed to make it harder for unauthorized people to enter the network.
“There isn’t any ‘one-size-fits-all’ solution,” Coloff added. “You have to examine each setup and determine the vulnerabilities and the possible safeguards.” Many safeguards are typically enforced behind the scenes through a company’s central firewall and network, “but you’ve got to be creative when most of your employees are suddenly working remotely.”
MORE SECURITY RISKS
The new normal of a distributed workforce drives a variety of data and cybersecurity concerns, said Surjeet Mahant, managing director and head of Cyber Risk Management services at K2 Integrity, a risk, compliance, investigations and monitoring firm. “Working from home has demonstrated an increase in information sharing; the lack of proper security on home networks; having vulnerable devices, including Internet of Things devices on the same network; and an uptick in phishing attacks. All of this is coupled with distractions and improper separation of personal and work affairs.”
To safeguard against hacking and other threats, he cited a laundry list of steps, including secure remote access to employee-connected systems. Businesses should also ensure “that a secure virtual private network solution is in place and well managed,” he added. “We have been taking a holistic approach in ensuring an end-to-end solution to meet the work-from-home scenario and have been working with our clients to deploy security solutions at the corporate infrastructure level, while simultaneously helping employees and executives secure their homes when it comes to cybersecurity.”
In one client engagement, K2 Integrity was called in to assess the overall cybersecurity, including compliance issues, at an investment firm in the tri-state area that had to quickly switch to a work-from-home model. “This work included a performance assessment that led to the review and rewrite of all policies and procedures to align with the new working model,” he said. “Additionally, the client’s controls environment was reviewed to ensure that these controls were operating effectively and that all identified gaps were addressed. Today, we continue to remain engaged with this organization, providing security operations services including services to protect the home offices of their executive staff and key stakeholders.”
When it comes to remote-worker cyber-threats, “every industry is at risk and can become a victim of cyberthreats,” said PCH Technologies President and CEO Timothy H. Guim. “But I would say that small companies are more at risk than larger ones because they are an easier target. Small companies often do not have the tools or staff of large companies, which explains why almost half of all cyber-attacks are directed at small businesses, unfortunately.”
During the pandemic, “we got a referral to a law firm that suffered a cyberattack due to an employee who was working from home and clicked on an email phish link that initiated ransomware and encrypted all the servers, and took the entire network down,” Guim added. “PCH Technologies set up secure remote access with a VPN for all employees, and also issued corporate owned devices to access the network. Additional email and endpoint security – which typically uses machine-learning or behavioral analysis to protect systems from certain threats – and cybersecurity awareness training were rolled out to all remote users. To recover from the ransomware, we used the existing cloud backup to bring the system backup prior to the incident that occurred.”
Working from home has exacerbated these kinds of threats, he added. “With employees working from home, the footprint of what needs to be protected is now much larger and more distributed than when you had employees working from one central office where a firewall is used to protect and monitor security traffic. Now employees working from home do not have a firewall, and instead you have to protect and monitor the internet connection that employees are using when not physically in the office.”
There are behavioral challenges too. “People working from home may take their guard down in regard to cybersecurity,” he cautioned. “Employees may be more comfortable using their home device, browsing the internet at their leisure. This means the employee working from home could be more susceptible to click a nefarious email phish link that could compromise the computer and then be used to gain access to the corporate network, email systems, or extract sensitive corporate data.”
But there are solutions. “It is important to issue corporate-owned equipment including computers, laptops, tablets and/or phones for employees working from home,” declared Guim. “This will allow the devices to be completely locked down with proper security and significantly reduces the risk of compromise.”
Additionally, a digital device should be encrypted, “so if it is lost or stolen, the data on the device will not be accessible,” he said. “Secondly, mobile device management software should be used to manage the security settings of the device, as well as be able to track the location and perform a remote wipe if the unit is lost or stolen.
The third item that is important to implement is two-factor authentication for the network and cloud-based systems to reduce this risk of a cybercriminal needing more than just a password to gain access to systems.”
The most important area, said Guim, “Is making sure there is a commitment from the executive level, understanding the importance of cybersecurity. It is very important to have regular robust cybersecurity awareness testing and training which includes the onboarding of all new employees. This will help remind employees that even though they are working from home they need to stay vigilant with cyber threats.”
The work-from-home model has opened “A Pandora’s box of security risks that’s helped drive a brisk increase in our business,” said David Durko, CEO of Security Validation, a data security and privacy consulting firm. “An office-based internet connection typically has a firewall and other filters that help to keep out bad actors, including state-sponsored ones from the Middle East, Russia and China. But at home, employees typically have a weaker, commercially available router. They’re still connecting to sensitive corporate resources like payroll, the accounting system and others.”
At the same time, he added, remote employees may be surfing the Web without restriction and, checking their email and possibly downloading attachments “A lot of offices restrict access risky website and attachments, but these and other best practices may go out the window in a work-from-home environment.”
Recently, Security Validation created a “virtual desktop infrastructure” for the employees of a global consumer electronics company, “so an employee who’s working from his or her home computer isn’t being directly connected with the corporate network,” he said. “Everything they type on their screen is actually being done on a computer in a secure location.”
The very qualities that can give small businesses and edge in the marketplace — an open, nimble corporate culture — can also make expose them to cyber-threats, Durko added. “Family oriented businesses have traditionally given employees pretty free use of their computers, and often let them surf in their spare time.
Then a security advisor will come along and say that’s not safe — and some employees feel betrayed. But there’s no doubt that the threat of cyber-intrusion is at record-high levels, and companies have to take proactive steps to safeguard their data.”