Experts discuss what precautions companies need to take now that a record number of people are working outside of offices.
For most cities in the US, life has been upended in drastic ways that were largely unexpected just weeks ago. Millions of employees now have to work from home, even more need to attend school digitally and hospitals are facing unprecedented numbers of patients in need of care.
These changes to the fundamental order of most people’s lives have fast-tracked a newfound reliance on digital tools that in some areas are struggling to keep up with previously unseen levels of demand.
TechRepublic surveyed experts to gain a better understanding of what businesses, schools and hospitals should prepare for in terms of network security and bandwidth issues as governments battle the spread of coronavirus.
Curtis Peterson, senior vice president of operations at RingCentral, and many other analysts said most businesses probably did not anticipate the crisis over coronavirus lasting for such a long duration and most likely did not have business continuity plans in place to brace for offices being closed until the summer.
“There’s a thing that happens with us mentally. We shift from what we perceive to be a public space or a semi-public space where we practice a relatively decent set of privacy and security hygiene. We log out. We don’t share passwords. We don’t have bank accounts open, TurboTax running, iTunes streaming, Netflix playing or online checkers games in the background,” said Peterson.
“But when we switch from that work environment and we go home, we need to bring those habits with us. That’s what I’ve seen missing from what people do when they work from home and what employees fail to include in their instructions for work-at-home personnel. Most companies only did business continuity planning at the last minute.”
Biggest security threat concerns
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, said enterprises involved in crisis response and management should expect DDoS attacks, large scale phishing attempts and even ransomware attacks that will try to force a quick payment decision because time does not work in favor of the victims.
Hospitals in particular are at greater risk than ever, he said, given the spotlight shining on them during the current situation, so it is important for these enterprises to go back to the basics: patching systems as quickly as possible and not falling into the trap of “we can’t afford that activity or a downtime now.”
While working from home is necessary at a time like this, it leaves critical employees away from secure buildings and far from IT teams who can keep their devices or information safe.
Paul Norris, senior systems engineer at Tripwire, said many organizations were at increased risk now that senior officials were forced to access secure systems from home, where internet connections may not have top-of-the-line security.
“Administrators of key systems are now working remotely and from home on potentially insecure networks. They will then have access to critical systems which in turn could lead to attacks. Home networks could become victims of attacks and compromise noncorporate operating systems and hardware to use as a springboard to compromise organizations,” Norris said.
Peterson echoed those concerns, citing the increased use of online meetings as a gift and a curse. People have increasingly used web meeting tools, but now that everyone has to use them, it is key that every meeting be protected with at least a password.
But the vast majority of meetings require no password to join, Peterson said, adding that millions of employees are now jumping from digital meeting to digital meeting throughout the day without knowing exactly who is on every call.
Another issue organizations may face is with VPN connections, which have become a relatively common way for enterprises to provide their employees with secure connections.
Justin Jett, director of audit and compliance at analytics company Plixer, said as more and more employees begin working from home, organizations are struggling to maintain network privacy and handle security issues.
“Because of bandwidth capacity issues, many organizations are struggling to provide secure VPN connections for all of their remote employees. This can result in employees not using the VPN, or having a significantly poor experience as compared to when in the office. Since not all employees understand how VPNs work, some employees are bound to engage in activities, like streaming video, that drastically tax the bandwidth for all users,” Jett said.
Bandwidth is also an often-forgotten limiting factor because most people are not used to dealing with it in office situations, so many think of it as a problem that only happens at home. It can be hard to make the leap to considering what bandwidth limitations can mean for the workplace.
One thing to keep in mind is that any impacts to bandwidth or connectivity can significantly increase the consequences of any issues that do occur, said Ian Paterson, a data analytics expert and CEO of security company Plurilock.
“The IT operations team that’s able to respond instantly to a security breach or systems problem when in the office is now at risk of being hampered by poor connectivity. Things that might previously have involved a five- or 10-minute window to resolution—whether a system outage or something more serious like an ongoing attack that needs to be stopped or addressed—may now involve double or triple that time due to slower connections,” Paterson said.
“Even worse, if a key player’s connectivity goes down at a critical moment, it may be difficult to even notify them of the problem, much less for them to address an evolving yet critical situation. For these reasons, it’s important for operations and other security-critical teams to coordinate and develop plans and alternative chains of response in case any one person—any one link in the chain—finds connectivity to be hampered at a moment of danger or trouble.”
Accessing sensitive information
RingCentral’s Peterson said business information or large lists of information in single locations have become far more valuable and enterprises will be far more vulnerable now that millions of people are accessing more sensitive information outside of encrypted channels.
Some enterprises may also limit their security posture to reduce the strain on networks but that is a dangerous game to play, Peterson said.
“This is no time for security to take a break. When you’re looking at how you’re continuing to operate as a business, you sometimes take a look at what are essential business functions and what are non-essential business functions. It’s real simple to say ‘I’m going to reduce my security requirements to keep everything running on there.’ And that might be ok for some certain instances. But there can be significant risks,” he said, adding that hackers are going to look for opportunities to infiltrate networks that are using legacy applications.
Phishing attacks are on the rise as more people work from home, and compliance with hardening standards is a must to help reduce attack surfaces. The good news is that many of the tools that allow for remote working in a secure manner already exist, including some that offer VPNs, two-factor authentication, password managers, secure file transfer and other secure features.
Norris noted that organizations should be enforcing strong policies on all systems and ensuring VPNs are used to connect to backend systems. Employees are being tempted to click on fake news, false health reports, bogus information from schools and how to claim lost income back via fake inland revenue sites. Attackers are appealing to human nature and panic situations where desperate people may not think clearly and click links that are malicious, Norris said.
The bigger issues come with cultural issues related to working from home, like leaving laptops unlocked, allowing children to download insecure games or opening phishing emails designed to scam people.
“As the U.S. and the world shift to a work from home model, people need to be vigilant when it comes to their email, as phishing and Business Email Compromise scams will continue to increase. It is less likely that people can verify the sender if the email appears legitimate while not being in the same office to check with that person,” said James McQuiggan, security awareness advocate with KnowBe4.
“Communication becomes important through secondary means, like phone calls, text messaging or other applications that increase communication and productivity. People need to make sure they are not using personal machines to access their organization’s sensitive intellectual property, unless authorized by their IT team, as this can increase the risk of exposing information to unknown or untrusted systems.”
He noted that it is important that digital personal assistants, like ones used for turning on lights or listening to music, are not in the same workspace with you, especially for confidential or sensitive phone calls, as these are always on and recording.
Organizations allowing people to work from home where the employees are not able to access email in the cloud, like Office 365 or GSuite, should be using VPN connections. IT departments should verify ahead of time that the network load can be adjusted to handle the increased connections.
Jett added that malicious actors are well aware of the increase in employees working from home and are shifting tactics to attack home networks in an effort to infect devices that will ultimately connect to the VPN. Once users connect to the corporate network, malware can easily spread through the company.
Advice for best practices
Paterson from Plurilock advised every organization rapidly deploying work-from-home solutions to ensure that they’re keeping employees inside a VPN to access any key systems. In situations where regulations prevent local data storage, it may also be important to ensure that remote workers are quickly provided with VDI solutions like Citrix or other similar platforms so that they can continue to work in a secure environment without running afoul of regulations about how and where data is stored.
All logins—not just critical logins—should be protected by strong multifactor authentication as quickly as possible. Sessions should be configured to expire at least once a day, if not more frequently. A secure single sign-on solution such as Okta or similar platforms can help to reduce “login fatigue” by securely reducing the number of logins that users have to complete in order to go about their everyday work.
A companywide one-time password reset cycle, prefaced by a notice that with the onset of remote work, a maximally secure password is now critical, is also a best practice here. Where role players do have to log into many systems because a single sign-on solution isn’t available or yet deployed, finding a secure password manager application like 1Password or other similar alternatives can help to alleviate some of the pain while reducing the chance that users will re-use the same password over and over again on multiple disparate systems.
Encrypted VPNs should be enforced as a requirement to log in to or use any sensitive systems. Before any data is stored locally—for example on a remote computer—make sure it’s clear that regulations allow this to occur and that strong storage encryption is in place.
Finally, it’s important for teams to confront these problems explicitly and in a process-oriented fashion, rather than on an ad-hoc basis. Regular meetings with relevant stakeholders from risk and compliance, operations, and other departments can help to ensure that all of the regulatory and security bases are covered and that risks and needed contingencies are accounted for—without leaving newly remote employees hamstrung and unable to be productive.
Organizations across the board should be reviewing and implementing business continuity plans. They must also ensure that there is suitable bandwidth and resources available for everyone to work remotely and have secure access to systems, so that students, care workers and employees can provide an effective service.
RingCentral’s Peterson noted that if possible, enterprises should provide employees with business laptops so that there is no co-mingling of people’s personal and work information. Companies should also provide all-in-one, comprehensive systems so that employees don’t have to fill any gaps themselves with apps downloaded from the internet.
“If you look at where we are now compared to 10 years ago, we are so much more able to handle this today than 10 years ago. It’s hardly even fair to compare the two time periods. As bad as all the news is, we are in the best place to deal with something like this from a work point of view,” Peterson said.