Cybersecurity and the New Work from Home Normal

COVID-19 has radically changed the way knowledge workers work. The cybersecurity challenges that they face have changed radically as well.

Enabled by technical advances like faster mobile devices and driven by business imperatives to reduce spending on office space and infrastructure, remote work was already becoming common even before the pandemic erupted. What COVID-19 did was accelerate this trend to the point where home and business computing have become thoroughly mingled.

But the overnight rapidity with which this has happened has exacerbated the risks of a cyberattack. So, let’s step back and consider how cybersecurity professionals ought to respond.

1. Move Your Applications to the Cloud

Eight months into COVID-19 and it’s time to re-evaluate how key business applications are performing. This includes reassessing any security risks they present. If less than optimal performance together with some security tradeoffs were acceptable in March, this is unlikely to still be the case in October. New infrastructure investment may be needed to fix the problem, but a better and more cost-effective approach may be to move problematic applications to the cloud and then scale them as needed.

2. Support Cloud Applications with Cloud-Based Security

Along with your company’s applications, its cybersecurity should move to the cloud as well. This will ensure that your security controls — including network, web, email, endpoint, identity and access management, and authentication — can follow your users wherever they go. Taking this approach lets you quickly reduce (and eventually eliminate) the need to backhaul traffic from remote locations or to enforce and monitor security through VPNs.

Moving to the cloud enables you to integrate all of your security tools into a centralized SIEM/SOAR threat detection and response system. And the robust APIs and off-the-shelf-integrations provided by some cloud-based security solutions make this a relatively easy transition.

3. Revisit the Way You’re Using VPNs

For corporate applications that continue to run inside your network perimeter, there’s no substitute for a VPN. But when organizations ramp up their VPN usage, they often encounter performance or reliability problems. While employees might tolerate this in the short term, their expectations will rise once they realize that working from home is now the “new normal.”

The short-term solution is to build out more VPN infrastructure by adding bandwidth or servers and improving load balancing. Sometimes, it can also help to stagger work hours and encourage people to drop off the VPN when they quit for the day. Longer-term, though, you’ll do better by shifting more work to the cloud.

But as long as you’re still running your own VPN, make sure that the client and server software remains up-to-date. Yes, that should be obvious, but the reality is that 16 months after a critical flaw was fixed in April 2018, CERT/CC found more than 500,000 VPN servers that remained unpatched.[1] VPNs may be a legacy solution, but you can’t afford to ignore them while they’re still in place.

4. Some Other Important Steps to Upgrade Your Network Security

If you still haven’t implemented multi-factor authentication, what are you waiting for? And either issue corporate devices that you control to replace employee-owned mobile devices, or roll out mobile device management where no practical alternative to BYOD exists.

Consider running password audits to ensure that employees are making use of strong, unique passwords that haven’t previously been compromised. And since manual password management is ever more time-consuming and impractical, consider making use of password managers or replacing passwords with biometrics.

While you’re at it, encourage employees to install modern network routers at home. These should make use of WPA2 and strong, original passwords in lieu of the default administrator password that the router ships with. Also suggest that employees upgrade their older IoT devices, which are notorious for offering easy access to hackers. Newer IoT devices tend to be more secure, although a 2019 study by researchers from the University of Illinois Champaign-Urbana and Stanford found that millions of home devices still possess major vulnerabilities, such as default credentials, open services and reliance on insecure FTP or Telnet protocols.[2]

5. Make Cybersecurity Awareness Training Your Top Priority

With employees using their own devices for work and connecting through their own networks at home, cybersecurity awareness training has become more important than ever. This is especially true given today’s ever-more-sophisticated phishing attacks and employees’ tendency to get careless when they’re distracted by a sometimes stressful home environment. Employees need to learn about home network hygiene and to receive awareness training that is ongoing, engaging and has a track record of success.

The Bottom Line

The pandemic-driven shift to work from home is likely to endure, and security professionals need to plan accordingly. Among other things, this means moving more applications to the cloud, employing cloud-based security solutions and making cybersecurity awareness training for employees a top priority.

[1] “VPN - A Gateway for Vulnerabilities,” CERT/CC Blog, Carnegie Mellon University Software Engineering Institute

[2] “Insecure Home IoT Devices a Clear and Present Danger to Corporate Security,” Dark Reading