Security Awareness Training

    Cybersecurity and the New Work from Home Normal

    Now that work from home is the new normal, security professionals need to reassess how they are managing their organization’s cybersecurity risk.

    by Bill Camarda
    getty-man-with-cell-phone.jpg

    Key Points

    • COVID-19 has made remote work from home the new normal.
    • Security professionals need to recognize this and adjust their cybersecurity practices accordingly.
    • Rapid cloud migration, cloud-based security solutions and emphasizing cybersecurity awareness training for employees are among the most important ways to respond.

    COVID-19 has radically changed the way knowledge workers work. The cybersecurity challenges that they face have changed radically as well.

    Enabled by technical advances like faster mobile devices and driven by business imperatives to reduce spending on office space and infrastructure, remote work was already becoming common even before the pandemic erupted. What COVID-19 did was accelerate this trend to the point where home and business computing have become thoroughly mingled.

    But the overnight rapidity with which this has happened has exacerbated the risks of a cyberattack. So, let’s step back and consider how cybersecurity professionals ought to respond.

    1. Move Your Applications to the Cloud

    Eight months into COVID-19 and it’s time to re-evaluate how key business applications are performing. This includes reassessing any security risks they present. If less than optimal performance together with some security tradeoffs were acceptable in March, this is unlikely to still be the case in October. New infrastructure investment may be needed to fix the problem, but a better and more cost-effective approach may be to move problematic applications to the cloud and then scale them as needed.

    2. Support Cloud Applications with Cloud-Based Security

    Along with your company’s applications, its cybersecurity should move to the cloud as well. This will ensure that your security controls — including network, web, email, endpoint, identity and access management, and authentication — can follow your users wherever they go. Taking this approach lets you quickly reduce (and eventually eliminate) the need to backhaul traffic from remote locations or to enforce and monitor security through VPNs.

    Moving to the cloud enables you to integrate all of your security tools into a centralized SIEM/SOAR threat detection and response system. And the robust APIs and off-the-shelf-integrations provided by some cloud-based security solutions make this a relatively easy transition.

    3. Revisit the Way You’re Using VPNs

    For corporate applications that continue to run inside your network perimeter, there’s no substitute for a VPN. But when organizations ramp up their VPN usage, they often encounter performance or reliability problems. While employees might tolerate this in the short term, their expectations will rise once they realize that working from home is now the “new normal.”

    The short-term solution is to build out more VPN infrastructure by adding bandwidth or servers and improving load balancing. Sometimes, it can also help to stagger work hours and encourage people to drop off the VPN when they quit for the day. Longer-term, though, you’ll do better by shifting more work to the cloud.

    But as long as you’re still running your own VPN, make sure that the client and server software remains up-to-date. Yes, that should be obvious, but the reality is that 16 months after a critical flaw was fixed in April 2018, CERT/CC found more than 500,000 VPN servers that remained unpatched.[1] VPNs may be a legacy solution, but you can’t afford to ignore them while they’re still in place.

    4. Some Other Important Steps to Upgrade Your Network Security

    If you still haven’t implemented multi-factor authentication, what are you waiting for? And either issue corporate devices that you control to replace employee-owned mobile devices, or roll out mobile device management where no practical alternative to BYOD exists.

    Consider running password audits to ensure that employees are making use of strong, unique passwords that haven’t previously been compromised. And since manual password management is ever more time-consuming and impractical, consider making use of password managers or replacing passwords with biometrics.

    While you’re at it, encourage employees to install modern network routers at home. These should make use of WPA2 and strong, original passwords in lieu of the default administrator password that the router ships with. Also suggest that employees upgrade their older IoT devices, which are notorious for offering easy access to hackers. Newer IoT devices tend to be more secure, although a 2019 study by researchers from the University of Illinois Champaign-Urbana and Stanford found that millions of home devices still possess major vulnerabilities, such as default credentials, open services and reliance on insecure FTP or Telnet protocols.[2]

    5. Make Cybersecurity Awareness Training Your Top Priority

    With employees using their own devices for work and connecting through their own networks at home, cybersecurity awareness training has become more important than ever. This is especially true given today’s ever-more-sophisticated phishing attacks and employees’ tendency to get careless when they’re distracted by a sometimes stressful home environment. Employees need to learn about home network hygiene and to receive awareness training that is ongoing, engaging and has a track record of success.

    The Bottom Line

    The pandemic-driven shift to work from home is likely to endure, and security professionals need to plan accordingly. Among other things, this means moving more applications to the cloud, employing cloud-based security solutions and making cybersecurity awareness training for employees a top priority.

    [1] “VPN - A Gateway for Vulnerabilities,” CERT/CC Blog, Carnegie Mellon University Software Engineering Institute

    [2]Insecure Home IoT Devices a Clear and Present Danger to Corporate Security,” Dark Reading

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top