COVID-19, Security and WFH: Myths and Misconceptions

With COVID-19 stay-at-home orders still in place in many states, working from home (WFH) has become what is sure to be the “new normal” in the post-pandemic world. Given this, remote security should be at the top of every organizations’ priority list.

Yet, there remains a long list of common myths and misconceptions about remote worker security. And it’s easy to see how and why this can happen, especially in a world where staff went from working onsite to working from home practically overnight. But it is critical that businesses make themselves aware of what these myths and misconceptions are and address them with the urgency they require.

The list is long, so below are the five most pressing.

Zoom Meetings Are End-to-End Encrypted

Video chat has exploded in to people’s lives over the last couple of months. What was until very recently used mainly as a meeting tool (with a video function that people often tried to avoid) has suddenly become an essential part of our everyday lives in the WFH environment—both for work and recreation.

And the video app of choice has turned out to be Zoom. But many people are still operating under the misconception that Zoom chats are end-to-end encrypted when they are not. In fact, a number of privacy issues have come to light, such as Zoom’s iOS app sending data to Facebook without explicit user consent. While this issue has since been rectified, people are still operating under the encryption misconception when it comes to Zoom and other video conferencing apps, some of which are end-to-end encrypted and some of which are not.

VPN Solutions Will Work Seamlessly

Another common misconception that WFH employees are operating under is that VPN connections will work and that there will be sufficient bandwidth and licenses for VPN solutions. This may not be the case because VPN has always been somewhat of an afterthought.

Until COVID-19 took over our everyday lives, VPN was generally used only in special scenarios in which someone needed to work remotely or outside their usual working hours. Because of this, housekeeping, maintenance, management and administration of VPN are not very effective. Organizations don’t have dedicated people to handle those things. VPN requires a lot of bandwidth and adequate licenses, and suddenly, with millions of us working from home amid the pandemic, everybody is trying to use VPN, which means issues with bandwidth and licensing that we just hadn’t thought of.

VPN Solutions Are Secure

VPN solutions also lend themselves to a common WFH security myth—that VPN solutions are fully secure. They aren’t. Generally speaking, we don’t see day-to-day housekeeping of VPN servers, such as patching. Compounding this, organizations are often not on the latest versions of their VPN.

This can mean a remote, unauthenticated user may be able to compromise a vulnerable VPN server and gain access to all active users and their plain-text credentials. An attacker also may be able to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Given this, and now that VPN has suddenly become so popular—and is likely to stay that way in the post-pandemic world—we need to make sure that VPN solutions are up to date and patched so that hackers don’t see VPN as an easy vehicle through which to conduct an attack.

Personal Device Security Is Equal to Company Device Security

In some ways, it seems so obvious that personal device security is often a far cry from company device security, yet so many organizations allow personal devices to be used for company business without a second thought for security.

It’s obviously a challenge even during normal times for remote security to be implemented on any personal device that might be used for company business. But during these extraordinary times, when companies had to set staff up to work from home literally overnight in many cases, it’s an understandable oversight.

Still, it can have catastrophic consequences if not addressed in the WFH environment. Firms must implement two-factor authentication, content filtering, identity and access management, encryption, auto backups, authentication and security monitoring to any personal device being used for company business.

These are some of the things that you’d see in a typical corporate network, but we don’t see on personal devices; it’s a long and dangerous list of disparities creating a myth of security that isn’t there.

Remote Workers Always Know How to Spot a Suspect Email

They don’t, and this is particularly problematic in the current situation, given the massive rise in phishing and spam emails since the COVID-19 situation took hold.

And with the majority of organizations currently running their staff remotely, this problem is only magnified. The pandemic is giving rise to a huge amount of fear, uncertainty, anxiety, sympathy, greed and disorder, meaning clarity is easily taken advantage of.

This makes phishing emails even more effective because our defenses are down and we are sitting alone at home with no one to bounce ideas off, ask immediate questions of or get opinions from. We are vulnerable right now and hackers know it.

It’s exceptionally important that companies stay on top of these latest and advanced emerging phishing attacks and stop operating under the myth that their remote teams are going to be able to spot a suspect email every time. They probably won’t.

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard
Vikram Chabra

Vikram Chabra

Vikram Chabra is the director of the NetEnrich cyber security practice. He is responsible for building the entire portfolio of cyber security services at NetEnrich, ranging from assessments and managed security services to security technology management. He also expanded the NetEnrich cyber security and cloud security portfolios to include the US, Canada, Japan, META and EMEA regions.

vikram-chabra has 1 posts and counting.See all posts by vikram-chabra