As many organizations revert to WFH strategies amid another COVID-19 spike, is security better this time around?
Just as businesses began to welcome back employees, the virus kicked back into gear and some states have reinstated mandatory work-from-home (WFH) orders.
When the initial WFH orders came, security and IT teams rushed to ensure all employees had the equipment they needed, including VPNs. In this hurry-up remote work model, security had to be at the forefront of everyone’s minds. The second round of WFH orders is less sudden. Many companies had staggered returns, so they had fewer people to reshuffle back to home offices. And it’s safe to say that most businesses saw this coming as new COVID-19 hotspots shot up around the country and states saw uncontrolled rises in cases after their reopening stages.
Presumably, the second stage of WFH should have gone more smoothly than the first. What have security teams learned from their experiences in March that will provide a more secure remote work environment going forward?
“Organizations are moving from the initial rush to move an entire workforce to remote work on what was thought to be a temporary basis to now a longer-term sustainable model where employees can work securely for extended periods of time,” said Chris Hickman, chief security officer at Keyfactor. “Everyone’s home has become a mini data center.” That means companies increasingly struggle to extend some of their legacy security into that type of footprint.
VPNs Move Front and Center in Security
Security teams are focusing more attention on the benefits of VPN connectivity, said Heather Paunet, senior vice president of product and marketing at Untangle.
“VPN connectivity is an essential tool for remote employees to safely connect to the corporate network while working from home,” she said. “Now that teams have a better understanding of the amount of employees who will require login access and credentials, IT teams can better plan the number of secure links they need to support at any given time.”
With a better understanding of the number of employees who will need to use the VPN client, she added, and depending on the services being used—video conference calling or softphone use, for example—IT teams can better prepare and manage their bandwidth needs.
Better Security Awareness
Tom Pendergast, chief learning officer at MediaPRO, believes that security teams learned a lot during the first round of WFH. They’ve already learned the basics such as how to configure a home network safely and connect through the VPN. Now, he said, it is time to move to the next level and focus on deeper issues, such as reinforcing that security awareness is a team effort.
“Employees working remotely are going to ask questions where they think they can get answers—and that might not be with you. So you’ve got to extend your influence by equipping others to provide good security advice,” Pendergast said. “Whether it’s the IT help desk or HR or just line managers, they need an easy way to share how-to steps and videos and short training bits on the issues you care about most.”
This requires better engagement. Getting employees on board with security awareness training is difficult enough when everyone is in the office together, but when they are scattered all over the place, it becomes even more challenging. Now is a good time for organizations to take a closer look at their training content and make it more interesting and more relevant, especially when it comes to COVID-19 phishing and social engineering scams.
Preparing for Long-Term or Permanent Remote Work
Shifting employees back and forth between the workplace and home offices is not going to be sustainable for anyone, especially the security and IT teams tasked with preparing these settings with each move. Expect more organizations to stick with mandatory WFH on a long-term basis, maybe even until a vaccine is developed, and expect a good chunk of the workforce to request permanent remote work. To make this security sustainable, security teams will have to adopt some new ways of thinking about how to best protect the corporate infrastructure and data.
“For teams implementing new security tools and strategies, looking at guidelines from organizations such as NIST is a great way to get started,” said Hank Schless, senior manager of security solutions at Lookout. “Many of those guidelines include end user education tactics, which help employees understand the risks associated with this new reality. Teams can also run testing programs, such as sending employees fake phishing attacks from mobile channels such as SMS, messaging platforms or social media.”
Also, pay closer attention to the threats around mobile devices. As Schless pointed out, mobile devices are becoming a key enabler of productivity, but they also present a significant entry point into the infrastructure if they’re not properly secured. Requiring security applications on every device protects your employees from threats and protects corporate data.
Finally, don’t let the workforce get complacent about security as they shift between work environments. Be alert that employees may take more risks while working remotely, and continue to reinforce WFH security best practices. The recent Twitter hack should be a reminder of what can happen when you let your guard down around security.