How to Manage WFH Risks Through COVID-19 and Beyond

Work from home (WFH) brings many benefits to organizations, but it creates risks by virtually inviting cyberattacks along multiple vectors. This is NOT a call to stop WFH. It is a caution to shore up specific defenses.

WFH Risk: Technical Challenges Abound

WFH has enabled many organizations to continue operating during the pandemic. For many occupations and workgroups, it is the optimal way to work for both individual quality of life and the business bottom line. But not always.

Increased cyber risk is one of WFH’s downsides. For many of us, the transition to WFH and remote working literally happened overnight. Businesses had to cut corners to make remote working, well, work.

The following kinds of security deficiencies remain to be addressed:

  • Ill-equipped or personally owned devices used for WFH lack solid security controls.
  • Devices may be shared among family members, including schoolchildren.
  • Heightened vulnerability to social engineering attacks, such as phishing, due to employees’ distraction or changing routines and processes.
  • Access control changes, including reduced network perimeter protections.
  • Increased privileged access grants to users or administrators and new forms of privileged access.

Symptoms of Governance Issues

Many organizations also manifest these deficiencies amid the ungoverned adoption of cloud services. Along with VPNs, the cloud’s become our digital lifeline. WFH happens in the cloud. Businesses are subscribing to additional services or moving existing ones to the cloud at an accelerated pace. Often, they lack an overarching IT strategy or cloud security architecture.

Cloud security deficiencies are symptoms of larger issues. In my new book, “Rational Cybersecurity for Business,” I call the belief that security is just a technical issue the No. 1 Cybersecurity Myth. To solve cloud security, organizations must develop a third-party risk management program within a security governance framework. This is all about aligning business and security leaders on how to adopt, use and manage the technology.

Addressing WFH Risks: What You Need To Do

To further reduce WFH risks, we have to stop operating as if WFH were temporary. Organizations in lines of business as diverse as Twitter, Nationwide Insurance and Morgan Stanley have announced it could become their permanent way of working. At the very least, continuing pandemic concerns mean even organizations that aren’t fans of WFH won’t be able to bring all the work back into their buildings anytime soon.

Equip Users to Work Securely From Home

If you are permitting staff to access company IT resources from personally owned equipment, you need a bring your own device (BYOD) program. Deploy mobile device management, endpoint security, email security and other tools that can work in a BYOD context.

Once again, BYOD isn’t just about the technology. User awareness of an organization’s Acceptable Use Policy, the basic cybersecurity risks and good safety practices for working online is key. Invest in security awareness and training!

Enable MFA as Broadly as Possible

Multi-factor authentication (MFA) is available from cloud security services such as Microsoft, Google, Amazon and others. Because user accounts in the cloud are exposed to web access and phishing attacks are ubiquitous, misuse of captured credentials is considered the No. 1 breach cause. Having a second authentication factor (such as a phone or one-time passcode-generating token) that’s independent of the user’s primary working device reduces the risk of credential misuse by more than 95%.

Authentication is also part of identity and access management (IAM). IAM in turn is a core feature of a zero trust architecture, and that is what we need in the online cloud world.

Close Privileged Attack Vectors

When they make quick fixes, technical teams tend to cut corners. They remove firewall rules that protect the perimeter. They increase administrative privilege levels or create new privileged accounts. They migrate to new cloud services from new suppliers.

WFH, hollowed-out central IT teams and a shifting cast of outsourced vendor support characters pose additional risk. Users and vendors working from home not only access your sensitive or mission-critical business systems, but they also maintain them. It’s imperative for businesses to build out the harder bits of the zero trust architecture, which mostly have to do not with authentication, but authorization.

Businesses must evolve their IAM strategy to decompose IT roles into more of a least-privilege model.

Learn From Twitter’s Debacle

Many suspect that the recent hacks on the Elon Musk, Bill Gates and Jim Bezos Twitter accounts began by compromising Twitter’s privileged administrator accounts. This is, after all, one of the most obvious ways a cyberattacker could bypass the two-factor authentication sophisticated VIPs like these tend to have on Twitter.

Twitter’s not talking, but privileged accounts may have been exposed via the WFH model Twitter itself espouses. Hypothetically, Twitter could have saved itself a lot of trouble by deploying a privileged account management (PAM) system and/or by increasing the separation of duty requirements for high-value account administration. For example, a different administrator role could have been required to disable a Twitter user’s two-factor authentication setting than to reset a Twitter user’s password.
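
The separation-of-duty idea above can be checked mechanically against an organization's role assignments. The following is an added example, not code from the article or from Twitter; every role, permission and administrator name in it is constructed for illustration. It flags both roles that bundle the two sensitive permissions and administrators who accumulate them through multiple roles.

```python
# Added illustration: audit admin role assignments for separation-of-duty (SoD)
# conflicts. All role, permission and admin names are constructed.

# Permission pairs that no single administrator may hold together.
SOD_CONFLICTS = [("account.disable_2fa", "account.reset_password")]

# Constructed role catalogue: role -> permissions it grants.
ROLES = {
    "support_tier1": {"account.view", "account.reset_password"},
    "mfa_recovery": {"account.view", "account.disable_2fa"},
    "legacy_superadmin": {"account.view", "account.reset_password",
                          "account.disable_2fa"},
}

# Constructed assignments: administrator -> roles held.
ASSIGNMENTS = {
    "alice": ["support_tier1"],
    "bob": ["mfa_recovery"],
    "carol": ["support_tier1", "mfa_recovery"],  # conflict via accumulation
    "dave": ["legacy_superadmin"],               # conflict inside one role
}


def violated(perms, conflicts):
    """Return the conflict pairs fully contained in a permission set."""
    return [pair for pair in conflicts if set(pair) <= perms]


def conflicting_roles(roles, conflicts):
    """Roles that bundle both halves of a conflict and should be split."""
    return sorted(r for r, perms in roles.items() if violated(perms, conflicts))


def sod_violations(assignments, roles, conflicts):
    """Map each administrator to the conflict pairs they effectively hold."""
    findings = {}
    for admin, held in assignments.items():
        unknown = [r for r in held if r not in roles]
        if unknown:
            raise ValueError(f"{admin} holds undefined role(s): {unknown}")
        effective = set().union(*(roles[r] for r in held))
        pairs = violated(effective, conflicts)
        if pairs:
            findings[admin] = pairs
    return findings


if __name__ == "__main__":
    print("roles to split:", conflicting_roles(ROLES, SOD_CONFLICTS))
    for admin, pairs in sod_violations(ASSIGNMENTS, ROLES, SOD_CONFLICTS).items():
        print(f"{admin}: holds both {pairs}")
```

Running a check like this on every role or assignment change catches the accumulation case, which a review of individual role definitions alone would miss.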

WFH Risks: Bottom Line

The reason not all companies have PAM systems, least privilege models and a cloud security strategy is that they lack a mature security governance model or rational cybersecurity. WFH, remote access and digital transformation have exposed multiple security deficiencies. Businesses need to act to correct these deficiencies both by deploying controls such as MFA and through more comprehensive security program governance.

Dan Blum

Dan Blum is Managing Partner and Principal Consultant at Security Architects. An internationally-recognized expert in security, privacy, cloud computing and identity management, Dan Blum develops Security Architects Partners’ business partnerships, creates content and leads consulting engagements. Formerly, he was a Golden Quill award-winning VP and Distinguished Analyst at Gartner and one of the founding partners of Burton Group. As a Principal Consultant at Security Architects Partners and formerly at Gartner, he has led or contributed to projects such as:

  • Cloud security and privacy assessment for a pharmaceutical company with a global customer base
  • Full security assessment for a large U.S. health care network following negative audit results
  • Security organization review for a major university
  • Full security architecture for a large U.S. power company
  • Independent evaluation of the U.S. government’s E-Authentication Program
  • Directory services architecture for a Swiss bank
  • Full security assessment for a Fortune 100 technology company
  • Identity management and PKI architectures for a large pharmaceutical

Recently honored as a Privacy by Design Ambassador, Dan has authored 2 books, written for numerous publications and participated in standards groups such as CSA, ISACA, OASIS and others.