The Future of Work: WFH Changing Cybersecurity
As we hit the six-month point of work from home (WFH) orders and seven months since COVID-19 first knowingly made its appearance in the U.S., workplaces continue to struggle with many uncertainties. But one thing we know for sure is the virus has changed everything about securing the workforce. This means that all we once assumed about how organizations functioned securely has shifted. What impact will this new cybersecurity normal have on the future of the way companies and employees work?
That was one of the questions posed during a pre-Black Hat USA roundtable called “The Future of Work: The Biggest Threats to a New 21st Century Work Life,” with panelists Mor Levi, researcher/VP of Global Security Services, Cybereason; Jadee Hanson, CISO, Code42; Dan Conrad, field strategist, One Identity; and Maha Pula, VP of Solutions Engineering, Akamai.
Y2K in 2020
When businesses began sending their employees to their dining room offices, there was an expectation that most organizations had a sound grip on cybersecurity practices and would be able to easily move security and IT into a remote work setting. However, that isn’t even close to what really happened.
Remember Y2K, Pula asked, and how that was to impact our networks and computing? Those changes have finally shown up, 20 years later. COVID-19 changed the paradigm, she said, and the lines that once separated home from office are blurred.
And we’re going to be in this state for the foreseeable future, Hanson added. “As CIO, I want to make sure the employees have the right technology to do their job in this particular environment.” She also has to make sure that her team has a good understanding of the security challenges that are facing the WFH landscape. “We’ve been looking a lot more at the endpoint as the source of visibility into user actions.”
WFH and the Future of Security Awareness
Security awareness has gotten more visibility in the WFH environment, with an increasing attack surface and a workforce that has to be more self-reliant when it comes to securing their devices and home networks, as well as recognizing the increase of threats designed to take advantage of virus fears and stuck-at-home boredom.
That’s why the approach to security awareness should be cultural, said Hanson, and it should happen constantly. For example, if her team notices an employee sharing something that could be malicious or with someone without proper privileges, they reach out to that employee and provide guidance on proper procedures. It might be more difficult to approach security this way remotely, but making it a culture rather than a once-a-year or once-a-month training chore will build a security mindset as remote work becomes the norm rather than the exception.
The largest threat to a quickly changing workforce is the awareness perspective, added Conrad, and we can’t expect employees to practice good security if they aren’t aware of the dangers of working from home. “When you authenticate, when you VPN, you extend the company network to your home network that could be riddled with malware,” he said. “If they aren’t aware of that, we can’t expect a lot of awareness from them. They have to understand why they need a VPN.”
Biggest Threats Going Forward
Expect ransomware and phishing to be the worst security problems going forward. “The impact of ransomware is much bigger,” said Levi. “Now that endpoints and laptops are encrypted, and you have hundreds or thousands of these devices, IT has to struggle to make sure that attacks aren’t spreading.”
There’s also been an increase in extortion attacks against enterprises. More phishing attacks are focused on SaaS applications such as Microsoft 365 to harvest enterprise credentials that can be used by bad actors to infiltrate corporate networks and applications. This is putting a crimp into organizations to make these applications available to WFH workers.
The pandemic and remote work have forced organizations to rethink cybersecurity. But this isn’t a bad thing.
Wherever there is risk, there is opportunity, said Levi. COVID-19 presents both. There are risks from the privacy of the employee and the security around the new perimeter. On the other hand, this offers the opportunity to try new security technologies introduced that are geared specifically for remote workers. And that’s where the future of work in the time of COVID-19 will lead us.
