As individuals, companies, and the country have adopted new ways of interacting to minimize risks from COVID-19, the use of remote access and telework has exploded. USTelecom, the Broadband Association, reported that network traffic in the first few weeks of the COVID-19 response increased as much as 27% over baseline. NCTA, a cable industry group, similarly reported an overall 30% increase of upstream traffic since March 1st. CenturyLink, where I work, has seen a 35% increase in overall traffic on our network as a result of COVID-19.
The shift to widespread telework allowed critical business operations to continue during stay-at-home orders and social distancing. As the nation starts to transition back to normal activity, many firms seem poised to make some remote work processes more permanent. Given the rapid transition to mass telework and the likely long-term nature of this phenomenon, it makes sense to take a moment to consider the risk implications of this new distributed work environment.
The home office brings unique risks to enterprises, starting with a relative lack of control over the devices your employees use to connect. Teleworkers generally connect over a home Wi-Fi or Ethernet router; further, many teleworkers also use personal computing devices and phones. This “Bring Your Own Device” (BYOD) environment lacks the focus and discipline around regularly performed system updates and patches that is characteristic of most corporate IT environments. Also, even well-patched home systems lack enterprise-level firewalls and other cyber threat detection and mitigation systems.
Unfortunately, these common vulnerabilities combine to make home users more susceptible to cyberattacks and data theft. In addition to the technical risks, the new telework environment opens up new social engineering opportunities as bad actors send phishing emails, set up fake websites, and even make phone calls masquerading as company leaders, IT and HR personnel, or COVID-related charitable organizations.
To minimize these risks, you should consider adopting a few core practices that can make a big difference in keeping your information assets secure:
1. Apply layered security controls
Leverage tools such as multi-factor authentication and data-at-rest encryption for devices that are outside of corporate control (e.g., desktop computers normally in company facilities). BYOD guidelines should be revisited and the relative costs and risks of BYOD vs. corporate equipment should be carefully considered.
2. Ensure regular communications and training
Conduct telework-specific training regarding cyber threats, and regularly communicate remote work risks and best practices, including how to update and patch home devices, to all employees. Companies should stress the importance of “cyber situational awareness” and encourage employees to refer suspicious cyber activity to their IT teams for investigation. When communities and companies return to more normal conditions, also provide proper training and policies regarding how to connect to corporate systems over publicly shared Wi-Fi and the dangers of physical theft, shoulder surfing, and eavesdropping when conducting business in a public space like a coffee shop or restaurant.
3. Balance operational needs with appropriate secure connection types
Particularly when rapidly transitioning to large-scale telework, companies should tier their functions to ensure the most secure connections are available for those who require them. When a corporate VPN connection is not necessary, encourage employees to access IT systems via portals and/or cloud applications. Where risks are controllable, consider making support functions such as corporate communications, HR, and IT helpdesk assistance accessible over non-VPN connections. Finally, strain on VPN resources can be further reduced by diverting non-secure traffic outside of the VPN using a technique known as split tunneling.
Like all major transformations, the sprint to telework and subsequent evolution of remote connectivity has created remarkable opportunities, in this case for business resilience and operational flexibility. But large changes often come with new risks and vulnerabilities, so security professionals should carefully assess this new environment and apply risk-based mitigations as appropriate to maintain their business operations.
Some further reading:
· Risk Management for Novel Coronavirus (COVID-19)
· Enterprise VPN Security
· COVID-19 Exploited by Malicious Cyber Actors
· Defending Against COVID-19 Cyber Scams
DHS CISA & NSA:
· Telework Best Practices (government employee focused)
National Institute of Standards and Technology:
· Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions