July 31, 2020

Are Current Work From Home Security Measures Enough?

Corey Williams, Vice President, Marketing, Idaptive

The COVID-19 pandemic has turned working from home from a perk to an everyday reality. These changes are permanent, and they require a new security perspective.


The chaos of the first few months of the COVID-19 pandemic required swift decision making and abrupt, earth-shaking changes to everything from the workplace to the grocery store. Although thoroughly disruptive, many of these changes - particularly in the case of a now largely remote workforce - were initially seen as temporary fixes. They would last a few weeks, perhaps, before things returned "to normal."

We are now well aware that "normal" is not coming back.

Those reactive quick fixes are now the first steps towards permanent change. Earlier this year, the share of job postings on ZipRecruiter that offered work from home was 1.3%. Since March, that share has risen to 11.3% and will only keep rising. Major tech companies like Facebook and Twitter have even gone so far as to institute permanent work from home positions.

Because the pandemic moved so swiftly and upended companies on so many levels, many had little choice but to opt for speed over security. Getting an entire workforce set up to function remotely - if that were even an option for the company - meant that corners had to be cut.

According to the CyberArk Remote Work study, 77% of remote workers admit they are using personal devices to access corporate systems. An additional 66% are utilizing potentially vulnerable communications platforms like Zoom and Microsoft Teams for corporate work and collaboration. A small but not insignificant number (37%) still save important passwords in browsers on their "work" computers.

"As more organizations extend work-from-home policies for the long term," says CyberArk CMO Marianne Budnik, "it's important to capture lessons learned from the initial phases of remote work and shape future cybersecurity strategies that don't require employees to make tradeoffs that could put their company at risk."

The dust is settling and the long-term view is coming into focus. The question now is, are companies actually doing enough to balance the convenience needed for remote work with the stringent protections required for corporate data?

Are IT Departments Doing Enough?

Perhaps the most confounding discovery from the CyberArk Remote Work study wasn't that remote workers aren't employing the strictest security measures; it was the glaring discrepancy between the mindset shared by an overwhelming number of IT professionals and the actual, tangible actions they have taken regarding WFH security.

During the first few months of the pandemic, some systems were exposed because developers made the conscious decision to opt for a friction-free experience over one that offered more security. The phenomenon known as "Zoombombing" was the most visible example - companies began wholesale adopting Zoom as their go-to meeting resource, only to find that nearly anyone could drop into a meeting with little or no barrier to access.

"Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce," says William Altman, Senior Analyst at the Global Cyber Center of NYC, operated by SOSA. "It's now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that's what this is all about."

Of the more than 3,000 IT professionals in the U.S., UK, France, and Germany surveyed for the CyberArk study, 94% expressed confidence in their ability to secure a remote workforce. However, only 40% have increased security protocols or made any other significant changes to their systems. Confidence will only get you so far, after all. The "attack surface" - the collective term for all the areas through which a system can be breached - has widened significantly for everyone during the pandemic. Resources are stretched and there are fewer centralized hubs for access.

Simply reducing the number of passwords your employees need through Single Sign-On authentication, or employing measures such as Multi-factor Authentication, App Gateway, and other forms of device security management, can help IT departments ensure stronger defenses without adding layers of friction to the sign-on experience (and without taxing their already stretched resources). The timeline towards Zero Trust security has been accelerated, but there are still a lot of details to be worked out for most companies.

Everyone Has to Do Their Part

Even after adopting SSO or MFA practices, IT departments have not eliminated the threat of breach - because, to paraphrase the urban legend, the calls are coming from inside the house. In other words, if you can't get your workers to change their habits, there's only so much adding these backend security measures can do.

Work habits have changed, and it goes a lot deeper than just forgoing pants on a video conference. Something about being at home makes people relaxed - which is a good thing for their mental health, but not so good for security on their work devices. Leaving browsers open, letting children Google homework help, online shopping during a boring meeting -- these habits can and do widen the attack surface even more.

“This forgetfulness when it comes to security can be especially true for those who are not used to working or learning at home: People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing,” says Colin Bastable, CEO of security awareness training company Lucy Security.

If the confidence most IT departments feel about their ability to secure multiple devices isn't backed up by a slight increase in friction at the access points -- and focused and consistent education on how corporate devices need to be handled in the wild -- then the new work from home reality should brace for even more cyberattacks than we’ve already seen.

One of the unintended consequences of the COVID-19 pandemic will likely be increased Zero Trust adoption that further embraces cloud services, reduces reliance on VPNs, and enables employees to truly work from anywhere with minimal disruption.

We have the confidence and know-how; we just need more action.


Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

 While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 

CHAMELEON-LIKE SUPERPOWER

If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”