Ensuring enterprise security in a world of remote work.
It is critical during this time that business leaders support their organizations by formulating effective security strategies that consider the needs of a distributed workforce — not simply as part of the response to the crisis, but for the inevitable future of remote work.
In early April, the Cybersecurity and Infrastructure Security Agency (CISA; part of the U.S. Department of Homeland Security) and the UK’s National Cyber Security Centre issued a joint advisory, presenting evidence that malicious actors were actively taking advantage of the pandemic, targeting the anxieties of remote workers with phishing messages masquerading as advice and information regarding the coronavirus itself. Analysts have reported a huge volume of coronavirus-related phishing attacks — possibly the largest total collection of attacks around a theme to date.
As hackers capitalize on the crisis that has hundreds of thousands more Americans teleworking, it is clear that enterprise security is no longer a matter of defending clearly established perimeters. In a world where critical applications are delivered as services, shared data is the lifeblood of business. Factor in employees bringing their own devices and connecting to company services via ISPs and mobile networks, and there are simply too many routes into a typical corporate network for firewalls, white and blacklists, and similar approaches to do the job they once did.
As Christopher Spanton, Principal Architect, Emerging Technology Strategy for T-Mobile, points out, an effective strategy depends on managing three basic concepts:
1) Authentication (making sure users are who they claim to be)
2) Authorization (determining whether users should have access to the resources they are trying to access) and
3) Access control (the process that ensures that the right people have permission to access the right resources)
To enact such a strategy, every stakeholder — from IT manager to remote employee — must be aware of the importance of secure communications and must work together to ensure the systems they rely on remain safe.
Effective access control means, first and foremost, that IT teams need full visibility into the elements of the systems they oversee — from in-house servers and service providers that live in the cloud to company computers and employee-owned devices accessing company-owned systems — and they need to develop a strategy for installing security patches as quickly as possible.
“We need to train developers to code smarter, the business to design with privacy in mind and educate employees on secure data handling procedures.”
The most effective “hacks” have been instances of social engineering, typically beginning with phishing emails designed to get users to give up information they should not, whether that is a bit of personal information or the password to a corporate email account or VPN. To help protect those passwords, multi-factor authentication is essential — and best done via a dedicated application rather than by SMS messaging (SMS, while commonly used, has security limitations.). Employees must also be trained in the use of password managers and similar tools, and to recognize the signs of exploitative emails in the first place.
There is always some measure of friction with a secure solution (the success of phishing operations is based on the frustrations users feel with having to enter passwords), and anything managers can do to simplify the security measures employees must take to conduct business safely leads to a more secure environment for all. As Heffron puts it, “building safeguards and guardrails into products, systems and infrastructure can minimize the risk while being sympathetic to the way employees need to work."
Organizations have long used virtual private networks (VPNs) to safeguard their data. In a March alert, CISA warned of potential threats to remote access infrastructure: “As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.”
VPNs can enable remote workers to securely access critical data. But the marked increase in remote work has meant enterprises have rapidly rolled out remote access options to employees. This has caused some frustration for employees, which can potentially expose organizations to serious breaches should they be compromised. Employees must be trained to recognize the importance of using VPNs. In a recent poll conducted by CISO Mag, only 70 percent of respondents reported using their company VPNs while working from home.
Constant vigilance by IT is required. VPNs themselves are as subject to bugs as other software, opening the door to catastrophic exploits. Since a VPN provides trusted access to an enterprise network, an attacker who gains access to a user’s home system — via an insecure home router or a shared computer that is also used for gaming or streaming — and also manages to obtain log-on credentials could then go on to compromise an entire enterprise network. As CISA recommends, making sure VPN servers and clients are patched and up to date, constantly testing and the use of multi-factor authentication are key strategies in successful use of VPNs.
As the gateway for both personal and professional connectivity, providers have a significant role to play in both the transition to remote work and the maintenance of secure access. With more workers depending on home networks and mobile connections to accomplish mission-critical business tasks, it is critically important that carriers and ISPs be transparent about security threats.
ISPs and mobile carriers have risen to the challenge of COVID-19 with programs to help ensure connectivity. And they can also play a continuing role in finding ways to help safeguard their customers and enhancing their ability to conduct business securely from home.
As stay-at-home restrictions ease and the offices reopen, mobile networks can help with security solutions for workers to remain connected in more flexible work environments. For those who spend part of the week onsite, and move between a home office, remote locations and travel responsibilities, SIM authentication is more reliable and secure than connecting via unsecured Wi-Fi networks, which would require the configuration and use of a VPN for reasonable protection.
Even at home, teleworkers are often sharing their network with IoT devices, some with only lightweight security features or no protection at all — an unsuitable environment for critical business computing. However, LTE mobile hotspots can already offer more secure, SIM-authenticated connectivity for remote work than unsecured or public Wi-Fi. With the future of 5G, mobile networks will become more competitive with Wi-Fi in terms of speed and bandwidth, and the lower latency should enable better quality teleconferencing than is currently possible. This will be increasingly helpful for those working remotely beyond just their home environments.
The three major U.S. mobile providers are working collaboratively to build a platform with enhanced security via ZenKey, an identity solution that builds on mobile encryption and uses the data that carriers already possess about users and their devices to provide a portable, verifiable identity service that can be used in both business and personal applications.
As T-Mobile CIO & CPO Cody Sanford points out, “With ZenKey, every authentication request will combine carrier authentication and user authentication. Businesses that use BYOD solutions can use ZenKey to make sure that a verified employee — the person who registered the device in the first place — is logging into company services. And should they want to switch devices, they would not need to bring a new phone in to be provisioned, making the process even simpler."
Because of the COVID-19 crisis, the future of a distributed and remote workforce is upon us faster than many companies anticipated. And that means enterprises can no longer wait to upgrade their security measures for remote operations.
Originally appeared on CNBC.com.