Remote workers present a new security threat in the age of COVID-19

May 26, 2020
Why the new work from home paradigm brought about by the pandemic has given rise to a new set of challenges for businesses

The onset of the COVID-19 pandemic has created unprecedented challenges for organizations as many employees have transitioned to working out of their homes. This is a significant issue with regards to the efficiency and effectiveness of those who have never been in a position where they have not been directly supervised and it can be a daunting task for executive management teams – both procedurally and technologically.  Most organizations have built management systems and technology infrastructure to support operations within the four walls of their facilities they work in but not extensively outside those walls. 

Of course, the human factor was always the one equation that was very challenging and difficult to control.  Well, I’m sorry to say… welcome to Armageddon. With this dramatic shift in workforce to home we now have many imminent problems that will arise. 

The Technological Gap at Home

Technology that has been developed to communicate on a local area network (LAN) typically has been either designed or evolved infrastructure with firewalls, cyber tool and rules sets built to define and recognize and resolve vulnerabilities, otherwise referred to as a “kill-chain.”  These vulnerabilities could easily be detected and quarantined.  Most organizations have an established process of internal communication as well as segmentation, at least for those who have evolved to a more mature IT posture.

In the wake of the coronavirus outbreak, you now have a workforce that no longer is protected by the infrastructures we created internally to protect the business from the internal users.  When employees do not have all their familiar “workspace” technology, especially the communication technology necessary to securely connect to the internal network, this becomes a recipe for disaster.  Reflexively, the inexpensive and quick solution is using a router attached to Wi-Fi, which was previously thought to be good enough. 

I really don’t think it’s a great idea to stream the intellectual property of a business over an unsecured Wi-Fi network with a password “MYDOGGYISPRETTY1234,” especially when their dog’s name is “Pretty” and their children have posted this on every social networking chat room for the past three years. Out of necessity, companies are having their employees sign into the VPN from home; however, they are using the family Wi-Fi router which is still a recipe for disaster.

Many organizations do not have dedicated laptops to send home with employees with secured encryption to protect data at rest. The reality is that on their personal laptop, workers have either accidently or intentionally watched hours of very questionable content or have let their kids play every free, downloadable game from the internet that has viruses and backdoors to every nation state syndicate and hacker in the Deep Web.

Policy and Procedure Adherence

Policies and procedures that have been built by companies as part of disaster recovery plans, compliance requirements, continuity of operation plans, risk mitigation strategies and business continuity plans were rarely built for work at home. The major issue is that most organizations do not have policies established to run a business from afar, nor do they have procedures that allow for proper guidance by managers or executives from a distance.  As we move into months two, three, and four of this difficult and horrible event in world history, business executive will begin the process of finding effective ways to manage, but without the policies and procedures to do so, there will be an imminent struggle with following his or her guidance. 

With regards to regulated markets such as energy, banking, or manufacturing, you must follow policies and procedures set forth by customers and governing bodies.  Although there is an immediate relaxing and lack of concern for regulations since everyone is in triage mode, organizations will inevitably be held responsible for any breaches that occur due to a lack of adherence. Inevitably, if the technology gap cannot be solved; how can managers implement workspace policy and procedures for remote workers that will meet compliance standards?

Human Inconsistency

Unfortunately, the work at home human factor also is the greatest weakness in productivity and proficiency. The issue is connectivity and the answer now is Webex, Microsoft Teams, Go to Meeting, Zoom, Skype and others.  Unfortunately, this too becomes a minefield since most employees do not have the proficiency to operate in this environment securely.  Most of the time they begin loading the site with as many slide decks, Excel sheets, and manufacturing diagrams as they can so they can bring them up to share with their colleagues from home. That’s admirable, however; how does a supervisor manage the workspace rules remotely, especially as it pertains to company intellectual property?

The human tendency at home is to be lazy and would prefer to take as many shortcuts as possible to get the job done. To be honest, the 15% of your workforce that always works remotely, does not always dress properly, does not always follow policy and procedures, and over time, does become more tech-savvy and secure. But the numbers are lower so the risk is lower. Now the math says you’re in trouble.

Nonetheless, it is obvious we are in a heap of “you know what,” but there are solutions that you can deploy today, including:

1). Ensure that a secured communication infrastructure is immediately deployed.

          a. Assign company laptops to defined groups.

          b. Use MiFi communications when large data files are not required.

          c. Consider private cellular networks (new and effective with the coming of 5G) 

2). Employees must have multi-factor authentication (MFA) permissions turned on with hopefully some form of challenge question attached to a separate device, such as a phone. By having all remote employees doing this, you are creating a work at home culture and discipline that allows supervisors to better manage and challenge compliance.

3). The employer must immediately create a security awareness program that has employees go through a tutorial of work-from-home rules daily, such as not clicking on any attachments unless you challenge the sender. This creates a way for supervisors to monitor work at home discipline improvement.

4). I would toggle up the firewalls and sniffers on all your systems to make it inconvenient as possible for your work at home employee to receive emails that are flagged by the business entity.

5). Reevaluate your permissions structures within your remote employee groupings. Segment whenever possible.

These basic rules will dramatically improve your liability posture and may just save your network and your business from ransomware attacks.  The age-old triumvirate of people, process and technology, which are the key elements in converged thought and operations, is the real answer for today.  If you were not already, you are now part of that converged world. COVID-19 just made sure of that.

About the Author: 

Pierre Bourgeix is President of ESI Convergent in Cleveland, Ohio. ESI Convergent is a management consulting firm focused on helping companies assess and define the use of people, process, and technology within the physical and cyber security arena. The company was formed to not only help end users but also manufacturers in defining the proper strategy to drive products successfully into the marketplace. As a thought leader in the Security Industry, Bourgeix has helped companies successfully launch and position products and solutions globally. He is also an Enterprise Consultant Manager for Boon Edam.