Recent events have forced many organizations to require their workforces to operate from their homes. For some employees, this is nothing new, but for those who regularly interact with high-risk and controlled data and systems, remote work is a new and challenging operating model that requires adjustments to work behaviors. Setting realistic security and privacy expectations, backed by effective oversight and assurance methods, helps ensure that remote workers continue to meet information risk management, security and privacy expectations while retaining the flexibility needed to operate effectively at home. The following are five key considerations when securing a remote workforce:
- Working from home creates opportunities for new threats and vulnerabilities that must be evaluated. Many organizations had to undertake considerable efforts in extraordinarily short time frames to provide their remote workforce access to the data and systems needed to be productive. This did not allow time for comprehensive threat analysis and, as a result, attackers quickly adapted their methods to exploit the inherent weaknesses of work-from-home environments. With tools such as the Shodan search engine, which indexes Internet-exposed services and can reveal reachable, often unpatched devices on home networks, adversaries have systematically been attacking home routers, Internet of Things (IoT) devices (e.g., smart televisions, digital video recorders [DVRs]), printers and other computing devices. Once compromised, these devices can be used for distributed denial-of-service (DDoS) attacks, ransomware and malware delivery, and as a foothold from which to monitor home network traffic or pivot to the enterprise-owned device on the same network. To combat these threats, it is important to apply the same threat modeling and vulnerability analysis techniques used in enterprise environments to the home environment, drawing on existing case studies and thoughtful analysis rather than assuming the home network is out of scope.
- Conducting virtual site reviews for high-risk or concerned workers is essential. Audit and security professionals can help high-risk workers identify and remediate security and privacy deficiencies in their work-from-home environments using virtual risk and security site reviews. By having a guided and targeted video conversation with the home worker, security professionals can help remote workers identify and mitigate risk in their home work areas. Some common risk examples that are often identified in virtual site reviews are sensitive materials scattered across a work environment, windows where unauthorized individuals may be able to see information displayed on screens without the worker’s knowledge, open work areas where family members and random individuals could easily overhear conversations and view materials without restriction, and items that may divulge private details about a worker or their family that an adversary could use as part of a targeted attack.
- Incorporating work-from-home considerations into security awareness training benefits everyone. Security awareness training has become an expected practice for many organizations, but the training materials often lack remote-work-oriented content. Security awareness training should be updated to reflect remote-work-specific guidance and requirements. If an organization can introduce content to the home worker that is beneficial to them both professionally and personally, they are more likely to follow and even embrace the guidance. As a result, remote workers will often intuitively improve their overall security posture while operating in a work-from-home environment. For example, helping users understand the importance of keeping their home-network-connected devices updated with the latest security patches, using WPA2 or WPA3 encryption with a strong passphrase on their home wireless network, and changing the router's default administrative password and disabling remote (Internet-facing) administration can strengthen their overall security posture.
- Providing guidance without creating liability should be prioritized. Risk and security professionals are often restricted in terms of the guidance they can provide a remote worker due to potential liabilities. To mitigate this liability risk, an organization's legal counsel will typically advise risk and security professionals to provide assistance only for organization-owned assets or devices that are operating in the work-from-home environment. Unfortunately, limiting guidance to these systems alone can increase security and privacy risk. A common example is a personal computer on the home network that is compromised by an attacker and then used to attack the organization's computing asset on the same network or to monitor its network traffic. To reduce these liabilities, risk and security professionals can educate users about security best practices and common work-from-home threats and provide guidance about when and where to find assistance from the technology manufacturer. By pointing users to trusted third parties rather than directly interacting with personal computing devices, the organization limits its liability while still enabling the user to strengthen the security posture of their work-from-home environment. This in turn strengthens the security of enterprise-owned devices operating there.
- Promoting good information security hygiene for work-from-home environments reduces threats. Good information security hygiene focuses on foundational and typically unsophisticated capabilities that must be regularly attended to and can dramatically reduce the threat and vulnerability surface area of a remote work environment. Examples of security hygiene activities that both an organization and a remote worker can actively follow include the following:
- Patching, updating and configuration hardening of an organization's technical assets and of the personally owned technical assets operating on the same networks in the work-from-home environment
- Following clean desk, work area and whiteboard practices where the environment is cleansed at the end of each workday
- Consistent use of privacy screens on monitors and displays where sensitive data are or could be displayed
- The use of a work area separated from the general home environment, with lockable doors or barriers to prevent unauthorized individuals from entering the work-from-home area at inopportune times
- Use of strong, unique passwords and multifactor authentication, where possible, for access to enterprise and home environment technology assets, with passwords changed promptly whenever compromise is suspected (current NIST SP 800-63B guidance favors changing passwords on evidence of compromise rather than on a fixed schedule)
- Logging off or locking computing displays whenever they are left unattended, rather than relying on the idle-timeout lock to engage
The work-from-home operating model and environment creates new threats and vulnerabilities for both the organization and its employees. Adversaries are quickly adjusting their attack methods to leverage what they perceive as limited security and privacy capabilities. Organizations that work collaboratively with their remote employees can effectively identify, mitigate and remediate potential security and privacy threats while minimizing intrusions and impacts into the personal lives and home environments of their workers.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP is the president of IP Architects LLC.