The pandemic has likely forever changed how and where work will get done. Vestiges of the unprecedented worker migration from offices to homes are likely to remain far past the pandemic. That is, at least in part, due to worker preferences. According to a Pew Research report, 54% of work from home (WFH) employees would rather not return to the office after the coronavirus outbreak ends.
This points to a prevailing satisfaction with working conditions at home, which IT departments everywhere should be proud to see. After all, IT had to make this mass migration work on the fly, with almost no warning or time to prepare and with an overwhelming mission of keeping the company profitable while they did it.
Unfortunately, employees working from the comfort and protection of their own homes were not the only ones enjoying the change in the workplace. Bad actors saw extraordinary opportunities to hack, attack and fleece both employers and employees as IT resources moved with employees from a centralized to distributed model.
IT battles new and expanded WFH attack surfaces
According to a Deloitte report, “working from home is becoming a gateway to new forms of data theft.”
However, the security issues do not all stem from attackers. WFH employees pose potential security threats too. Some are familiar concerns, such as insider threats, but others are unique to the circumstance, such as data hoarding on home devices.
In the Deloitte survey, 26% of respondents admitted to being tempted to keep copies of valuable company data in case the pandemic impact worsens and the company becomes insolvent or they lose their job. Generally, those data copies are not secured, leaving the company vulnerable to attack even if the employee means no harm.
While IT was previously well-versed in the hazards that remote workers present, that hard-won experience was centered on covering work sprints as employees and executives traveled. The pandemic-fueled WFH scenario is more like supporting and securing an extended marathon, without overtiring and discouraging the runners.
According to the Deloitte report, “one in 10 complain that they are less productive” because of security measures imposed in their home environments. The researchers found “specific problems include access to data, a poor VPN connection, limited access to software tools that they have been using for years privately, and not being allowed to use their own printer.”
One long and hard year later, IT has learned a lot about what it takes to secure WFH employees. Here are the top five security issues that must always be proactively addressed or defended on the home fronts.
1. Employee-forged security workarounds.
When WFH employees experience or perceive a lag in their work due to security measures, they’ll often find a way to workaround those measures rather than comply with security protocols. For example, they may use their home ISP and skip signing on to the company VPN. Or they may use consumer tools rather than corporate tools to speed their progress.
Forrester recommends IT departments end this dangerous practice by using an app-centric approach to security. “To protect company assets that are being accessed on personal devices, invest in app-based solutions such as app virtualization, app containers, and app security that enable security professionals to deemphasize device-centric endpoint protection,” advise Forrester analysts.
2. Noncompliance on updates and patching.
Employees working at home face many distractions from barking dogs and constant deliveries to home schooling duties and a lack of childcare. When these distractions are heaped onto their already-busy work schedule, something has to give. Usually that “something” is routine security measures, such as applying patches or authorizing application or operating system updates.
Forrester recommends IT departments use unified endpoint management (UEM) platforms to simplify and manage security update rollouts and to remotely patch assets across the various operating systems. The analysts say that UEM platforms also “allow the security team to manage native security capabilities, gain greater visibility across devices, and enforce encryption standards across OSes.”
3. Cloud services solely dependent on vendor promises.
Deloitte warns that “many solutions were rolled out under enormous time pressure at the beginning of the crisis” and they were, by necessity, almost entirely dependent on vendors for security. Now that there is a little more breathing room, Deloitte analysts say “IT staff needs to ensure effectiveness of security controls” in all newly-deployed solutions.
4. Haste made waste and costly mistakes — everywhere.
It’s understandable that security mistakes were made by WFH employees too in their haste to move their work home. But now, says Deloitte, is the time to “step up security monitoring of both devices and users to enable companies to proactively identify and correct mistakes made by users in managing sensitive data.”
5. Backup and Recovery frozen in time.
Also, in the haste to disburse the workforce, backup and recovery processes, many of them automated, were left on pre-pandemic settings. But things may have fallen through the cracks with all the many changes now in place. Now is the time to revisit disaster recovery (DR) and business continuity (BC) plans and protocols.
Companies should now take the time to “assess capability and capacity to recover from catastrophic cyber-attacks effectively, such as a widespread ransomware attack. This includes the capability to get the entire IT infrastructure back up and running as soon as possible after such an event,” according to the Deloitte report.
In general, it’s now time for IT to review all the changes the pandemic brought, with an eye towards their increased and continued security. Further, it is prudent to also assess the changes for their usefulness as part, or all, of the workforce returns to corporate workspaces. Some workers are likely to continue to work from home while others will work remotely as business travel resumes.
In a nutshell, while the pandemic will pass and the economy will resume, IT cannot continue to protect its “business as usual” models; what worked before is increasingly no longer good enough to defend your company’s most important assets.