We sat down with Demi Ben-Ari, CTO at Panorays, to discuss the cybersecurity risks of remote work facilitated by virtual environments.
The global spread of the COVID-19 coronavirus has had a notable impact on workplaces worldwide, and many organizations are encouraging employees to work from home. What are the cybersecurity implications of this shift?
Having a sizable amount of employees suddenly working remotely can be a major change for organizations and presents numerous problems with regard to cybersecurity.
One issue involves a lack of authentication and authorization. Because people are not seeing each other face-to-face, there is an increased need for two-factor authentication, monitoring access controls and creating strong passwords. There’s also a risk of increased attacks like phishing and malware, especially since employees will now likely receive an unprecedented amount of emails and online requests.
Moreover, remote working can effectively widen an organization’s attack surface. This is because employees who use their own devices for work can introduce new platforms and operating systems that require their own dedicated support and security. With so many devices being used, it’s likely that at least some will fall through the security cracks.
Finally, these same security considerations apply to an organization’s supply chain. This can be challenging, because often smaller companies lack the necessary know-how and human resources to implement necessary security measures. Hackers are aware of this and can start targeting third-party suppliers with the goal of penetrating upstream partners.
What are the hidden implications of human error?
With less effective communication, organizations are unquestionably more prone to human error. When you’re not sitting next to the person you work with, the chances of making configuration mistakes that will expose security gaps are much higher. These cyber gaps can then be exploited by malicious actors.
IT departments are especially prone to error because they are changing routine and must open internal systems to do external work. For example, because of the shift to a remote workplace, IT teams may have to introduce network and VPN configurations, new devices, ports and IT addresses. Such changes effectively result in a larger attack surface and create the possibility that something may be set up incorrectly when implementing these changes.
The fact that people are not working face-to-face exacerbates the situation: Because it’s harder to confirm someone’s identity, there’s more room for error.
What are the potential compliance implications of this huge increase in mobile working?
There’s greater risk, because employees are not on the organization’s network and the organization is not fully in control of their devices. Essentially, the organization has lost the security of being in a physical protected area. As a result, organizations also open themselves up to greater risk of not adequately complying with regulations that demand a certain level of cybersecurity.
Another compliance issue is related to change. For example, an organization may be certified for SOC2, but those controls may not remain in place with people working from home. Thus a major, sudden change like a mass remote workforce can unintentionally lead to noncompliance.
How can organizations efficiently evaluate new vendors, eliminate security gaps and continuously monitor their cyber posture?
As part of their third-party security strategy, organizations should take the following steps:
1. Map all vendors along with their relationship to the organization, including the type of data they access and process. For example, some vendors store and process sensitive data, while others might have access to update software code on the production environment.
2. Prioritize vendors’ criticality. Some vendors are considered more critical than others in terms of the business impact they pose, the technology relationship with an organization or even regulatory aspects. For example, a certain supplier might be processing all employee financial information while another supplier might be a graphic designer agency that runs posters of a marketing event.
3. Gain visibility and control over vendors. This can be accomplished by using a solution to thoroughly assess vendors, preferably with a combination of scanning the vendor’s attack service along with completion of security questionnaires. With the shift to remote working, organizations should also be sure to include questions that assess vendors’ preparedness for working at home.
4. Continuously monitor vendors’ security posture. Visibility and control require a scalable solution for the hundreds or even thousands of suppliers that organizations typically engage with these days. Organizations should ensure that their solution alerts of any changes in cyber posture and that they respond accordingly. For example, organizations may decide to limit access, or even completely close connections between the supplier and the organization’s environment.