Organizations seeking to protect their data have been forced to undergo a radical shift in their thinking since the COVID-19 pandemic hit. Before, they could focus on making their buildings and networks cyber “fortresses” and keep most of their efforts centered around virtually securing their networks and physically securing their buildings. This has all changed with many employees working from home and an increase in the number and prevalence of distributed teams — which has in turn resulted in greater risk. The biggest security flaw of distributed teams? The lack of protection for employees and devices in this new post-perimeter world.
More Opportunities…For Attackers
With more employees working from home, bad actors have seen a substantial increase in the attack surface available to them. Before COVID-19, threats were focused on attacking the fortress’ front doors, through phishing campaigns or close access attacks, and organizations have spent billions to protect their employees and devices at work. Now, though, those employees and devices have walked right out of the fortress, which makes them much more difficult to protect. Bad actors can attack a home Wi-Fi network that’s secured by a weak password — or worse, no password. They can focus their efforts on public Wi-Fi networks or gaining access to a device through the Internet of Things (IoT). The point is, agencies and organizations can no longer be content with just securing their workspaces.
MORE FOR YOU
Another day, another data breach — here’s the number one thing you can do to actually protect yourself
Protections to Consider
Securing a device means protecting the device while it’s in-network. When an employee is accessing the network remotely, is it the organization’s responsibility to secure the employee’s home network as well? Even if the organization is willing to take on this added cost, the employee would be justified in bringing up privacy concerns. Ultimately, this question is up to an organization’s risk assessment and the risks they are willing to tolerate, but it is a difficult decision nonetheless.
Another way organizations can protect their data is to install mobile device management software on their employees’ devices. These types of software can ensure devices have the latest operating system versions, stay up-to-date on security patches, and help quarantine devices that haven’t checked in to the network for a specified amount of time. Again, mobile device management is a difficult issue when employees are using their own devices to access sensitive data. These employees are right to be concerned about the amount of personal data their employer is able to access through device managers, but at the same time, organizations have a responsibility to protect their data from threats.
Two more security measures organizations should consider are virtual private networks (VPNs) and multi-factor authentication (MFA). VPNs are mainly used to secure access to shared resources, such as file shares, but secondary VPNs can be installed on systems that secure employee data as it travels over an unsecured internet connection. They can be beneficial for helping secure devices that are using home Wi-Fi networks.
MFA involves verifying an employee’s identity by requiring an additional step when logging into a specific resource, usually in the form of a one-time password emailed or texted to the employee. MFA works on the premise that adding an additional authentication factor makes it more difficult for a bad actor to assume a trusted network user’s identity. While it is by no means fool-proof, MFA can be a powerful way for organizations to ensure only the right people are accessing their data.
An organization’s plan for overcoming this security flaw of distributed teams should be based on a comprehensive risk assessment. Each organization’s plan will be different because the severity of vulnerabilities brought on by remote work will vary. This risk assessment can be carried out by an independent firm or internally. Once they determine where their greatest areas of risk lie, what exactly they’re trying to protect, and how much cost they are willing to incur to fix the vulnerabilities, they should determine which products and software they need to secure their post-perimeter devices. While this will not completely handle the security flaws that come with distributed teams, it does enable an organization to harden themselves and their assets against attack.