The Evolution of Cybersecurity: The Risks of Working from Home – A Zero Trust Approach (Part 4)
Whether it be improved flexibility or improved productivity, working remotely entails a variety of added benefits. However, there are cybersecurity risks which accompany these benefits. This entry in The Evolution of Cybersecurity series will detail what the risks associated with working from home are, the threats cybercriminals employ, and how a zero trust approach can help in their mitigation.
If an employee does work remotely then to accomplish their objectives they require access to the same information and applications as they would if they were working in the office. However, this doesn’t entail that they bring the same computer or desk phone with them. Instead, when working remotely it is often possible to use any digital device. Accordingly, many people use their personal devices for work related tasks. Typically, an online portal is available to all employees which, when successfully logged in to using any digital device, grants access to the desired digital services necessary to complete work.
Ultimately, you’re all set for remote work if you can equip your personal computer with the same productivity applications as what would be on your office computer. Additionally, leveraging the mobile capability of your smartphone doesn’t seem to hurt either, because after-all it probably reduces your likelihood of missing any messages from your boss or coworkers.
Unfortunately, this convenience comes with a trade off. Personal devices often don’t have the same level of security as those devices which are provided by an employer. It is simply easier to regulate cybersecurity on devices which are corporately owned, as the data management is centralized to a limited number of devices. Accordingly, for a corporately owned computer or office phone, an IT team is granted access and can verify that the necessary firewall is operational, that the cybersecurity policies for technology are being followed, and that the computer hasn’t been compromised in any way. On this note, detecting whether or not vulnerabilities exist or whether a breach has occurred is streamlined, as the IT team will be familiar with the existing hardware and software.
On the other hand, allowing employees to use their own devices for work related tasks opens the floodgates for all sorts of hardware and software to be added to the significantly larger toolbox—much of which the IT team is unfamiliar with. Most importantly, the IT team is often not granted access to these personal devices to oversee their cybersecurity, meaning it lies solely in the hands of the employees. However, unless the employees exhibit similar expertise to the cybersecurity professionals, this could leave the company in an inferior state of security. Therefore, it is recommended that employees should prioritize using employer-issued devices wherever possible, as they are often managed internally by a knowledgeable IT team.
Despite this, it is still very often the case that employees are either not supplied with, or choose not to use, corporately owned devices. Regardless if this is so, there are a variety of device management practices which one should concern themself with if they are to improve their cybersecurity proficiency. Accordingly, here is a list of some of the primary risks associated with working remotely which one should be personally interested in mitigating:
- Failing to ensure devices are updated. Updates are often rolled out to combat ongoing security threats and to patch vulnerabilities in the operating system. Failing to ensure one’s device is up-to-date could result in an unnecessary breach. Furthermore, if an attack does occur, and sensitive information is stolen or damaged, then one’s disregard for keeping their device well-maintained may be considered negligence. Therefore, one should be obligated to keep their devices in the best shape.
- Becoming a victim of suspicious links and files. Threats are often disguised. Educating oneself on what malicious content usually looks like is a step in the right direction. If you can bring yourself to be aware of the tricks which cybercriminals employ, then you’ll be in better shape for when you’re filtering through unfamiliar files.
- Adopting poor passphrases. Gone are the days of using your pet’s name as a password. This is simply insufficient. Instead, experts say that using a lengthy, arbitrary, mixture of characters is best. Furthermore, using unique passphrases for every account is ideal, as that way if one account is compromised it doesn’t result in a domino effect with other accounts.
- Forgetting multi-factor authentication. As the last entry to The Evolution of Cybersecurity series would suggest, multi-factor authentication (MFA) is a crucial addition to anyone’s cybersecurity strategy. Implementing some form of multi-factor authentication, whether it be based on knowledge, such as a password you remember; possession, like an authentication token sent to your phone; or inherence, which uses biometrics, MFA immediately raises the quality of one’s endpoint security.
- Lacking physical security. When working remotely it is important that one treats their personal computer like a vault—one which they shouldn’t leave the door open to. This means that, if needed, you should configure the device so that a keycode is necessary for entry. This assists with ensuring that you’re the only person who is able to enter. However, you should also consider the possibility that someone may outright steal the device, especially if it is sometimes located in public places. To mitigate this risk, it is important to always accompany your devices when outside of your home or office. Furthermore, downloading a backup of your data is an important component of being secure.
- Lacking virtual security. Failing to uphold a certain standard of cybersecurity can deteriorate a company’s reputation. Implementing a firewall, which acts as a barrier that monitors network traffic and filters out suspicious activity, along with endpoint protection software, which monitors applications and identifies ransomware, spyware, viruses and so on, is the most fundamental necessity of cybersecurity. The understanding which people have regarding what constitutes sufficient cybersecurity is likely to vary, and especially when working remotely it is important to remain in-the-know when it comes to modern virtual security practices and standards. Recall that the first two entries in The Evolution of Cyber Security series cover this area specifically and are insightful in this regard.
The United States Cybersecurity and Infrastructure Security Agency claims that accounting for these risks is necessary for good “cyber hygiene”. In order to grasp why it is important to mitigate these risks, one should also consider the various threats which cybercriminals employ, which take advantage of these sorts of vulnerabilities. As such, here are some of the most common cybercriminal practices which concern remote workers:
- Phishing This is where criminals impersonate either a person or an organization, which you are familiar with, to try and trick you into sending them private information. Typically, this is done via email or text messaging. Recently, targeted phishing ploys have gotten so realistic that it has become extremely difficult to decipher between what is real and what is fake.
- Ransomware Criminals will prevent access to a specific service or to specific data until a requested payment is made.
- Eavesdropping Live VoIP conversations can be tapped into, and audio transcripts can be stolen.
- Malware Comes in a variety of forms which makes it difficult to identify and performs virtually any action as desired by the sender—ranging from theft, to observation, to destruction.
To eliminate risks and prepare oneself for these threats, and overall to gain the upperhand in the realm of cybersecurity, one can adopt a zero trust model. The first principle of this model entails that an organization assumes that all network traffic, both inside and outside their borders, has the potential to be harmful. This is known as the assume breach mindset. Accordingly, it is recommended that an organization’s system be segmented, that data transference is encrypted, and that all activity is monitored. Thus, in the event that a user or entity does perform a harmful action, whether intentional or not, the blast radius will be minimized and the damage is identified. Of course, collecting analytics is beneficial in this regard to supplement one’s understanding with more insight regarding the nature of the breach.
By default, when it comes to authentication, a stranger is never given the benefit of the doubt. Instead, users are expected to participate in rigorous verification processes. This leads to the second principle of the zero trust model—to extensively verify users and entities. Accordingly, access is only granted when all the necessary log-in requirements are satisfied, and all of the available data regarding the user seems to indicate legitimacy. Data regarding location, device, server workload requests, classification of data, and and other anomalies are consulted, and any suspicious activity is flagged. Ultimately, the common expression describing this proactive security strategy is “never trust, always verify”.
Moving on, the third principle of the zero trust model entails that users be given least privilege access. This means that any user or entity will only be authorized to perform actions which are necessary for their specific tasks, during prespecified times. This is known as just-enough (JEA) and just-in-time (JIT) access. Granting access on a by-need basis entails that users and entities can use only relevant resources, applications, and data. In the event a user or entity’s actions do prove harmful, this limits their ability to damage the system. On the contrary, if an organization grants far more generous system access to all of their accounts, then if one user or entity’s actions are harmful, the extent of the damages is far worse.
In conclusion, there are added risks to working from home. This is generally because an organization’s IT team is given less access to the software and hardware used from home. On this note, it is preferred that corporately owned computers are used, but this is often not the case. These risks to working from home can be mitigated at the personal level if one is to educate them self on modern cybersecurity standards and threats. Ultimately, organizations can use a zero trust model to help ensure intrusions do not occur, but that if they do the damage is minimized.
Multi Part Series: The Evolution of CybersecurityPart 1: What Poor Endpoint Protection Entails Part 2: Ideal Endpoint Protection Part 3: The Need for Multi Factor Authentication Part 4: The Risks of Working from Home – A Zero Trust Approach |
Featured Download |