During the COVID-19 lockdown more people than ever are working from home, many of them for the first time. Following on from my colleague's blog on the controls businesses should consider for remote working, I will be tackling some of the less visible threats that working from home (WFH) can bring.
IT departments will have issued laptops to staff, configured VPNs and other remote access solutions, and performed capacity planning for the increased utilisation of resources. They may even be allowing staff to connect to the corporate VPN from personal, uncontrolled devices. All of this increases the risk of exposure or compromise.
Some of the more obvious risks of allowing more staff to connect remotely are the possible loss of corporate information and an increased chance of malware infection. Staff who access information from laptops and are not used to working in this way may be storing it locally, where it will probably be uncontrolled; if a device is lost or stolen, the information on it could be compromised. While more and more organisations use full-disk encryption on their laptops, this is unlikely to be the case for personal devices. If staff access corporate resources from their own devices and store data locally, it could be readable by any family member or friend who shares the computer, as well as by whoever ends up with the device if it is stolen.
Corporate devices are also typically kept up to date and should be running anti-malware software, but again this cannot be guaranteed for personal devices, which may never have been patched and could already be infected with botnet software or other malware. Allowing them to connect to the corporate network could let an infection spread from the personal device onto corporate resources, or allow an attacker with remote access to the device to reach corporate resources through it.
As staff work outside their normal office environment, the temptation to ignore corporate policies grows. Away from the tight controls that may exist in the office, such as web-filtering proxies, users might be tempted to browse unauthorised websites, install unauthorised (and possibly illegal) software, or download pirated films or music. Aside from the possibility of introducing malware, what are the risks of this?
More and more, large organisations such as banks and insurance companies are turning to services that track a company's "cybersecurity rating", much as a credit score rates an individual, using providers such as BitSight. They use this information to judge the trustworthiness and security posture of the companies they deal with. A poor score could cause a company to lose out when bidding for work or to be declined access to services.
These rating companies use a variety of sources for their scoring, such as directly checking for vulnerable or out-of-date services hosted by a company. They also use indirect measures, such as tracking the IP addresses that download illegal content or visit untrustworthy websites; much of this information comes from services that perform real-time tracking and correlation of online threats. The important point is that these indirect measures are keyed on the company's public IP addresses, so anything that leaves the network through those addresses is attributed to the company.
As more users work remotely, the likelihood of tripping one of the flags these organisations monitor increases, even where users are not doing anything deliberate or malicious. If a user connects their own, botnet-infected computer to the corporate VPN, the botnet's traffic will now appear to come from a corporate IP address, suggesting that the company is infected when in fact the issue is with a non-corporate resource.
Or a user might visit a website that would be considered inappropriate for business use but is relatively innocuous for personal use; if they forget to disconnect from the VPN at the end of the working day before doing their personal browsing, that traffic will again originate from a corporate IP address. The same applies if a user downloads illegal content to watch a film or television series in the evening, which will very likely be detected. Note that this is a consequence of a full-tunnel VPN, which routes all of the client's Internet traffic through the corporate network; a split-tunnel VPN sends only corporate-bound traffic over the tunnel, so personal browsing keeps the user's home IP address, but it also puts that traffic beyond the reach of corporate controls. Given that many of these staff members won't be used to working this way, the likelihood of such transgressions, deliberate or accidental, is increased.
Knowing the risks, what steps can organisations take to prevent them, or at least minimise their impact? The controls are a mixture of technical and administrative. From a technical perspective, we recommend that all staff Internet access, even when remote, is monitored and restricted to prevent access to unauthorised or unapproved websites; this is especially important when connected to the VPN. A corporate web proxy should monitor and control all outbound Internet access from the VPN, so that the same web-filtering policy applies at home as in the office and the proxy logs show exactly what has left the corporate address space. Additionally, all systems should run anti-virus software that updates from a central server even when remote. While it is not possible to control Internet access from staff personal devices when they are not connected to the VPN, a corporate anti-virus licence could perhaps be temporarily extended to allow installation on these devices. Some VPN software can also validate that a connecting system meets certain requirements, such as having up-to-date anti-virus, before allowing the connection (often called posture or health checking); a device that fails the check can be refused or placed in a restricted network until it is remediated.
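Once VPN traffic is forced through a corporate web proxy, the proxy log is the place to look for the two scenarios described above: a device in the VPN pool talking to botnet or p2p destinations, and personal browsing that arrives out of hours because the user left the VPN connected. The following Python script is an added example, not code from the original post or from SureCloud; the log format, the VPN address pool (10.200.0.0/16), the category names, the working hours and the sample log lines are all constructed assumptions, so adapt the parser to your own proxy's format.

```python
"""Audit a web-proxy log for VPN clients whose traffic would damage a
corporate "cybersecurity rating" (added example; all values below are
assumptions, not from the original post)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, ip_address, ip_network

# Assumed address pool handed out to VPN clients. Their traffic egresses via the
# corporate NAT address, so rating services attribute it to the company.
VPN_POOL = ip_network("10.200.0.0/16")
# Assumed proxy categories that should never be seen from a corporate IP.
ALWAYS_FLAG = {"p2p", "malware", "adult", "warez"}
# Assumed categories that are tolerable in the day but suspicious out of hours
# (a user who forgot to disconnect from the VPN before personal browsing).
PERSONAL = {"entertainment", "shopping", "social", "streaming"}
WORK_START, WORK_END = time(8, 0), time(19, 0)  # assumed working hours

# Constructed sample log: timestamp client user method url category status
SAMPLE_LOG = """\
2020-04-06T09:12:44 10.200.1.15 alice GET https://intranet.example.net/ business 200
2020-04-06T13:05:10 10.200.1.22 bob GET https://tracker.torrents.invalid/announce p2p 403
2020-04-06T21:40:03 10.200.1.15 alice GET https://video.stream.invalid/ streaming 200
2020-04-06T02:17:55 10.200.1.40 - POST http://gate.botnet.invalid/gate.php malware 503
2020-04-06T10:30:00 192.168.50.7 carol GET https://news.site.invalid/ news 200
2020-04-06T12:00:00 10.200.1.22 bob GET https://shop.site.invalid/ shopping 200
"""


@dataclass(frozen=True)
class Entry:
    ts: datetime
    client: IPv4Address
    user: str
    method: str
    url: str
    category: str
    status: int


@dataclass(frozen=True)
class Finding:
    client: str
    user: str
    reason: str
    url: str


def parse_line(line: str) -> Entry:
    """Split one space-separated log line into a typed Entry."""
    ts, client, user, method, url, category, status = line.split()
    return Entry(datetime.fromisoformat(ts), ip_address(client), user,
                 method, url, category, int(status))


def parse_log(text: str) -> list[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_vpn_client(addr) -> bool:
    """True when the request came from a VPN-assigned address."""
    return addr in VPN_POOL


def in_working_hours(ts: datetime) -> bool:
    return WORK_START <= ts.time() < WORK_END


def check_entry(e: Entry) -> Finding | None:
    """Return a Finding when the request reflects badly on the corporate IP.
    Blocked attempts (403/503) are still flagged: they never reached the
    Internet, but they show a device or user that needs attention."""
    if not is_vpn_client(e.client):
        return None  # not our egress address; not attributed to us
    if e.category in ALWAYS_FLAG:
        return Finding(str(e.client), e.user,
                       f"blocked category '{e.category}'", e.url)
    if e.category in PERSONAL and not in_working_hours(e.ts):
        return Finding(str(e.client), e.user,
                       "personal browsing out of hours (VPN left connected?)",
                       e.url)
    return None


def audit(text: str) -> list[Finding]:
    return [f for f in map(check_entry, parse_log(text)) if f is not None]


def by_client(findings: list[Finding]) -> dict[str, list[str]]:
    """Group reasons per client address so one device with many hits is obvious."""
    summary: dict[str, list[str]] = {}
    for f in findings:
        summary.setdefault(f.client, []).append(f.reason)
    return summary


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.client:15} {f.user:6} {f.reason}: {f.url}")
```

On the sample log this flags three requests: bob's torrent tracker, alice's evening streaming from a still-connected VPN client, and the botnet check-in from the unauthenticated device at 10.200.1.40; carol's request is ignored because 192.168.50.7 is not in the VPN pool, and bob's lunchtime shopping is within working hours. The script only sees what the proxy sees, so it is only useful with a full-tunnel VPN that forces all client traffic through the proxy.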
Another option, and one that probably offers the most control, is a remote desktop solution such as RDS or Citrix. Users connect to a server and are presented with a full Windows desktop, but that environment is managed by the organisation and runs entirely under its control, so all Internet access and software can be governed by the same controls as if the user were on site. The personal device then acts only as a display and keyboard, and corporate data need never be stored on it, provided clipboard and local drive redirection are restricted. As well as the security benefits, these solutions offer practical ones: a user can disconnect and later reconnect to the same session to continue working uninterrupted.
Lastly, it is important to ensure that administrative controls such as Acceptable Use and Information Security policies cover remote working, and that all staff are fully aware of them and of the implications of failing to meet their obligations; if remote working is not covered in your policies, now is the time to add it. My colleague Matt Watson covers this in more detail in his blog 'Migrating to Home Working with Controls to Put in Place'.
If you have questions or concerns, please email firstname.lastname@example.org and we will do our best to assist you.
SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.