The Covid-19 pandemic changed everything about the way we work, play and live — literally overnight. But here, let’s focus on the way we work since that’s the basis for how we feed our family, afford our mortgage and Netflix.
It happened suddenly. With very little notice companies urgently needed a plan to send all of their employees home while enabling as many as possible to continue working. There was no refusing and no option B. Companies that weren’t prepared were going to have to face complete closure. So, with precious few days to plan, companies sent employees performing sensitive business processes, with sensitive customer and internal information, home to work remotely.
Remote work, if you’re prepared for it, is easy. I’ve worked from a home office for almost a decade, and while it hasn’t always been my preferred mode of work, it’s doable. But that’s the key, being prepared. Companies had to send employees home without any preparation or strategy so the results were predictably disastrous in many cases.
Let’s look at just a few of the risks of working from home:
The network environment that a work-from-home employee plugs into is dramatically different than the one at the office. I’m not simply talking about the hygiene of the network – because it’s far from a given that the network at the office is ‘clean’ – I’m also referring to available resources. Your office has physical and virtual devices that prevent attackers from gaining access, and then detecting and responding to them quickly. Odds are that your home network has none of this. Further, your home network is most likely connected by a cable modem that your children, spouse and even other family members and friends connect to. Their devices and intentions aren’t always clean. Not every company has a robust VPN infrastructure that can handle a full work-from-home workforce, and even fewer have one that supports the kind of flexibility that their users will demand when working from home.
“Internal Protected Systems”
While the notion of a trusted internal network is rapidly disappearing from our reality, there are still many, many companies that have critical business processes that run on systems not exposed to the Internet or outside of the company. As the people who work on those systems go to work from home, it may be necessary to find ways to expose those systems. This is exceptionally dangerous if proper care isn’t taken to think through a strategy and implement significant safeguards.
When you work at an office, the local site administrator sets you up on the printer near your desk or area and any other devices that you may want to use. It’s conceivable that you never needed to perform administrative functions on your laptop. Then, you’re sent home and have to add your printer, your home Wi-Fi and potentially other devices to support your way of working. Since you’re not at an office, and there may be no way to have a help desk professional do it for you, companies will be stuck enabling employees to be their own local administrators. This will prove catastrophic when it happens because one of the highest impact changes that security has implemented in recent memory was to remove administrator access for users. This removal has forced attackers to up their game. Removing that safeguard lowers the bar for attackers significantly.
Security Tools Maintenance
While most companies won’t struggle with this, the reality is that there are many that still don’t have a way to remotely perform software inventory/update, software scanning and patching and other forms of necessary administration. Something as simple as updating your anti-malware tool on your laptop may be impossible if the system was not set up to manage distributed, fully mobile users. These are not trivial administrative things but these tools must be maintained, monitored and leveraged to ensure that attackers don’t suddenly have a massive advantage over defenders.
The risks are there, that should be obvious. The rewards are there as well – the main one being that your company gets to continue to operate even at some diminished capacity. So while I don’t want to tell you that working from home is necessarily some catastrophic event, or that there’s no way to do it safely, the likelihood of many mid-market companies enacting strategic work-from-home policies that include security is probably pretty low given that they weren’t prepared in the first place.
Moral of the story: if you weren’t prepared, you’ve likely made some mistakes. These mistakes don’t need to be permanent, nor do they necessarily mean you’ll be hacked. What you should do is work with someone who has experience in implementing work-from-home and remote work strategies to see what you can improve or what you’ve simply neglected to do. A good time to do that is today because tomorrow you might have to explain yourself – and that’s no fun.