By Maninder Singh, Corporate Vice President - CyberSecurity Services
Amid the first global pandemic in a century, ideas that have been sporadically considered for decades are moving front and center. For example, the Covid-19 virus has drawn attention to the benefits of locally sourced food and manufactured goods. It has highlighted the high cost, in time and money, of business travel. And it has shown the potential of “work from home” for many companies and their employees.
This last idea has itself spread like a virus, as the 2020 pandemic has prompted many businesses to adopt a WFH policy – call this virus WFH-20 -- for nearly all employees. The aim has been to ensure minimal service breaks and keep the wheels of the economy turning, while protecting employees’ health.
WFH is an idea that has been around for years. It has failed to get real traction because it runs counter to the age-old notion that employees working in groups need to work physically together. Even as digital collaboration tools have proliferated, there has been the assumption that having people working onsite and, when possible, in the same location makes it easier to monitor productivity, optimize efficiency, leverage skills, exchange ideas, and share tools and infrastructure.
But Covid-19 has forced businesses to rethink their traditional wariness about remote work and do everything they can to enable employees to work from home. Unfortunately, though, while legacy thinking on remote work is coming down, companies’ vulnerability to digital viruses and other security threats is going up – exponentially.
Security is—and has always been—a major obstacle to widespread remote working. There are several reasons for this. For one thing, the moment employees swipe into the workplace, they subconsciously switch into high-alert mode. They begin to follow guidelines, policies, and processes automatically. They resort to professional behaviors that are learned and reinforced over decades. When they deviate from those behaviors, colleagues are quick to raise eyebrows, wave a red flag, and get matters back on track.
By contrast, when employees go home to work, they often leave their vigilant mindset at the office. They are more relaxed, casual, distracted. Workplace security is no longer likely to be foremost in their mind. Therefore, when they connect from remote devices to enterprise systems, everyone along the chain of connectivity is exposed to cyber threats.
Human psychology is not the only factor that has discouraged businesses from adopting remote working. WFH may be difficult in places where electricity is undependable. Laptops, mobile devices, modems, routers, reliable broadband, VPNs, firewalls, access to enterprise systems, networks and data, access to partner and supplier systems and data, communication and collaboration tools, productivity tools – all of these are vulnerable to the intermittent or fluctuating power supply common in many parts of the world. The lack of an uninterruptible power supply (UPS) can undermine the most well-meaning WFH initiative.
There are also infrastructure and connectivity obstacles. In many industries, driven by twentieth-century processes and overreaching compliance requirements, IT Infrastructure and risk and compliance teams are averse to thinking or promoting remote working as part of infrastructure support and management requirements.
While these issues are sorted out, however, there should also be a sharp focus on security vulnerability.
In addition to relatively traditional and predictable cyber-attacks, researchers in early March 2020 had already identified two new global pandemic-related malware attacks. These attacks succeeded because of users looking for data about the corona virus and inadvertently becoming malware victims. One of the two attacks used a phishing email to spread Remcos RAT, which uses obfuscation and anti-debugging methods to evade detection and distribute malware. The other used an MS Office document to open a backdoor to systems. And this was just the beginning. Cybersecurity firm Checkpoint found 4,000 coronavirus-related domains, of which 3% were sources of malicious attacks and another 5% were considered suspicious. There is new vulnerability everywhere.
Infrastructure teams simply must assume that the new touchpoints, equipment, and systems they put in place to support WFH will attract a host of hackers and cybercriminals. It is imperative to put new cybersecurity processes in place, including the following:
- Educate employees about the array of threats they face: phishing attacks, malware, viruses (you only need look to the medical virus COVID-19 to see how quickly a virus can take over your systems!), scareware, spyware, worms, misleading applications that are downloaded on endpoint systems, etc.
- Adopt user identity and access management policies to raise security levels, allowing only verified and authenticated devices and users with multi-factor authentication.
- Use traditional VPNs which, though relatively expensive, may be necessary in certain environments.
- Consider cloud-based home office solutions for VPN, which are cheaper than conventional VPN, are available on-demand, and can be installed quickly.
- Establish methods and processes to enforce security policies and geo-specific data privacy requirements, and keep the policies updated as requirements change.
- Extend patch management to all remote devices and endpoints.
How relevant are such cybersecurity processes? That is, how widespread has WFH become in the few months since the emergence of Covid-19? One indicator is the stock prices of collaboration and communication tool makers. Zoom Video Communication, the company that makes remote conferencing software, saw its share rise 275% in a period when the Dow Jones index fell by as much as 33%.ii Another indicator is the number of events that have moved online. Events planned by Google, Adobe, Microsoft, SAP, Nvidia – not to mention big trade shows like Barcelona’s Mobile World Congress – have been moved from physical to virtual space. In most cases, the migration has been pretty successful. This makes me believe that something we perceived as hampering productivity will now lead to greater efficiency and cost reductions for those willing to embrace it – but only if your business pays adequate attention to cybersecurity.
On a personal note, let me add that working from home in recent weeks, listening to birds chirping in the morning, seeing a clear blue sky in my crowded and otherwise polluted city, is a refreshing experience. The outbreak of the Covid-19 pandemic also has a social and professional message for all of us: Embrace a sustainable model of living – while ensuring your digital way of working, as well as your physical health, are secure against viruses.