The coronavirus is sweeping over the world, and as countries enforce lockdowns and send people into quarantine, the home office has become the new normal. For some, this is business as usual, while for others it means new challenges and strains on both business processes and information security. The IT infrastructure might not be sized for the home office, and security weaknesses become apparent.
For many, the home office during the coronavirus period is not a voluntary choice but something that has been forced upon them. They are not used to working from home, and the business processes and infrastructure are not adapted to everyone working from home. This can bring an increased risk of data leakage. As users try to adapt, IT and security leaders must play an active role in making sure that information security is attended to. The potential risks for current or future data leakage are many:
Cybercriminals have not let this chance go by and are already in full swing creating fake websites, phishing emails, malicious attachments and so on. With everyone sitting at home alone craving new updates on whether or not the world has gone under yet, the corona phishing industry is blooming. How many will take the bait is too early to say, but we know that historically, about 90% of all successful hacking attempts started with phishing.
Bring your own device
Bring your own device, or BYOD as it is also known, is when an employee wants to use their own personal device for doing business. This usually comes from a preference for a certain type of technology or the desire to use the most familiar device. These devices can be a personal laptop, a Mac, a tablet or maybe a smartphone. As everyone is sent home to work from the home office, it should maybe be renamed "use your own device". Given that users are confined to their homes, the chance increases that personal devices are used for accessing and processing sensitive company data. When personal devices are used for processing and storing information, the business loses control over that information. You don’t know whether the information exists, for how long it will be stored, who it may be shared with, who has access to the device, etc.
Applying security patches to systems is an area that can potentially suffer during the crisis. This applies especially to endpoints like laptops that are no longer connected to the company network. Users who now use private devices for work may not have updated their devices in a long time, and may even use old software that is no longer supported, like Windows 7.
Some software vendors have indicated that, due to the coronavirus, security vulnerabilities may not be patched as quickly as they normally would be. An example is Microsoft, which left a critical bug unpatched on Patch Tuesday and just warned about the security vulnerability.
Rogue or shadow IT
Rogue IT, or shadow IT, has long been a problem for the IT and security department. Users and even departments have set up servers, software and services on the side to avoid the strict security requirements. In this day and age, with a cloud service just a few clicks away, this problem has not gone away but is instead increasing. If your services and infrastructure are not what the users expect, they will find new ways outside of the IT department's control. With everyone in the home office, slow or ineffective services may be just the catalyst that makes users look for alternatives. When users start using WhatsApp, Dropbox, Box, OneDrive and Gmail to transfer and store sensitive documents, leakage is not far away.
The Wi-Fi network you have at work is probably, and hopefully, set up securely with a password and WPA2 protection. This may not be the case for many of the home networks out there. Some users run on an open network, or had their router set up when WEP was the latest and greatest and have not configured their network since. Insecure networks are vulnerable to eavesdropping and man-in-the-middle attacks. Some sinister neighbors may also set up a fake network access point using a WiFi Pineapple to steal information from their high-profile neighbors.
What can be done?
Some businesses and companies will be more prepared than others as all the employees are quarantined and sent to work from home. While some activate their Business Continuity Plans (BCP), others will need to start almost from scratch. Regardless, here are some points that all can benefit from reviewing.
Security Awareness Program
If you don’t have a security awareness program already, now is the time to start one. If you already have one, wipe the dust from it and get it out to the users. Few things can improve security more than security-aware users. Even with the best technology out there to protect you, users will find a way to press that link, surf that insecure website or download that malicious attachment. A security-aware user will think twice before doing anything that can compromise the network, machine or data. It is easier to get a security-aware user to do the right thing and to use secure solutions because they know and understand the risk involved.
Move to cloud
The cloud offers some good solutions when everyone is working from home. One of the benefits that cloud solutions have promoted is just that: connect from everywhere. Whether you are at the office, at home or on vacation, you can connect safely to your data in the cloud. Cloud solutions usually also come with security built in. You can easily set up multi-factor authentication (MFA) and restrict logins to regions or IP addresses. Some cloud solutions even come with security programs running on advanced artificial intelligence to keep your data safer.
Performing risk assessments is a great way to become aware of risks and vulnerabilities. You may not have the time or budget to mitigate all risks, but with a good list of assessed risks, you will know where to start. What is the company’s risk acceptance, and what is its risk tolerance? Identified risks that are outside the company’s risk tolerance level need to be mitigated, or the activity needs to be stopped. During the current coronavirus situation, processes should be risk assessed, vulnerabilities identified, and unacceptable risk mitigated.
To know what data you have, and the risk you are exposed to, you should classify all your documents. This is a great way to know the sensitivity and quantity of the information you are processing outside your structured databases. While a breach and subsequent leakage of a sensitive database would usually be more severe than a leak of a document, it would also be rarer. Databases are fewer, better protected and IT is aware of the content of the database and the risk. Documents, on the other hand, are numerous, spread out on many machines and servers, copied and distributed daily. Unless you classify your documents, it is difficult to know what kind of protection each document requires.
Ideally, all documents should be classified automatically on each computer, server and cloud instance, and the results reported centrally. This way you know the number of sensitive documents you have, where they are and who has access to them. This is especially useful as people are now working from home. Many sensitive documents and reports will probably be created as users download data from databases to work with offline. The more confidential documents that are created, processed and transferred between endpoints, the greater the risk and consequence of a leak.
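As an illustration of automatic classification with central reporting, here is an added example (not from the original article or any specific product). The labels, the two detection rules (a card number that passes the Luhn check, and a confidentiality marker) and the report layout are assumptions chosen for the sketch; the documents are constructed samples.

```python
import re

# Assumed rules for this sketch: card-like numbers and explicit markings.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MARKER_RE = re.compile(r"\b(confidential|internal only)\b", re.I)

def luhn_ok(digits):
    """Luhn checksum, used to discard random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the strictest label (hypothetical label names) that applies to the text."""
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "restricted"
    if MARKER_RE.search(text):
        return "confidential"
    return "unclassified"

def endpoint_report(host, documents):
    """Summarise one endpoint: counts per label and the location of sensitive files."""
    report = {"host": host, "counts": {}, "sensitive": []}
    for path, text in sorted(documents.items()):
        label = classify(text)
        report["counts"][label] = report["counts"].get(label, 0) + 1
        if label != "unclassified":
            report["sensitive"].append({"path": path, "label": label})
    return report

# Constructed sample documents on a hypothetical home-office laptop.
SAMPLE_DOCS = {
    "C:/Users/kari/export.csv": "customer card 4111 1111 1111 1111 on file",
    "C:/Users/kari/plan.docx": "CONFIDENTIAL: reorganisation plan for Q3",
    "C:/Users/kari/notes.txt": "order ref 4111 1111 1111 1112, lunch at 12",
}

if __name__ == "__main__":
    print(endpoint_report("laptop-017", SAMPLE_DOCS))
```

Each endpoint would send its report to a central collector, which gives the count and location of sensitive documents per machine.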
Monitor and log
Monitoring and logging may not directly protect your data, but they may give you an early warning so that you can prevent leakage. For logs to be effective as a preventive tool they need to be reviewed. Logs that are not reviewed will usually only take a lot of space and serve to explain what happened after the incident. Here are some examples of what you can use logs for and what you can look for:
-Logons to your servers or services from unknown locations
-Logons to your servers or services at strange hours
-Multiple failed login attempts for one user
-Failed login attempts on multiple users
-Massive downloads of confidential documents from a server
-Unauthorized creation of new users
-User privilege escalation
-Large amounts of encrypted traffic to strange locations
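The first four checks in the list can be expressed as simple rules over authentication events. The following is an added example, not part of the original article: the log format, thresholds, working hours and known-country list are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: time, result, user, source IP, country code.
SAMPLE_LOG = """\
2020-03-30T09:01:12 OK   alice 198.51.100.10 NO
2020-03-30T09:05:40 FAIL bob   203.0.113.7   NO
2020-03-30T09:05:44 FAIL bob   203.0.113.7   NO
2020-03-30T09:05:49 FAIL bob   203.0.113.7   NO
2020-03-30T09:05:55 FAIL bob   203.0.113.7   NO
2020-03-30T09:06:01 FAIL bob   203.0.113.7   NO
2020-03-30T11:20:00 FAIL alice 192.0.2.55    NO
2020-03-30T11:20:03 FAIL carol 192.0.2.55    NO
2020-03-30T11:20:06 FAIL dave  192.0.2.55    NO
2020-03-30T11:20:09 FAIL erin  192.0.2.55    NO
2020-03-31T03:12:30 OK   carol 198.51.100.23 BR
"""

KNOWN_COUNTRIES = {"NO"}    # assumption: where staff normally log in from
WORK_HOURS = range(6, 22)   # assumption: 06:00-21:59 counts as normal
FAIL_PER_USER = 5           # assumption: failures for one user before alerting
USERS_PER_SOURCE = 4        # assumption: distinct users failing from one IP

def parse(log):
    for line in log.splitlines():
        ts, result, user, ip, country = line.split()
        yield datetime.fromisoformat(ts), result, user, ip, country

def detect(log):
    """Return alerts; counts cover the whole input, a real rule would use a time window."""
    alerts = []
    fails_by_user = defaultdict(int)
    users_by_ip = defaultdict(set)
    for ts, result, user, ip, country in parse(log):
        if result == "FAIL":
            fails_by_user[user] += 1
            users_by_ip[ip].add(user)
        else:
            if country not in KNOWN_COUNTRIES:
                alerts.append(("unknown_location", user, country))
            if ts.hour not in WORK_HOURS:
                alerts.append(("strange_hour", user, ts.isoformat()))
    alerts += [("many_failures_one_user", u, n)
               for u, n in fails_by_user.items() if n >= FAIL_PER_USER]
    alerts += [("failures_across_users", ip, len(us))
               for ip, us in users_by_ip.items() if len(us) >= USERS_PER_SOURCE]
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Failures spread thinly across many users from one source never trip the per-user threshold, which is why the fourth rule groups by source address instead.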
Keep IT security involved
Make sure that IT security is involved in new ways of working. Working from home will create some bottlenecks. As users and departments change their processes to avoid these bottlenecks, IT risks may arise. If IT security is not actively involved to ensure safe practices, security will be overlooked, and incidents will happen. In the same way that HR is involved in staff issues and the Legal Department in legal issues, IT security should be involved in all processes to ensure information security.