By Bruce Sussman
Thu | Mar 12, 2020 | 11:25 AM PDT

What happened in Oklahoma City this week is symbolic of how suddenly things are shifting as the U.S. comes to grips with the coronavirus pandemic.

The Oklahoma City Thunder and the Utah Jazz were on the court Wednesday night, warming up and shooting some shots with minutes to go before tip-off in their NBA matchup.

Rather suddenly, players were told to return to their locker rooms. 

Few knew it yet, but Jazz player Rudy Gobert had received his coronavirus test result and it was positive.

About 30 minutes after players left the court, a voice over the arena's loudspeaker told the crowd the game was canceled "due to unforeseen circumstances" and fans needed to leave the building.

This leads us to a couple of important questions for cybersecurity leaders and teams.

Have your employees (or students and faculty) left the building to work remotely?

If so, what are the cybersecurity and privacy implications of millions of employees suddenly working from home?

As it turns out, there are quite a few of them worth exploring.

Coronavirus remote work increases cybersecurity risks

One of the biggest challenges is that huge numbers of employees are working from home for the first time due to the coronavirus.

They may be unaware of best practices that road warriors know well, such as always using a VPN on public networks or knowing how to handle problems connecting to the corporate database where sensitive data should be stored.

That can generate significant organizational risk. 

Jeffrey Neuburger and Ryan Blaney of Proskauer Rose Privacy and Cybersecurity Group have been talking about this with clients.

"Employees working from home may take shortcuts, such as downloading or saving sensitive company materials to their personal devices, desktops, thumb drives, hard drives and file hosting services in the cloud (e.g., Dropbox).

"Employers should remind their workforce that saving company materials to personal devices that have not been appropriately configured with security systems (e.g., company-sanctioned level of anti-virus software, password protection technologies, or secure network connections) increases the risk of exposure to cybercriminals."

And the firm is advising clients about two particular data types: trade secrets and PII (personally identifiable information).

"Exposure of trade secrets or confidential business information can potentially cause significant business damage or loss. Exposure of personal information can potentially trigger state or federal data breach notification laws, and result in significant liabilities for a company as well as expanded identity theft issues for individuals."

Employees engage in riskier online behavior at home

Regardless of whether you have prepared your end-users with corporate devices or not, the potential risks from employees working at home for weeks on end may be significant.

The 2020 State of the Phish report reveals risky behaviors that employees admit to participating in.

This includes re-using passwords, not using VPNs, and allowing friends and family access to their corporate devices. Of employees surveyed, 49% say they share their corporate devices.


Employees may rely more on mobile devices

Another concern is the use of what employees know and love: their mobile devices. More time working from home may increase what they do on their mobile devices.

Chris Hazelton, Director of Security Solutions at Lookout, expects cyber criminals to see this shift as an opportunity:

"Students and workers remaining at home, or possibly stranded in remote locations, are going to be heavily dependent on their mobile devices. Mobile attacks are particularly effective because they often trigger immediate responses from recipients - instant communication platforms like SMS, iMessage, WhatsApp, WeChat, and others."

And Dale Zabriskie, Security Awareness Evangelist at Proofpoint Security Awareness Training, says there is a security and privacy disconnect for many end-users when it comes to their tablets and phones:

"Research reveals we act differently on mobile devices, and end-users often take greater risks. 'I just emailed it from me to me, so that's okay, right?' There needs to be more training on PII protection, for example."

CISA to test remote work plan

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is stress testing its remote work plan. Most employees will work from home on March 13, 2020, according to Axios.

"This telework event will evaluate the current remote capabilities available if CISA-wide telework becomes necessary in response to the outbreak of the COVID-19 virus," agency spokesperson Sara Sendek said.

Mitigating threats from a remote workforce

According to Zabriskie, gaining security mindshare with your employees, whether they are in-house or working remotely, is most effective within a comprehensive testing and training program.

This will allow you to test, find security knowledge deficiencies, and then train to close those knowledge gaps.

That is one long-term strategy to mitigate end-user risk. 

And Proskauer Rose also suggests several technological solutions to help secure a remote workforce:

  • Requiring all employee devices to be equipped with the employer-provided security software and the latest manufacturer software updates prior to permitting access to any remote systems;

  • Requiring multifactor authentication [MFA] upon each login to a company portal;

  • Only allowing remote access through a virtual private network (VPN) with strong end-to-end encryption;

  • Prohibiting working from public places, such as coffee shops or on public transportation, where third parties can view screens and printed documents;

  • Prohibiting use of public Wi-Fi, and requiring the use of secure, password-protected home Wi-Fi or hotspots;

  • Imposing additional credentialing with respect to the ability to download certain sensitive data.

Given the sudden and urgent nature of the current work-from-home transition, it may not be practical to implement all of these steps immediately, but perhaps some can be implemented.

Just like NBA teams and their fans, your employees may have left the building because of the coronavirus.

But they do not have to leave privacy and cybersecurity behind.

