Coronavirus, or COVID-19, has created a wave of disruption across the globe. In response to the spreading pandemic, many organizations that can have remote workers are advising their employees to work from home to avoid contamination in the office.
While a recommended health practice, this rush to make every employee a remote employee has some security ramifications that CISOs and their teams must address to keep their organizations safe.
Has your company considered these four threats that an increased teleworker population presents? These unprecedented times call for unique yet practical secure remote working best practices to ensure your organization's risk posture does not explode during a teleworker boom.
VPN everywhere, all the time
Problem: Despite the proliferation of cloud and advent of technologies such as cloud access security brokers that provide cloud application security, the tried-and-true VPN on every employee's laptop, tablet or mobile device continues to be the first hop to securely connect to an enterprise network. While VPNs provide obfuscation through encryption, the sudden and sustained increased of VPN connections will stress the VPN headend due to the spurt of remote workers.
Solution: Test enterprise VPN throughput and sustained connections, and review service agreements with VPN vendors or service providers.
Enforce remote employee security and privacy best practices
Problem: While some employees have enjoyed the work-from-home experience, many others have never worked remotely before. As such, they may not be familiar with upholding enterprise security and privacy best practices in the home.
Solution: It is critical to ensure remote employees have the proper set of tools in place pursuant with their employer's policy. Such tools may include a VPN client and mobile device management software.
To ensure remote worker security and privacy best practices, create a short video or a humor-underscored presentation -- humor helps with resonance -- about work challenges, such as how to deal with more than one person at home simultaneously having conference calls. Even though an employee's roommate may not work for the competition, overhearing a financial forecast she's alluding to may inadvertently lodge in his brain, and he may casually refer to it in a coffee conversation with his analyst buddy.
Note, new work-from-home employees, along with those who have previously worked remotely, should go through this training.
Using nonapproved engagement applications
Problem: For employees to sustainably, efficiently and productively work from home, expect an increased load on enterprise applications, including CRM, HR and collaboration apps. If remote workers' primary applications do not respond instantly -- the way they are accustomed to at the office -- it's a sure bet that they will conjure up new (read: not approved) ways of working at home. Imagine Slack takes too long to respond and thus Google Hangouts becomes the new go-to for employees to discuss sensitive company issues. This probably isn't what any CISO wants to discover.
Solution: Every application must be tested and upgraded for an increased workload. In addition, employees need to be trained -- again, use humor, cartoons or contests to resonate -- to understand remote employee security practices and to learn why using nonapproved applications can harm employees and their employers. Application whitelisting and blacklisting should also be considered.
Watch out for spying smart speakers
Problem: The increased use of Siris, Alexas and Google Homes following the advent of smart speakers in employees' homes, combined with the greater number of conference calls and video chats that will accompany a teleworker boom, may cause a privacy nightmare. Certain words or phrases may wake up these digital assistants and confidential information may accidentally be recorded and shared, as was the case with a couple whose Alexa recorded their conversation and sent it to a random contact. While not an enterprise security scenario, it very well could have been.
Solution: CISOs and chief privacy officers must put policies in place and conduct employee training to ensure remote workers take simple steps, such as turning off any smart speakers or adjusting their settings before a call, to prevent any privacy mishaps.