Remote working… a corporate security loophole that needs closing?
Published on: 12 04 2021
According to TechTarget’s “IT Priorities 2020-2021” survey, 65% of companies are preparing to better support teleworking in 2021. In this context, one concept in particular must urgently be addressed: the issue of cybersecurity at home.
Boosted by the health crisis, all IT managers are having to deal with the teleworking trend, which is set to become a permanent feature. And with it comes the collateral damage that is often set aside in the rush: protection of the company’s IT system. We have one foot in the office and one foot at home, with the attendant risk of mixing private and professional life, working environments and personal environments... What security lessons can be drawn from 2020? Should remote working be seen as another potential cybersecurity vulnerability for companies and organisations? How can teleworking and security be combined? What can IT managers do to make this way of working more secure? Analysis.
Time to take stock
As the first lockdown in most of the world is consigned to memory, it’s time to take stock of the situation in those organisations that were forced into the massive and precipitous use of teleworking over a year ago. While many companies were not ready for teleworking, others took advantage of this unprecedented situation to put the finishing touches to their already well-established teleworking policies. “Many companies have had to ‘learn on the job’ and many myths about teleworking have been dispelled. However, remote working remains a complex issue for organisations in sensitive sectors such as defence or banking, which have a strong culture of professional secrecy”, explains Adrien Brochot, Product Manager at Stormshield. More generally, a trend is emerging: for all organisations, the issue of data protection, especially in teleworking, has become essential.
Corporate IT security put to the test
“For companies that were not used to teleworking, everything had to be built from scratch and some had to make security compromises on certain aspects, such as authorising tasks or actions that were previously only possible from the company network”, explains Maxime Nempont, Technical Leader (Security) at Stormshield. Indeed, one in four companies say they have made cybersecurity concessions to ensure business continuity, according to the 2020 edition of our digital transformation barometer. As this recommendation from Cybermalveillance.gouv.fr explains, with the first lockdown, companies had to remotely guide certain employees through setting up teleworking, without really having control over security. Some companies have had to deal with a lack of available IT equipment and to accept that employees may work from their own workstations, without being able to ensure effective security measures.
“For companies that were not used to teleworking, everything had to be built from scratch and some had to compromise on security.” (Maxime Nempont, Technical Leader Security, Stormshield)
Another notable aspect highlighted by the available feedback is learning how to manage the increase in the number of connections from outside the company. Many organisations have moved to cloud solutions and web-based tools, to the point where large vendors are concerned about their capacity to absorb the exponential demand. For others, the massive deployment of teleworking has highlighted the issue of trust. Or rather, the principle of never trusting: Zero Trust Network Access (ZTNA). “While VPN remains a widespread means of securing exchanges, other techniques exist, including ZTNA”, adds Adrien Brochot. The principle is simple: never trust a request from a user to access a company resource on its own. Instead, check the security posture of the user’s workstation or impose additional authentication requirements before granting access. The health crisis could therefore boost this approach.
The shift to all-teleworking has also provided encouragement and justification for some companies that had already made great progress in the move to remote working. But it has also surprised, and often challenged, others who were not ready, and for whom the risks of teleworking have now become a leading cause for concern. However, despite a notable increase in attacks during the pandemic (a Deloitte study indicates that 25% of teleworking employees were exposed to threats such as phishing and spam), the cyber threats in teleworking remain the same as those on site, and the hunt for suspicious behaviour has remained more or less unchanged. What has changed with remote working is the loss of visibility by IT departments over the actions of employees: the working environment is less controlled and therefore more exposed, and the human risk is amplified, far outside the company’s protective perimeter. “When teleworking, workstations are more exposed, which means that IT teams face an additional challenge in protecting these workstations, which are no longer in a trusted environment”, explains Maxime Nempont.
The central role of HR teams
From the HR teams’ point of view, the indisputable threat that emerges from this long period of enforced remote working - as opposed to home office working by choice - is the mixing of professional and personal life over a very long period. “What did HR do during this period? Take care of employees, ensuring that a human connection is maintained”. Indeed, for Sylvie Blondel, HR Director at Stormshield, “mixing work and personal life has been a real threat, especially from a cyber perspective”. In addition to bad habits being adopted by some employees in general, the weariness of employees due to an unprecedented health situation where the home becomes the only office has led to a decrease in digital vigilance directly impacting the cybersecurity of organisations. Using the company’s computer for personal browsing and taking the risk of compromising the machine, or paying little attention to the security of the workstation, something usually managed by the IT teams, are just some of the employees’ shortcomings noted over the last few months, with the result that companies have to deal with additional security holes. This has highlighted the importance of HR teams working hand in hand with IT managers. The removal of organisational silos is conducive to the pooling of expertise. Expertise that has proven to be particularly complementary in supporting teleworking employees, for example with the introduction of awareness-building initiatives.
Should we rethink the home office concept?
“Teleworking will emerge from Covid-19 for many companies and is set to leave its mark”, says David Lamiaux, HR Director of the Kiloutou Group. Thus, with the health crisis taking hold, teleworking may well become a full-fledged mode of work, if not the predominant mode of work. A new trend that could open up new channels for malicious groups of all kinds, if companies fail to adopt measures and security habits adapted to this new paradigm and do not anticipate the risks of teleworking. But how then should we address the issue? What actions can companies take to make teleworking a long-term feature without sacrificing cybersecurity?
“Teleworking will emerge from Covid-19 for many companies and is set to leave its mark.” (David Lamiaux, HR Director of Kiloutou)
Increased vigilance for employees
To some extent, teleworking is “out of sight and out of mind” for CIOs. It’s no longer possible to simply pop into the next office and remind employees of security practices. However, the level of vigilance displayed by employees remains a key factor in cybersecurity, especially at home. But how do you prevent a drop in alertness? For David Lamiaux, vigilance in the cyber sense is first and foremost a matter for the company and IT managers, who must define and organise it as they would in a “real” company. “The average employee does not want to be bothered with his or her company’s security issues and, more generally, employees are not equipped or are poorly equipped to deal with cyber risks”. As far as awareness is concerned, in addition to the classic exercises (to be deployed abundantly to employees!), in teleworking, the message must be focused on the threat. “Since 2020, it’s been important for CIOs to highlight the threat of teleworking by reminding people that, even at home, employees are still in the company”, suggests Bertrand Méens, Deputy CIO of the IRCEM Group and a member of the CESIN, who adds: “What is interesting is to ask yourself what awareness-building scenario you are going to use and to make it concrete in relation to the context”. It should come as no surprise to anyone that user awareness remains a central lever to activate when it comes to work and cybersecurity. In any case, this is an observation shared by 58% of companies, who wish to see this subject become a priority in 2021, according to TechTarget.
The UX can also be a means of compensating for a decline in employee vigilance. It’s therefore in the interest of IT managers to use cyber solutions that are easy to use and effective, and that will integrate seamlessly into employees’ daily lives. For example, some data encryption tools can now be integrated directly into the browser or apply automatic encryption policies.
Guaranteeing cybersecurity outside the company walls
The issue of mobility and that of IT security do not naturally go hand in hand. So, to ensure continued cybersecurity when teleworking, a simple switchover to remote working must be possible, so that employees hardly have to change their habits, thus limiting the loss of reference points, which is often synonymous with a loss of good practices and reflexes. As far as possible, IT managers should therefore provide employees with the same working environment as in the company, along with a host of IT guides and procedures. “We should no longer look at the subject of cybersecurity from a technical point of view, but rather from the point of view of use, with it being therefore oriented towards employees”, says Bertrand Méens. How do you launch your VPN? How do you set up this or that software? How do you encrypt and protect your files? How do you put your device on standby, and avoid leaving your computer unattended on the train, in the car and even within the family circle? Even if it seems like a laundry list, reminding people of good teleworking practices is essential. At the same time, IT departments can implement enhanced security measures on workstations, such as automatic locking or blocking access to personal peripherals, and pre-configure equipment to limit the autonomy of employees. “This provides a certain degree of comfort for the employees and a framework with a defined security model for the company”, adds Bertrand Méens.
What about securing remote access?
Although teleworking has been around for years, it is now widespread in almost all business areas of a company, directly impacting the mapping of the information system. Ten years ago, IT managers had a single point of entry; today, more and more companies are dealing with teleworking, a multi-cloud approach and scattered collaborative tools. We are therefore seeing a major change in the IT paradigm, and technical measures need to be put in place to limit the exposure of teleworkers’ workstations: “Strict firewall rules must be established and all traffic must be routed through the company’s network”, says Maxime Nempont. Security must also be focused on the workstation itself, with endpoint solutions. Not to mention the use of VPNs, which are still widely used to secure remote exchanges and IT connections. Vigilance is still required, however, since a VPN alone is far from foolproof: it authenticates the tunnel, not the health of the workstation behind it, so additional measures such as two-factor authentication (2FA) or multi-factor authentication (MFA) are recommended.
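The ZTNA principle described earlier (never trust a request on its own; check the workstation’s security posture and require additional authentication) and the point made here (a VPN tunnel alone does not vouch for the workstation behind it, so MFA and endpoint controls are needed) can be shown together as a small per-request access decision. This is an added illustration, not Stormshield code or any vendor’s product logic; the posture attributes, the two-tier resource classification and the 30-day patch threshold are assumptions chosen for the example.

```python
"""Minimal ZTNA-style access decision (added example, not from the article).

Every request to a company resource is evaluated on its own merits:
  1. the workstation must pass a posture check (managed by IT, disk encrypted,
     endpoint agent running, OS patches not older than an assumed threshold);
  2. high-sensitivity resources additionally require a verified second factor;
  3. each decision is turned into a structured audit record, so the IT team
     keeps visibility over remote actions even outside the office perimeter.
Where the request arrives from (office LAN, VPN, home) plays no role at all.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"   # identity accepted, a stronger factor is required first
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled and pre-configured by the IT team
    disk_encrypted: bool
    endpoint_agent: bool    # endpoint protection agent is running and reporting
    patch_age_days: int     # days since the last OS patch was applied


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool      # a second factor was presented for this session
    device: Device


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # "low" or "high" (assumed two-tier classification)


MAX_PATCH_AGE_DAYS = 30     # assumed policy threshold, not a figure from the article


def posture_failures(device: Device) -> list:
    """Return the posture checks the workstation fails (empty list = healthy)."""
    failures = []
    if not device.managed:
        failures.append("device not managed by IT")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.endpoint_agent:
        failures.append("endpoint agent not running")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return failures


def evaluate(session: Session, resource: Resource) -> tuple:
    """Decide one request; returns (Decision, list of reasons).

    Posture is checked before the authentication strength: an unhealthy
    workstation is denied even if the user completed MFA, because the second
    factor proves who is asking, not that the endpoint can be trusted.
    """
    failures = posture_failures(session.device)
    if failures:
        return Decision.DENY, failures
    if resource.sensitivity == "high" and not session.mfa_verified:
        return Decision.STEP_UP, ["second factor required for high-sensitivity resource"]
    return Decision.ALLOW, []


def audit_record(session: Session, resource: Resource) -> dict:
    """Evaluate and produce one structured log record for the IT team."""
    decision, reasons = evaluate(session, resource)
    return {
        "user": session.user,
        "resource": resource.name,
        "decision": decision.value,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample data: two workstations and two resources.
    healthy = Device(managed=True, disk_encrypted=True, endpoint_agent=True, patch_age_days=7)
    stale = Device(managed=True, disk_encrypted=True, endpoint_agent=False, patch_age_days=45)
    payroll = Resource("payroll", "high")
    intranet = Resource("intranet-news", "low")

    for session, resource in [
        (Session("alice", False, healthy), intranet),   # allow
        (Session("alice", False, healthy), payroll),    # step up to MFA
        (Session("alice", True, healthy), payroll),     # allow after MFA
        (Session("bob", True, stale), payroll),         # deny: posture fails
    ]:
        print(audit_record(session, resource))
```

The ordering of the checks is the design point: the workstation’s posture gates everything, and MFA only raises the bar for sensitive resources once the endpoint itself is acceptable. In a real deployment the `Device` attributes would come from the endpoint or MDM agent rather than being constructed inline.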
Another issue raised by the widespread use of teleworking is how to secure mobile workstations. Smartphones are increasingly being used as a second desktop, and employees’ vigilance often tends to be lower when dealing with these mobile devices. It is therefore necessary to restrict the use of mobile workstations as much as possible and to have them pre-configured by the IT teams. “You have to define ‘application bubbles’ with the software solutions you want to authorise and secure them”, explains Bertrand Méens. Another possible solution is enrolment with Mobile Device Management (MDM) tools, in particular to guarantee the application of security rules and to have the capacity to remotely erase data from a terminal in the event of loss or theft.
CIOs, who’ve been very busy in 2020, already have an ambitious roadmap for the coming months, and a key role to play in organising enhanced cybersecurity in teleworking.