3 minute read
Dean Dorton
How Working from Home is Impacting the Cyber Threat Landscape
“In a study conducted by the Ponemon Institute and IBM Security, 54% of responding organizations across industries had required remote work in response to the pandemic, and 70% of those respondents said that remote work would increase the cost of data breaches.”
Advertisement
In order to understand changes to the threat landscape, it’s important to take a step back and review what has changed from a broader IT and business perspectives.
When the pandemic struck, more than a year ago, many organizations had to rush in sending their employees home. Few organizations had an updated incident response or business continuity plan with detailed information on how to respond to a global pandemic. There was no time for planning, no time to go through thorough change management. In some situations, employees were simply given new laptops and were sent home as quickly as possible.
Many questions started to arise: How to use the technology? How to stay productive? But what about security and privacy? How to protect sensitive information and systems from unauthorized access and disclosure in this new paradigm?
Few organizations had a playbook that they could leverage for this scenario. Here are some interesting statistics from IBM‘s Security Work from Home Survey that supports this idea:
• 52 percent are using their personal laptops for work – often with no new tools to secure it, and 45 percent haven’t received any new training.
• More than half have not been provided with new guidelines on how to handle highly regulated PII while working from home. This is despite more than 42 percent of people who manage PII as part of their regular jobs now doing so at home.
• More than 50 percent of respondents don’t know of any new company policies related to customer data handling, password management and more.
Organizations need to update the scope of security and risk assessments to account for remote work.
For example, consider the diagram (at right) that depicts some of these new risks. Going through this updated risk assessment process, here are a few thoughts to consider: A lot of malware can infect computers via email or simply browsing the internet. Controls around protecting these activities can be different when working from the office vs. working remotely. At the office, there might be a web proxy or a firewall that is inspecting and protecting web traffic. If a there is not a VPN connection or an agent on remote devices, this might leave a gap in the control environment.
When talking about “handling sensitive data,” it is very important to understand the rules of engagement. For example, employees might be tempted to use their personal Gmail account or Google drive (or DropBox) to transfer sensitive business documents in order to access them from home. They may be focused on meeting a deadline and might not think about the data security risk. Consider how sensitive data is handled in its entire lifecycle: from storing, sharing, printing, to disposal.
Here are other examples of questions to address during a risk assessment:
• Can organizational emails be accessed from personal devices? Is the anti-phishing protection working from personal devices?
• Can all users install applications on laptops or do they need to go through IT for installation? Users should not be local administrators of their devices as malware could do more damage.
• Is there a list of authorized applications that can be safely installed and kept up to date?
• Are remote computers fully managed and patched? Can IT deploy security updates remotely?
It’s important to review your risk assessment framework and see if and how these risks apply to your organization in this new paradigm post-pandemic.
