Bitglass warns of Covid-19 home-working perils

Covid-19 is disrupting businesses on a global scale. Thousands, if not millions, of people are working from home – but many are at risk from security issues.

However, Bitglass CTO Anurag Kahol cautions that not all companies are prepared for their employees to work remotely.

Pre-Covid-19 there were reasons why a company might need its employees to work from home at short notice – bushfires, floods, or public transport strikes.

Certain companies need their employees to continue working through such a crisis, using either corporate technology or their own laptops and mobile phones.

Clearly there are benefits from home-working, the most obvious being saving on commuting time. But while remote access can raise productivity, if an organisation omits to insist on use of the proper security tools, staff are left at risk from various threats.

What can organisations do to ensure their employees are working securely from any location, no matter what disruptions might arise?

Kahol says that those which maintain onsite workforces should encourage employees to work through VPNs and access corporate network and cloud resources from managed devices that have software agents such as mobile device management.

But these approaches can create latency issues which make it difficult to deploy and track all web traffic on the users’ devices, including personal applications. Such an approach invades employee privacy and violates compliance frameworks such as the General Data Protection Regulation (GDPR).

Organisations that previously lacked the proper technology should consider how they can adapt to handle any future incidents where employees are unable to come into the office. Bring your own device (BYOD) policies allow staff to use personal devices such as mobile phones, and to work remotely. BYOD allows people to get the job done whatever unforeseen incident occurs.

However, there is still a risk of data exposure when employees can download and share from personal devices, remote locations and unsecured networks. So it is essential that security controls are in place when companies implement BYOD and allow employees to work remotely.

According to Bitglass’ Kahol, it is critically important for organisations to maintain visibility and control over data as it is accessed by unmanaged devices. Unless they can see and control user activity on personal endpoints, organisations may suffer unauthorised data access, malicious external sharing, or an inability to protect downloaded data when employees lose their devices or have them stolen.

He urges organisations to use data loss prevention (DLP) tools to prevent data leakage by identifying and controlling sensitive data at rest and upon access. With visibility and control, a business can prevent data from reaching the wrong hands and leading to a breach or potential exposure.

Identity and access management, such as multi-factor authentication (MFA) or user and entity behaviour analytics (UEBA), must be utilised. These can detect abnormal activity and address mobile security threats.

MFA requires a second form of identity verification, which ensures that users are who they say they are. After inputting their passwords, users are asked to verify their identities again through a token sent via email or through a text message.

UEBA learns behaviour and collects a detailed report, alerting every user to be wary of any suspicious activity. For instance, if a user usually logs in from Sydney but signs on from Brisbane, it will send an alert to ensure the user’s account has not been compromised.

As a minimum, single sign-on (SSO) should be implemented, as it securely authenticates users across all of an enterprise’s cloud applications.

Also essential for protecting corporate data on personal devices is agentless security. Agent-based tools that demand software installations on personal devices disrupt user privacy and harm device functionality. Mobile device management (MDM), for example, holds more data than employees realise, including login credentials in plain text.

Additionally, when MDM wiping capabilities are used to remove corporate data, everything is deleted from that device, including personal pictures and contacts.

Using agentless tools assures IT of the necessary security and compliance, while the user does not feel invaded. Companies unprepared in advance for an abrupt remote workforce change can take advantage of agentless security at any time as it requires no installation on the end devices themselves – which is impossible to do under quarantine conditions.

With so many unexpected factors, companies must be prepared for their employees to work remotely at any given moment. Some incidents, like bushfires or a global pandemic, are out of anyone’s control, and emergency work continuity and security plans should be discussed to protect a company from malicious threats and the need to halt its operations. Enabling a remote workforce securely with BYOD represents a huge business advantage, especially when the unthinkable happens.