COVID-19 has been wreaking havoc in the US (and across the globe) for over 8 months now, with no signs of abating. And all this while, we’ve heard much talk about remote working and #WFH cybersecurity measures. These days, we live in an era where every voice can easily be heard, thanks to the Internet and the various methods we’ve invented to leverage it. By that, I mean social media, blogs, webinars, YouTube videos. You name it.
Several years ago, my PR team kept asking me for comments on breaches. Such news was so frequent that it got to the point where I was literally copying and pasting comments from one incident to another. I kid you not. Unfortunately (for me), they noticed, but (fortunately for me) we ultimately agreed they wouldn’t ask me for comments on breaches anymore (phew).
Because once you’ve talked about something so many times, what fresh perspective could you possibly come up with, while still sounding intelligent? What new message could one deliver once you’ve talked about it ad nauseam?
Eight months into the pandemic, I’m now feeling exactly the same way where “security during the outbreak” is concerned. Or, more specifically, “#WFH cybersecurity”. We’ve said it all. Enough already! If you haven’t been listening, you were either very sick or living on another planet. A short while back, I saw a recommended toolkit for remote work from CISA (the Cybersecurity and Infrastructure Security Agency). My first reaction was, “It’s about time we highlighted #WFH cybersecurity; after all, we’ve only been at this since February”. But after reading a few paragraphs, I couldn’t stop yawning because, once more, it’s a rehashing of the same ole, same ole.
No more, no less.
And yet, how could I possibly have expected otherwise? After 8 months of the entire world talking about nothing but the one same topic, it’s only to be expected that we’ve pretty much said everything that could possibly be said. Use the VPN. Don’t connect to unknown networks. Encrypt your laptop, don’t let any family member use it. Install tools to increase visibility and bolster your #WFH cybersecurity posture. Adopt a SIEM.
You get the point.
However, I did hear something new a few days ago. Someone claimed that a VPN is neither necessary nor sufficient as part of #WFH cybersecurity measures, yet proposed no alternative. I’m perplexed, to say the least. Could it be that the virus has gotten to us all? If not via actual illness, could it be affecting our mental faculties? So much so that some of us are starting to say things that make no sense? I’m fully aware that my words are dripping with sarcasm, I am. In truth, I’m starting to wonder if the coronavirus has begun to drive some people mad!
Using a VPN with two-factor authentication is, and remains, the only way to properly connect your users remotely.
Anything else is just a risk.
Yes, there are other tools such as Citrix and GoToMyPC, to name two, but none of them achieves the flexibility of an SSL VPN for the same price.
SSL VPN is free! Period. It was created by an open-source consortium and is available to anyone. If you purchased a VPN from one of those providers who make you pay ‘per user’ licenses, move on. There are plenty out there that come free with your firewall. And for 2FA, be sure to adopt a VPN that uses TOTP. It was a Google initiative, which they decided to make open source, and therefore it, too, is free. There’s no need to pay for the 2FA feature. I really can’t understand why companies spend money on these applications and don’t seem to trust open-source tools.
Is there really anything else that we can say about #WFH cybersecurity though?
I’m really not sure at this point, so I won’t even try. What I will do is address those who think that remote work is temporary, by saying they’re not properly evaluating what’s happening. I was reading an article in which Stewart Butterfield, the CEO of Slack, makes the point that things aren’t going to change back to what we used to call normal, not anytime soon, and in fact, not ever. While this seems very obvious for large corporations, I’m convinced the same will apply to every company that isn’t retail and/or doesn’t require face-to-face interaction. In other words, with the exception of B2C stores and F&B outlets, your employees aren’t coming back. And even in those service industries, employees in the back office aren’t likely to come back either.
Too bad chefs can’t work from home!
If you’re skeptical, read Stewart Butterfield’s article. He makes an excellent point. If you force employees to come back to the office, some other employer won’t, and they’ll move on and leave you. Yes, of course, once in a while they’ll still need to come in, for face-to-face meetings, the “all hands on deck” sort of meetings. But that won’t be the norm, my friend, no, it’ll be the exception. As Butterfield correctly points out, “What do your employees do in the office that they can’t do at home? They likely work isolated, staring at their computer all day long anyway”.
He’s not wrong.
And while I do advocate that teams need to be close to each other, modern unified communication technologies have made the physical presence irrelevant. Close no longer means in close physical proximity, it simply means “connected”.
What does all this mean from a security standpoint?
Well, to put it succinctly, IT people need to get used to this new norm. That’s all there is to it. And those tools they’re still resisting purchasing because, “Oh, we won’t need them in a few months, so why bother!!”? Well, my IT peers, give in and give up. Buy these tools, because you will need them.
Go for it, and do it now.
You’ll close the security gap faster, hence avoiding risks you’re exposed to now, and you’ll set yourself up for successfully managing a remote workforce that’s just not coming back to the office.
The real issue remaining is that apparently 66% of remote workers at small businesses aren’t properly protected and/or trained. Oftentimes, they’re left completely unaware of the new issues they face, and that’s most likely because their own business owners are unaware as well. Now, let’s face it, most users aren’t interested in how the Internet works. No, they want to turn on the computer and navigate their way to completing the day’s to-do list. You can’t expect them to suddenly become IT savvy and protect themselves. Which means we still have a lot of work to do in educating and sharing the knowledge, to evangelize.
And by “we”, I mean the cybersecurity community at large.
We must find ways to communicate with this “silent” majority who, for some unfathomable reason, no matter how much news they read about #WFH cybersecurity measures, still believe it’s never going to matter to them. The situation isn’t just about assuring your peers and colleagues that security is done properly. In most cases, apparently, it’s more about ensuring that it’s done at all.
So, what do you need to do?
What security do you need?
What do your users need to do?
We will discuss that in another post.