Cybersecurity starts at home – Managing the risks of working remotely

20 May 2020 | Wai Kit Cheah, Director, Product Management (Security), CenturyLink Asia Pacific

As governments and citizens work hard to overcome the spread of COVID-19, one of the largest containment measures implemented globally has been the massive shift to remote working. Life has changed so rapidly over the past few weeks; in my own base in Singapore, we have seen ‘Circuit Breaker’ measures extended further1, which means that I will be spending a lot more time attending meetings from my home office than initially anticipated. Fortunately, I have already had quite some time to adjust!

While many companies have had to scramble to accommodate this phenomenal change in working practices, there is another crucial focus area for supporting a remote workforce: new and increased cybersecurity risks. While driving business continuity operating procedures, CIOs have had to rethink priorities, grapple with challenges such as shortfalls in technology tools2, and consider an increase in cybersecurity investments. As the cyber threat landscape broadens, attacks are also becoming more sophisticated and constantly evolving; just recently CenturyLink’s Black Lotus Labs uncovered a new Mozi malware family that was previously believed to have already been in existence.

Technology and collaboration tools have for the most part enabled businesses to carry on business as usual while maintaining productivity. However, there have been several instances of major security issues, including Zoom Bombing3, where online trolls took advantage of system vulnerabilities to interrupt meetings. There are other security challenges as well: IT managers and administrators cannot control home WiFi networks, which may use weaker protocols and have a number of devices connected to them (including gaming), nor can they check whether the devices’ firmware has been updated or patched. It is not uncommon to find home WiFi routers that still have their default passwords unchanged, are set up without adequate control protocols, and are not using WPA2 encryption. Additionally, threat actors love to exploit real-life emergencies and quickly mobilize to increase ransomware and phishing attempts, and an over-reliance on Virtual Private Networks (VPNs) is causing data protection issues4.
While security measures are absolutely valid for anyone, they are especially important at this time when the majority of professionals around the world are remote working5.
 

Maintaining security when employees work from home 

In my experience, there are ‘3Ms’ culpable for cybersecurity breaches in an organization: Mismanagement, Misconfiguration, and Mistakes. Of these, I have found that people are usually the weakest link, particularly because there may often be a lack of awareness, lack of competencies, and lack of care.

‘Staying home’ has been central to efforts in combating the spread of the novel coronavirus, and this got me thinking more about applying a similar approach to cybersecurity threats. Perhaps ‘home’, literally and figuratively, is also where organizational threat defense efforts need to start and, indeed, be ramped up at a time when remote working is mandated. To put it simply, business leaders should dive deeper into a people-centric approach towards security and lay greater responsibility in the hands of their own employees, moving away from the belief that cybersecurity is just an IT department’s responsibility. There needs to be a fundamental shift in securing an organization’s data and intellectual property, and that lies in equipping people with the right tools and knowledge to detect and mitigate risks.

Security is a people business, and never has it been more important to place some of that responsibility into the hands of your own employees. As mentioned before, a virtual workplace has also meant that some layers of security are difficult to manage; in efforts to maintain business as usual, remote workers are now accessing more data and critical business software and systems from networks, and maybe sometimes even devices, that are not managed by their organization.

Particularly now, during the COVID-19 crisis, there are a number of ways to develop security awareness across the organization, including:

1. Frequent communication

Employees need to be constantly reminded not to share their personal and corporate information openly and be cautious of phishing emails, unverified websites, or other avenues which might introduce malicious software to their endpoint. Attackers are known to take advantage of human weaknesses, especially now when people have been cooped up and isolated at home for extended periods of time and are hungry for news and information and connecting virtually with others. 

2. Strengthen security controls

Enabling your employees to connect to the corporate network via VPN extends the reach of secured corporate assets and workloads to remote employees. But VPNs are not bulletproof; it is equally critical to have a strong authentication mechanism in place, with strong passwords and preferably at least 2-Factor Authentication (2FA) to access a VPN connection. Similar to Singapore’s ‘Circuit Breaker’ measures, critical assets should be segmented out and isolated so that only those with the appropriate privileges are allowed access.

3. Get C-suite support

Help leadership understand the repercussions of data breaches and losses to enable effective planning and defense strategies. Methods such as embedding cybersecurity into business continuity plans6 and increasing investment in security awareness training for employees lay a more stable foundation for protecting an organization’s assets.

Developing and improving cyber intelligence and cyber literacy among a workforce, especially for home-based workers, will ultimately become important digital business priorities to reduce risk stemming from internal sources. It is for these reasons that a vendor-neutral community such as SANS Security Awareness7 exists, bringing together cyber security specialists from across the industry to create comprehensive and globally relevant content and training programs for the entire organization. However, this does not mean that the onus lies only with employees to protect your business; rather it is about establishing systems to ensure adherence to security policies.

Evolving your cybersecurity policies and strategy

Digital trust in itself is an ecosystem comprising several touch points: suppliers, customers, business partners, and employees.
 

This ecosystem is where most of the cybersecurity dangers are and the threat surface is wide; it would be a huge undertaking, if not often impossible, to gate and firewall everything and therefore background checks would be vital. For most organizations, the view on cyber security is very technology (i.e. tools) focused. A robust connected security model involving people, processes, and technology is actually what will help evolve your cybersecurity program.  

Having a well-defined asset lifecycle management program and data classification in place allows organizations to create security zones and granular role-based access controls, including segmentation of their assets. With proper segmentation, organizations would be able to apply appropriate access control policies, which in a way ring fences assets and data according to their criticality.

But it is not only the private sector that has fallen prey to security breaches caused by human error; the discussion is also pivoting to the public sector, with the large data breach from an agency of Singapore’s Ministry of Finance being a glaring case in point8. Promisingly, we are seeing greater emphasis on collective responsibility; the Cyber Security Agency of Singapore is one example of an APAC government agency that actively supports organizations through grants and resources to develop cybersecurity capabilities9, while Australia’s cyber security strategy10 has come under new review to take into account the balance of responsibilities among individuals, businesses and government.

A well-rounded cybersecurity program has never been one that has focused solely on an internal IT team – the strain on resources would simply be too big a burden.
 
It is times like these that reinforce why support from trusted partners can help ease the workload and vastly strengthen an organization’s security posture. Threat-defense capabilities can be extended through solutions such as Adaptive Threat Intelligence, for analysis and data that you can act on, and Managed Security Behavioral Analytics, to help monitor breach of access privileges and network activity for detecting potential threats. Additionally, there are training tools designed to help employees understand the security implications of their actions and change their behavior. Improving cybersecurity awareness among employees has also been valued by CenturyLink global customers over many years.

Building a security-minded organization 

Creating a culture of security cannot be expected to happen overnight; rather, it’s a transformation that begins by demystifying technology and preparing your employees to be vigilant of cyber threats in their myriad forms, and to know how to respond appropriately. Cybersecurity professionals recognize that threats are always evolving, but the consistent vulnerability is people internal to an organization.

Although security measures such as antivirus software, firewall and system updates are managed by IT departments, employees too can be empowered with education on how to prevent breaches on their end.

Raising knowledge and accountability among the workforce will translate to better customer satisfaction, brand loyalty and digital trust – and these are the values that need to be constantly communicated and upheld to underpin the overall importance of cybersecurity and why it starts at home. 


1 ‘PM Lee’s address on the COVID-19 Situation in Singapore’, Gov.sg, Apr. 21, 2020
2 Natalie Gagliordi, ‘How remote work is changing CIO priorities amid the COVID-19 pandemic’, ZDNet, Apr. 9, 2020
3 Rae Hodge, ‘How to prevent Zoombombing in your video chats in 4 easy steps’, CNET, Apr. 29, 2020
4 Joseph Menn, ‘Hacking against corporations surges as workers take computers home’, Reuters, Apr. 17, 2020
5 ‘Surge in Remote Work Increases Cybersecurity Risks adding to COVID-19 Pandemic’, CISOMAG, Mar. 19, 2020
6 Michael Coden, Karalee Close, Walter Bohmayr, Kris Winkler, and Brett Thorson, ‘Managing the Cyber Risks of Remote Work’, BCG, Mar. 20, 2020
7 SANS Security Awareness
8 Eileen Yu, ‘Security lapse exposes personal data of 6,500 Singapore accountants’, ZDNet, Nov. 22, 2019
9 Singapore’s Cybersecurity Strategy, CSA Singapore, Oct. 2016
10 Australia’s Cyber Security Strategy, Australian Government Department of Home Affairs

This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided "as is" without any warranty or condition of any kind, either express or implied. Use of this information is at the end user's own risk. CenturyLink does not warrant that the information will meet the end user's requirements or that the implementation or usage of this information will result in the desired outcome of the end user. This document represents CenturyLink’s products and offerings as of the date of issue. Services not available everywhere. Business customers only. CenturyLink may change or cancel products and services or substitute similar products and services at its sole discretion without notice. ©2020 CenturyLink. All Rights Reserved.
