A permanent after-effect: Closing home office IT security holes
July 1, 2020

Security holes: So now we have seen this too: the world under house arrest. The old dictionary was put to use again, this time as the base of a makeshift height-adjustable desk, so that the home office did not generate any additional work for our country's ergonomists and chiropractors.

And despite a bit of start-up panic, the vast majority of people actually came out with quite a good experience from home office work.

In Denmark, we registered no drop in productivity at our home office workplaces. In fact, in many cases it rose a bit. Meetings on Zoom and the functions of Teams have made it relatively easy for people to get used to their new daily routine, even though we will all soon be packed together on the same perch again.

As home office workplaces also come with an unprecedented flexibility, which most employees have come to love, the turbo acclimatisation to home work will, in all likelihood, have far-reaching effects well into the future. Looked at in this way, that is very good news, since we now know that companies can continue to operate even if their employees are not in the same office day in, day out.

Nevertheless, there is one problem. A big problem indeed.

Security holes.

Home office workplaces pose challenges to IT security

Home office workplaces have brought with them a previously unknown range of IT security risks. Even if we have all learned to navigate Zoom and Skype, we are not at all used to handling, or even thinking about, IT security when we are in the comfort of our homes, with a cup of filter coffee in our hands and the garden door ajar.

We are not accustomed to paying the same kind of attention to threats lurking right on the other side of the VPN network when we are sitting in our own living rooms.

In isolation, our colleagues cannot exercise the same social control over us: nobody is there to remind us to lock our computer when we step away from it, and nobody is there to insist that we only use software approved by the IT department when it is so much easier to just share the dataset with Tove over WeTransfer.

Thus, the reality after COVID-19 means a continued low security standard for quite a few employees.

Therefore, you as IT manager must be extra mindful of your role and, just like a boxing coach who keeps yelling, in the corner of the ring, “Put your hands up—protect your head!”, you must also take some extra safety precautions to keep intruders out of your IT systems.

As IT manager, you have to intervene, and our recommendation is that you keep a watchful eye on the following 5 items:

1. COVID phishing—the new and preferred strategy of hackers

You should know that hackers do not close shop as a token of post-corona sympathy. No, very much the reverse. As in all previous catastrophes and crises, criminals are poised to take advantage of the situation.

We saw this in 2001, when the World Trade Centre collapsed; we saw it during the tsunami in 2004 as well as when the global financial crisis hit in 2007-08. And we see it again now:

Hackers take advantage of global confusion, ramping up their activities with cascades of coronavirus-related phishing emails and stopping at nothing to intercept your users’ login credentials.

The corona-related phishing emails come in various disguises:

  • Health authorities, SKAT, other public authorities
  • Non-profit and aid organisations
  • Financial institutions
  • Subcontractors (who, for example, offer a helping hand)

2. Do not permit private computers

Most major companies and organisations have mastered this point. As soon as Mette Frederiksen closed down the country, a great many of the country's IT departments placed orders for additional laptops.

They were going to furnish all their employees with laptops so that work, even at the home office, could proceed in a controlled environment that met all of the IT department's requirements.

However, the situation is somewhat different for the entire stratum of small and medium-sized enterprises. Suddenly having to buy lots of new laptops so that all of your employees can take their work home with them is a costly affair for a company that was perhaps already facing a period of enormous uncertainty when it comes to customers and revenue.

Not exactly a welcome task when you would simultaneously rather tighten the purse strings.

Separation of private and professional life is essential for security

Nevertheless, the alpha and the omega of IT security is maintaining a strict separation between private and professional life. Private computers must be used for private affairs, work computers for work ones.

If you allow your employees (albeit temporarily) to use their private computers for work, you lose all control over the security of those computers: which versions of Windows or macOS they run, whether they are patched, and what the computer is otherwise used for.

In other words, it is not good enough to install a VPN client on your employees' private PCs. What happens if they inadvertently install a Trojan horse that simply sits there waiting for them to key in their login credentials?

So, costly or not, if you want your employees to work from home, you will have to buy laptops for all of them. There is no way around that if you want to maintain control.

3. More logins mean more risk zones

Just as we are advised to limit our contacts to avoid infection with the virus, every extra login to a secure system is one more chance for a hacker to intercept a password.

When everyone is away from the office, the number of logins sky-rockets—to the VPN, to the email, to Teams and, yes, to all the social media that give you the daily social fix during lunch break (and—who are we kidding?—at all other possible times).

In other words, hackers get an awful lot of chances on any given working day.

It is therefore also even more important for your employees to use different passwords and usernames for the different services they access.

Use different passwords everywhere

It is not enough to change your password once every quarter—no, the most secure approach is for each individual employee to have different passwords for different applications.

As IT manager, you should therefore put pressure on your employees to install and use a password manager. A password manager (e.g. LastPass) allows employees to have different, complex passwords for all the services they access without having to remember any of them.

Considering how many people access highly sensitive systems on a daily basis, the number of employees using password managers can never be too high, and you as IT manager must simply make sure that your employees' login credentials for Facebook, Gmail, katteforum.dk and your secure IT systems are not the same.

4. Keep kids away from your work computers

I know several guys who have no other computer than the one they got from their employer.

There is nothing wrong with this, but the problem arises as soon as Malthe, age 9, has to be entertained with a YouTube film or a computer game. Your work computer suddenly turns into a family computer, and the question is then whether Malthe, age 9, is as alert as his dad to suspicious links, or to a message saying that he has just won 100,000 Danish kroner because he was visitor number 35 to the page.

Children's activities at a workstation therefore always pose a serious risk, and when the parents are suddenly at home working all day long, this risk is multiplied because the workstation is so much more accessible. After all, it is already switched on!

As IT manager, you must therefore make it abundantly clear that the work computer is intended for work, not for entertaining children.

If you start suspecting excessive family use of work computers, consider whether it makes sense to monitor access to selected domains (for example, YouTube) from work laptops, so that you can see when things escalate rather than having to guess.
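As an added example (not code from the original post): a small Python script that counts requests to watch-listed domains per work laptop from a proxy or DNS export, so that escalating family use shows up as a number instead of a hunch. The log format, hostnames, watch-list and threshold are assumptions, and the log lines are constructed.

```python
"""Added example: flag work laptops that repeatedly reach watch-listed domains.

Assumes a proxy/DNS export with one request per line in the form
'<ISO timestamp> <hostname> <requested domain>' (assumption).
"""
from collections import Counter, defaultdict
from datetime import datetime

# Domains the IT manager has chosen to keep an eye on (assumption).
WATCHLIST = {"youtube.com", "twitch.tv"}

# Constructed sample log: timestamp, laptop hostname, requested domain.
SAMPLE_LOG = """\
2020-06-15T09:02:11 LAPTOP-ANNA youtube.com
2020-06-15T09:05:40 LAPTOP-ANNA teams.microsoft.com
2020-06-15T10:12:03 LAPTOP-ANNA www.youtube.com
2020-06-15T10:15:55 LAPTOP-ANNA youtube.com
2020-06-15T11:20:17 LAPTOP-BO www.youtube.com
2020-06-15T11:44:09 LAPTOP-BO sharepoint.com
2020-06-15T12:01:30 LAPTOP-ANNA youtube.com
"""


def base_domain(host: str) -> str:
    """Reduce 'www.youtube.com' to 'youtube.com' (keep the last two labels)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_log(text: str):
    """Yield (timestamp, hostname, base domain), skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # wrong field count: ignore rather than crash
        try:
            ts = datetime.fromisoformat(fields[0])
        except ValueError:
            continue  # unparsable timestamp: ignore
        yield ts, fields[1], base_domain(fields[2])


def watchlist_hits(text: str, threshold: int = 3) -> dict:
    """Return {hostname: {domain: count}} for laptops whose total number of
    watch-listed requests reaches `threshold`."""
    per_host = defaultdict(Counter)
    for _ts, host, domain in parse_log(text):
        if domain in WATCHLIST:
            per_host[host][domain] += 1
    return {h: dict(c) for h, c in per_host.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for host, counts in watchlist_hits(SAMPLE_LOG).items():
        print(f"{host}: {counts}")
```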

5. Shadow IT can gain more ground

Is there a bigger irritant at work than a slow computer? We are all aware of the problems, and we have all angrily closed browsers or pressed refresh in a desperate attempt to raise load speed.

When all work on your servers must go through a VPN, it is extremely important that your servers and your VPN solution be geared to handle the greater traffic.

If you do not do your best to keep users’ working speed up, the risk is that they will try to find other solutions and will suddenly start sharing files and data outside of your secure systems.

Services like Dropbox, WeTransfer and even file transfers on Facebook Messenger are tempting options if you find yourself trapped again in a loading loop or if you are thrown out of the VPN time and again.

The speed of your systems is decisive

If you want to limit your users' need for so-called shadow IT, you must make sure that they feel the distance between them and the office as little as possible.

You must make sure that the systems are lean and load quickly so users do not fall for the temptation to move the video conversation from an overloaded Teams to a user-friendly Messenger chat, a consumer-grade Zoom call or suchlike.

Try to implement the right solution instead of the easiest one. This is not easy, but it will prevent your data from suddenly finding its way to obscure sharing platforms and ending up being scattered all over unfamiliar servers.

Summary

When all is said and done, much of the above is a question of training your colleagues. They are not accustomed to having to deal with IT security when they are at home, and you as IT manager will therefore have to help them cope with the new situation.

Make sure that:

  1. You handle the higher threat of phishing
  2. Your employees only use work computers when they work at home
  3. Your employees use different passwords for all services
  4. Work computers are only used for work and not for, e.g., YouTube for the kids
  5. Your system speed is high enough to prevent file sharing via unknown third-party services

Even if many people are ultimately back within the walled security of the office Ethernet, you can expect more employees in the future to choose a home office day during the week, or perhaps a month's working holiday in Bali so they can drink rainbow drinks at the end of the working day.

The actions you take to secure your home office workplaces now will therefore not be redundant when we go back to “normal”.

Very much the reverse, you can presumably expect this “normal” that we are all talking about to be a completely different and much more flexible normal than reality before the coronavirus.