Out of Sight, Out of Mind

Riverbank Ruminations; Observations from the Banks of The Technology River

Tom Evans; Ashton Engineer Emeritus

In my role as a consultant for Ashton, I have been working remotely for the last five years or so—ever since I officially retired. For many people, remote work has been an adjustment. There may be some perks, such as working in more ‘casual’ (pajamas) attire. Additionally, you don’t have to put up with that problem employee that irritates you so much. Best of all, you don’t have to deal with corporate IT and their nagging about security.

That last one is a problem for many businesses, especially smaller ones. Large businesses have had remote workers for a long time. The recent migration to a larger remote workforce just meant they had to roll out more VPN support and probably buy a bunch of extra laptops. The infrastructure was already there, it just needed to be expanded. Smaller businesses were not set up for it. For them, remote work meant someone with a laptop took it home overnight, not for 3 months.

The Threat Surface Just Got Much Bigger

An increased remote workforce means the threat surface has gotten very large. The hard boundary of the office was already crumbling anyway, and the pandemic just punched a big hole in it. Because it hit quickly, businesses didn’t have the luxury of defining a plan and rolling it out gradually. For many security weaknesses were suddenly magnified.

Let’s look at one example. You have an employee who has a laptop that they have regularly taken home to do work. They are good about not using it for personal business and you have not had any issues with them from a security standpoint. Any time there was an issue, the employee checked with your IT person to get it resolved.

Now they are home. They have teenagers interested in computers, hacking, and getting games for free who have issues with their computers, viruses and ransomware. Your employee’s computer is on the same home network. Your hastily rolled out VPN gives your employee access to your servers that are still at the office. What protection is in place to prevent the consequences of the teen’s mistakes from propagating onto your network? If your employee has a problem with their laptop, can your IT person help them remotely? What if they can’t get online for remote support? How do you assure that your employee gets all the security updates needed?

Things To Consider When Working Remotely

The Cyber Readiness Institute put out a short paper with some tips for a remote workforce. There are 5 things they mention.

1. Focus on changing one behavior at a time with a monthly cyber readiness theme. Prioritize one behavior—like strong passwords/passphrases—to change or reinforce and make it the monthly cyber readiness theme.
2. Update your cyber readiness policies and procedures for remote work, as needed.
3. Send a short weekly alert to highlight new cyber threats and reinforce the importance of cyber readiness.
4. Hold a weekly 30-minute cyber readiness video meeting to share good practices for remote work and answer any questions.
5. Hold a friendly competition for Cyber Readiness Star of the Month with a video conference “Awards Ceremony.” Tie the topic to the monthly cyber readiness theme.

The Importance Of Security Can’t Be Understated

Most of these items focus on communicating specifically about the importance of security. It is impossible to overemphasize how critical it is that employees understand the importance of security. Very few of the data breaches and successful ransomware attacks are due to bad guys exploiting some obscure software weakness that no one knew about. Phishing is still the main vector of successful attacks. Hence the importance of item #3 above. Your employees need to know what is out there and how to identify it. You may be particularly vulnerable to certain types of attacks. Do you send wire transfers or process sensitive personal data? Different businesses will be attacked in different ways, so know what to watch out for and let your employees know.

I find that many businesses do not have policies regarding security, acceptable personal use of company resources (computers and networks), or even general conduct. This is problematic in two ways. Employees need to know what they can and cannot do. If you have a problem employee and you need to release them back to the wild, you might have issues if you lack policies outlining terminable offenses. The changes imposed by converting to a remote workforce bring up new issues to be addressed. Policies may be dull, and they may be a pain, but they are a necessity in the best of times and these are certainly not the best of times for businesses.

Many employees are working remotely, out of sight. Letting them be out of mind is a risk that can have serious consequences. The bad guys know the landscape has changed. They have adjusted. Have you?

Reach out to Ashton at 216 397-4080 if you’d like help or guidance around creating a cyber security plan for employees working from home.