In the past several months, organizations were forced to quickly adapt to “the new normal” of employees working from home on personal devices, while connecting to corporate networks and accessing enterprise assets. That organizational scenario can be a compliance nightmare, assuming the associated security risk doesn’t already keep you up at night.
Of course, it’s not all bad. There are real benefits to both companies and their staff in working from home. Many employees no longer commute to a physical office, enabling them to start work sooner, and organizations are achieving greater productivity through the rapid and widespread adoption of collaboration tools. Operational costs decrease when employees provide their own workspace, network connection, and even their own devices. And I can personally attest to enjoying more time with my family during lunch. The remote work experiment has been so successful that major companies like Facebook and Twitter plan to make the shift permanent.
But the flipside is that the protection of the corporate network perimeter is gone, and organizations have little or no visibility into home networks. Some remote work security solutions, such as VPNs, were not designed to handle the scale of a full-time remote workforce. Organizations that did not previously allow remote work had to sprint to implement new policies and procedures.
People within the organization need to adhere to these policies and procedures to avoid any action that jeopardizes data or assets. Employee education is the first line of defense.
One solution to securely enable work from home when Bring-Your-Own-Device (BYOD) practices are in place is a Mobile Device Management (MDM) solution. MDM is designed to give remote employees mobility and productivity while maintaining an adequate level of security. But those solutions are only as good as their implementation and management by the organization. Data loss prevention (DLP) software can also help lock down a home environment, but it requires specific policies and procedures, such as disabling USB storage on endpoints. If these policies are too restrictive, an employee may find it more difficult and less efficient to work from home than from the safety of the corporate network. Conversely, if the policies are too relaxed, the risk of unauthorized access to or disclosure of data is much higher.
From conversations with A-LIGN customers, we have found that most organizations begin with a combination of VPN and multi-factor authentication, or they adopt a zero-trust architecture, but that is only the start. Every organization also needs to understand its own architecture in order to identify its attack surface. Penetration testing can help identify and highlight some of these risks.
Ultimately, it comes down to knowing where your assets reside and implementing the security training, policies and procedures needed to protect them. NIST published its Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (SP 800-46 Rev. 2), which addresses many of these remote work challenges and solutions. We also recently recorded a webcast – “The New Norm: The Realities of Remote Work” – that delves into this topic in greater detail.
Contact A-LIGN to learn more about our wide array of penetration testing options, including network layer testing, mobile application testing, web application testing, wireless network testing, and remote social engineering.