COVID-19, Security and WFH: Myths and Misconceptions – Security Boulevard

admin on June 13, 2020 Leave a Comment

With COVID-19 stay-at-home orders still in place in many states, working from home (WFH) has become what is sure to be the new normal in the post-pandemic world. Given this, remote security should be at the top of every organizations priority list.

Yet, there remains a long list of common myths and misconceptions about remote worker security. And its easy to see how and why this can happen, especially in a world where staff went from working onsite to working from home practically overnight. But it is critical that businesses make themselves aware of what these myths and misconceptions are and address them with the urgency they require.

The list is long, so below are the five most pressing.

Video chat has exploded in to peoples lives over the last couple of months. What was until very recently used mainly as a meeting tool (with a video function that people often tried to avoid) has suddenly become an essential part of our everyday lives in the WFH environmentboth for work and recreation.

And the video app of choice has turned out to be Zoom. But many people are still operating under the misconception that Zoom chats are end-to-end encrypted when they are not. In fact, a number of privacy issues have come to light, such as Zooms iOS app sending data to Facebook without explicit user consent. While this issue has since been rectified, people are still operating under the encryption misconception when it comes to Zoom and other video conferencing apps, some of which are end-to-end encrypted and some of which are not.

Another common misconception that WFH employees are operating under is that VPN connections will work and that there will be sufficient bandwidth and licenses for VPN solutions. This may not be the case because VPN has always been somewhat of an afterthought.

Until COVID-19 took over our everyday lives, VPN was generally used only in special scenarios in which someone needed to work remotely or outside their usual working hours. Because of this, housekeeping, maintenance, management and administration of VPN are not very effective. Organizations dont have dedicated people to handle those things. VPN requires a lot of bandwidth and adequate licenses, and suddenly, with millions of us working from home amid the pandemic, everybody is trying to use VPN, which means issues with bandwidth and licensing that we just hadnt thought of.

VPN solutions also lend themselves to a common WFH security myththat VPN solutions are fully secure. They arent. Generally speaking, we dont see day-to-day housekeeping of VPN servers, such as patching. Compounding this, organizations are often not on the latest versions of their VPN.

This can mean a remote, unauthenticated user may be able to compromise a vulnerable VPN server and gain access to all active users and their plain-text credentials. An attacker also may be able to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Given this, and now that VPN has suddenly become so popularand is likely to stay that way in the post-pandemic worldwe need to make sure that VPN solutions are up to date and patched so that hackers dont see VPN as an easy vehicle through which to conduct an attack.

In some ways, it seems so obvious that personal device security is often a far cry from company device security, yet so many organizations allow personal devices to be used for company business without a second thought for security.

Its obviously a challenge even during normal times for remote security to be implemented on any personal device that might be used for company business. But during these extraordinary times, when companies had to set staff up to work from home literally overnight in many cases, its an understandable oversight.

Still, it can have catastrophic consequences if not addressed in the WFH environment. Firms must implement two-factor authentication, content filtering, identity and access management, encryption, auto backups, authentication and security monitoring to any personal device being used for company business.

These are some of the things that youd see in a typical corporate network, but we dont see on personal devices; its a long and dangerous list of disparities creating a myth of security that isnt there.

They dont, and this is particularly problematic in the current situation, given the massive rise in phishing and spam emails since the COVID-19 situation took hold.

And with the majority of organizations currently running their staff remotely, this problem is only magnified. The pandemic is giving rise to a huge amount of fear, uncertainty, anxiety, sympathy, greed and disorder, meaning clarity is easily taken advantage of.

This makes phishing emails even more effective because our defenses are down and we are sitting alone at home with no one to bounce ideas off, ask immediate questions of or get opinions from. We are vulnerable right now and hackers know it.

Its exceptionally important that companies stay on top of these latest and advanced emerging phishing attacks and stop operating under the myth that their remote teams are going to be able to spot a suspect email every time. They probably wont.

Read the rest here:
COVID-19, Security and WFH: Myths and Misconceptions - Security Boulevard

Related Posts
Posted in Encryption

Comments are closed.