Type to SearchView Tags

Does the Shift to Work-From-Home Leave Security Vulnerable?
Abhisek Das Senior Project Manager | November 30, 2020
347 Views

Co-author: Badrinarayanan S

Our stars are not alone to define our destiny - The unfathomable spirit of the human race to cope with any situation has changed the course of history multiple times. Be it the invention of fire or the wheel; humankind has always retaliated to conditions with the appropriate response over centuries. When COVID-19 first appeared, businesses were not prepared for such an unprecedented situation. But over time, people learned to live with it and strive for excellence in the transformed world.

Zero-touch contact centers, home offices, artificial intelligence, and augmented reality/virtual reality are mere stepping stones in pursuing excellence and digital transformation. Addressing these COVID-19 challenges were not so simple– its contagious nature, the patients' many undefined symptoms, and complex socio-political angles made it extremely difficult to devise a proper and focused response strategy. While enterprises decided to isolate their workforce and let them work from home, other challenges came into the picture.

'Working from home' typically means not working from the office. Even though work from home looks simple by appearance, the actual task at hand is more challenging– the absence of office not only voids corporate facilities but also poses a risk toward cybersecurity. Over the years, organizations have understood the importance of protecting the business' particulars and intellectual property for themselves and their customers (a significant distinguishing factor); realizing unauthorized information in colored hands will be futile for data security.

The absence of offices not only voids corporate facilities but also poses a risk toward security.

But, this gargantuan change in working, in terms of lifting onsite employees and shifting to remote home-based locations, made their cybersecurity vulnerable, as hackers are trying to usurp company and customer information, and crackers are trying to break the enterprise security framework. These attackers are creating new work-from-home challenges, exploiting all opportunities by setting traps, sending phishing emails, innovating unconventional means to crack data security, and gain access, control, knowledge, insight of information, identity, and frameworks.

Work from anywhere sounds interesting, intriguing, and concerning. However, working from a less secure, crowded, unclean, demotivated, interference-prone workspace with a poor work ethic, non-standard organizational policies, a less mature authentication, and authorization process, public or shared Wi-Fi using a personal device, the use of unauthorized apps, and leveraging of public collaboration platforms, etc., are just a few setbacks enterprises are facing for this transformation in work culture.

According to a market study, corporations focus on stringent access control, end-point security, and VPN connectivity amid work from home to ensure end-to-end encryption, authorization, and access mechanism to ensure righteous access to resources. They are also prioritizing organizational change management initiatives to train and motivate people for robust cybersecurity. But unprecedented times require disruptive solutions. Taking conventional measures is a mere foundational activity for overall security alignment. We should go above and beyond that.

Thieves are smarter than cops. They are more proactive than reactive. Attackers are improvising to dodge traditional security nuances, creating newer means. As an example, attackers follow and study the object to devise a behavioral pattern. Remember, enterprises are not the only entity that benefitted from modern analytics and intelligence; attackers are reaping value out of it as well. Attackers connect the dots across platforms and stalk objects to lay lucrative traps, making it more difficult even to detect, leaving aside conventional retaliation strategy.

So, organizations are leveraging AI/ML-driven security strategy with a robust framework to address these security threats. But still, there are many situations where organizations are still trying to find an answer:

  • Work from home can be done from a relative's house, friend's home, or a public place apart from one's own home; this not only increases the scope of IP theft either from personal or official devices but also the risk of physical security
  • Unwanted people overhearing/peeping into communications happens while attending calls/responding to messages/emails from public places 

We must understand these people are not so-called attackers, or sometimes they don't even want to steal information willingly. Let's take a closer look at the below scenario:

  • A is an employee of Organization' A'
  • B is an employee of Organization' B'
  • A is socially associated with B

Now, employee A got to know about a stream of communication between employee B and his colleagues, which revealed that Organization B is bidding for an RFP released by Organization ‘C'. Employee A may grab that piece of information and pass it on to others knowingly or unknowingly.

There can also be a scenario where the employee lets their family members use a personal device for certain important transactions from a humanitarian ground (a banking transaction, immediate hospitalization, ordering groceries, etc.). While the employee is trained in security standards, and the DOs and DON'Ts, the family members aren't, and it may expose the device to attackers.

We did some studies and have seen incidents in which people stole a common friend's identity and hacked the account on their mobile. Through mobile, they start extracting personal information and controlling the device to get access to more premium information.

On a personal front, this data comprises personal information and financial data, and on the organizational front, it is IP or end-customer information. As a whole, this changed scenario left security vulnerable, and even if organizations are taking stringent measures, there is always a little more left to do to prevent exposing the enterprise to risk.

Sounds depressing? Absolutely Not. Over the last decade, we only talked about digital transformation, but COVID-19 accelerated it. Enterprises have now started to believe that innovation is the only key to survival. The same is applicable for security.

Over the last decade, we only talked about digital transformation, but COVID-19 has accelerated its adoption.

New challenges require refreshed ways to take them down:

  • Continuous authorization, continuous access without impacting UX
  • Bio-metrics-driven, location-driven rights control 
  • Changing level of access and running resources on a separate and isolated instance for guest users and based on where they are (differentiating GPS coordinate-based grant of packet rights) 
  • Location- and surroundings-aware authorized devices to work 
  • Enable VM to work remotely
  • Ethical hacking as a service to gauge and repair vulnerability
  • Encouraging employees to continuously try and hack into their organizations or point a finger into a lapse percolated up to fix with the InfoSec team of the organization
  • Differentiated approach from organizational change management– reward and recognition to find security glitches 
  • Human-focused approach– treat employees as essential assets over-treating them as resources to deliver work

But we can't stop here. We can't allow stalkers and attackers to gain the upper hand. We must continue, and we must innovate to revolutionize security and safeguard critical information while still driving digital transformation. Gone are the days when the job was left to antivirus software and firewall rules to block unwanted programs and people to come in. We need the enterprises to continuously evaluate flaws around frameworks and initiatives and innovate for futuristic measures.

While revolutionizing the process and technology aspect of security, we must understand– it's the people who will drive it. Organizations are meant for the people, run by the people, and deliver value to people. We should start keeping the people aspect as the focal point as they are modern-day ‘knights’. Relying on their chivalrous code of honor, ethics, and morale can change the tide of war at any point in time. A refreshed outlook, overall sensitiveness, and a robust strategy to practice security with continuously innovating processes and technologies, along with a full human-centric execution model, will help us fill the gap in the security space. Let's join hands and be part of this global transformation together.

While revolutionizing the process and technology aspects of security, we must understand that it’s the people who will drive it.

To learn more, please visit hcltech.com/cyber-security-grc-services

References:

  1. Facebook identity theft, which may lead to leaking of information https://www.alabamanews.net/2020/06/16/what-the-tech-how-hackers-can-steal-your-facebook-identity/
  2. Forbes study https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/?sh=45ad3ace360f
  3. Apps to hack phone remotely, where link(read : Traps) sent by ‘so called’ friend (which is actually imposter account) https://www.whatmobile.net/Features/article/5-best-apps-to-hack-someones-phone-remotely
  4. Old common ways to lure people (achieved through identity theft by imposter) https://xnspy.com/hack-someone-cell-phone.html
  5. Forbes alert to TikTok users https://www.forbes.com/sites/zakdoffman/2020/04/13/tiktok-users-beware-this-is-how-hackers-can-swap-your-videos-for-dangerous-fakes/?sh=7022ccf13cc8
  6. Incident in Tibet https://www.forbes.com/sites/thomasbrewster/2019/09/24/whatsapp-fakes-hack-tibetan-iphones-and-androids-to-steal-facebook-data-and-more/?sh=7672d2b3713d
  7. https://www2.deloitte.com/content/dam/Deloitte/sg/Documents/risk/sea-risk-cyber-101-part10.pdf