Even as President Joe Biden has called for every government employee to be vaccinated, and for companies with 100 or more workers to also require vaccines or have employees undergo weekly COVID-19 testing, the days of “work from home” aren’t likely to go away. Even when the pandemic ends, it is likely a sizable number of workers will continue to telecommute.
According to the HP Wolf Security report that was published earlier this month, 23% of office workers globally could continue to predominantly work from home post-pandemic, while an additional 16% could split their time between the home and the office.
That could have far-reaching consequences for organizations of all sizes.
The “Rebellions & Rejections” report from HP Wolf Security found that 83% of IT teams now believe that working from home (WFH) could be a “ticking time bomb,” as it could continue to present security holes.
Addressing the WFH Challenges
Because of the variety and scale of threats that organizations are now facing, cybersecurity teams have become part of the norm for IT. But these teams have been forced to work harder than ever to keep their businesses safe – and many of the cybersecurity pros are starting to feel serious burnout.
One factor is that they’re overworked trying to handle so many remote workers.
“Eighteen months into the work from home era of the Covid-19 pandemic, many IT shops still don’t have a good handle on how to enact cybersecurity outside of the office,” explained Saryu Nayyar, CEO of security research firm Gurucul.
“As a result, remote workers are actively bypassing standard security restrictions in an attempt to do their jobs, and in the process opening up security holes for exploit,” Nayyar told ClearanceJobs via an email.
“There has been a 72% increase in ransomware attacks since Covid-19 that corresponds to the dramatic increase in WFH and use of existing – and already infected – home computers,” explained Rajiv Pimplaskar, CRO at Veridium, a provider of end-to-end authentication platform for WFH applications.
“Bad actors can exploit such vulnerabilities and use key loggers and other MITM (Man In The Middle) attacks to appear like the legitimate corporate WFH user,” Pimplaskar added. “While enterprises and users are starting to adopt passwordless authentication methods like ‘phone as a token’ and FIDO2 for customer and Single Sign On (SSO) portals and enterprise applications, vulnerabilities still exist across entire categories of cases such as, third party sites, VPN (Virtual Private Network) and VDI (Virtual Desktop Infrastructure) environments, all of which are particularly vulnerable in the current WFH explosion.”
Constant Vigilance is Required in a WFH Environment
However, even those efforts may not be enough to keep everyone safe. Just as terrorists only need to get lucky once, and the counter-terrorists need to be constantly vigilant, the same is often true of cybersecurity. One wrong link clicked can be all it takes to compromise a system.
And unfortunately it may not be at that moment that a potential virus strikes.
“Malware can be awfully patient,” warned Jim Purtilo, associate professor of computer science at the University of Maryland.
“It will be ready when the conditions it was configured to exploit turn up. There’s always the danger that an office configuration might create those conditions – someone might injudiciously click a sketchy link from an unpatched platform – but many work from home arrangements blend more versions of more tools into the mix,” Purtilo told ClearanceJobs. “More variety translates into combinatorially more opportunities to open one of those unfortunate conditions for an exploit.
“We defenders must win every encounter – the attacker on needs to win once,” he added. “Work from home increases the attack surface, so nobody can be surprised if the cybersecurity teams tasked with policing that perimeter are running out of gas trying to keep up.”
Finding the Balance
Unfortunately, WFH is here to stay, and cybersecurity teams already understand that a compromise of security for business continuity may not be the answer. Yet, the teams have often had to cope with workers pushing back on the efforts to keep business secure. For workers, the ability to do their job remotely and efficiently is the top consideration.
The common ground may be staying in better communication, and for workers that may also mean giving up some level of privacy.
“Corporate security professionals need a better understanding of how remote workers are doing their jobs so they can work collaboratively in designing cybersecurity systems that meet those needs,” Nayyar added. “Monitoring activities in WFH environments and assessing the risk of specific activities should be a cornerstone of that effort.”