The Hidden Risks of Work From Anywhere

Joshua Brown, VP and Global CISO at H&R Block

Crises, by definition, apply pressure to the status quo. In the case of the global pandemic, the implications of these pressures will take years to understand fully. Many organizations saw a rapid acceleration of efforts that had previously not fully taken root, fueled by an urgent need to deliver the human elements of business continuity. Adopting "work from anywhere" (WFA) as a means of business continuity required rethinking legacy models of information security assurance; whether the shortcomings of those legacy models were already understood or not, particularly from a risk perspective, will have to be the subject of another article. For now, I believe we must confront a largely ignored aspect of risk that WFA has amplified, both through the sheer volume of remote workers and through the realization that the relationship between employer and employee has fundamentally changed.

In the "great before," it was common for employees to access company resources remotely. Typically, this was done via virtual private networks, or VPNs. In the cloud era, many productivity applications became accessible via the open internet. And while this required some consideration of how to secure endpoint-to-public-cloud connectivity, substantially more effort was put into securing managed endpoints and securing cloud environments; put another way, we focused on securing work *in* the cloud, and not as much on securing access *to* the cloud. Some institutions chose to enforce controls on remote workers by tunnelling all traffic, regardless of destination, back through centralized points where the existing (legacy) security stack could be applied. Others applied a "zero trust" ideology, pushing controls out to the endpoints and enabling greater efficiency and flexibility. Neither approach explicitly recognized that the remote workforce was now operating continuously in a hostile environment, the home network, where InfoSec and IT departments had neither visibility nor control.

Practically every corporate IT environment has basic processes and technical controls: periodic password resets, anti-malware, firewalls, patch management and log monitoring. More mature environments have additional layers of safeguards designed to guard against other risks, such as data loss and threats to business continuity. The typical home network has few to none of these things. When was the last time you changed your wireless password at home? Your non-corporate password(s)? Even if you are a seasoned IT pro, you are unlikely to have the technical means (or, let's face it, the *desire*) to implement all the same safeguards at home. And what about when you visit your parents or grandparents for the holidays? What kind of state is their home network in?


The answer is that nobody knows for sure, but it is reasonable to expect that the situation is grim across the board. The security of a wireless network depends on both the Wi-Fi security protocol in use and the strength of the passphrase; an old router still running WEP or WPA with a default or shared passphrase offers little. The ability to access SaaS applications from any machine, even with the right entitlement and credentials, implies that you could sign in from a relative's Windows 98 machine in a pinch. Connecting a secure, corporate-managed endpoint via VPN might make you feel better, but if your home network is compromised, that endpoint is sitting on a hostile LAN, and you have now bridged a hostile network to a trusted one. That shouldn't make anyone feel much better.

I think there are three things we must do to help mitigate this risk. First, we must be pragmatic in our approach; we cannot build a successful security strategy on end users making the right decision 100% of the time. They aren't security experts, and we shouldn't expect them to be, so user education will only get us so far. Our job is to provide a safe space with the maximum appropriate levels of flexibility and efficiency to support our business objectives. We should create guardrails appropriate to our environments and manage expectations through clear end-user communications and training (including how to secure a home network).

Second, we should recognize the risk inherent in the remote work model and embrace a framework that reduces the "blast radius" of any single compromised user. What this means will vary from organization to organization, but many of the tenets of zero trust apply. Validate the posture of any endpoint attempting to connect to company resources. Perhaps only fully managed devices are allowed to connect to sensitive resources, and stronger authentication is required for them. Grant access to one resource at a time, and provide no other connectivity without re-validation and re-authentication. Each user is effectively a micro perimeter in this model, and lateral movement from one compromised session is rendered nearly impossible. User and entity behavioral analytics (UEBA) has matured sufficiently that you can create an environment of adaptive access across your technology stack.
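The policy described above can be made concrete with a small policy decision point. The following is an added example written for this article, not code from the author or from any product; the device inventory, the resource policies and the device names are constructed, hypothetical data. Each grant it issues is bound to exactly one resource and one device and expires after a per-resource TTL, so a stolen session cannot be replayed against a different resource, from a different machine, or after the window closes without going back through posture validation and authentication.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed device inventory, as an MDM/EDR agent might report it (hypothetical data).
DEVICES = {
    "LAPTOP-7F3A": {"managed": True, "disk_encrypted": True, "edr_running": True,  "patch_age_days": 3},
    "LAPTOP-9C21": {"managed": True, "disk_encrypted": True, "edr_running": False, "patch_age_days": 40},
}

# Per-resource policy (hypothetical): minimum authentication strength, whether only
# managed and healthy endpoints may connect, and how long a grant stays valid before
# the client must re-validate posture and re-authenticate.
AUTH_PASSWORD, AUTH_MFA = 1, 2
RESOURCE_POLICY = {
    "wiki":    {"auth_level": AUTH_PASSWORD, "managed_only": False, "ttl": timedelta(hours=8)},
    "payroll": {"auth_level": AUTH_MFA,      "managed_only": True,  "ttl": timedelta(minutes=15)},
    "prod-db": {"auth_level": AUTH_MFA,      "managed_only": True,  "ttl": timedelta(minutes=5)},
}

@dataclass(frozen=True)
class Grant:
    user: str
    device_id: str
    resource: str        # bound to exactly one resource: the user's micro perimeter
    issued_at: datetime
    expires_at: datetime

def device_posture(device_id: str) -> Tuple[bool, str]:
    """Posture check against the inventory; anything not enrolled is treated as hostile."""
    d = DEVICES.get(device_id)
    if d is None or not d["managed"]:
        return False, "unmanaged device"
    if not d["disk_encrypted"]:
        return False, "disk not encrypted"
    if not d["edr_running"]:
        return False, "EDR agent not running"
    if d["patch_age_days"] > 30:
        return False, "patch level too old"
    return True, "healthy"

def request_access(user: str, device_id: str, resource: str, auth_level: int,
                   now: datetime) -> Tuple[Optional[Grant], str]:
    """Full evaluation: policy lookup, authentication strength, posture. Returns (grant, reason)."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return None, "unknown resource"
    if auth_level < policy["auth_level"]:
        return None, "authentication too weak for resource"
    if policy["managed_only"]:
        ok, why = device_posture(device_id)
        if not ok:
            return None, why
    return Grant(user, device_id, resource, now, now + policy["ttl"]), "allowed"

def use_grant(grant: Grant, resource: str, device_id: str, now: datetime) -> Tuple[bool, str]:
    """Can an existing grant be presented for this resource? Anything else means re-validation."""
    if grant.resource != resource:
        return False, "grant bound to another resource; re-authenticate"
    if grant.device_id != device_id:
        return False, "grant bound to another device; re-authenticate"
    if now >= grant.expires_at:
        return False, "grant expired; re-validate posture and re-authenticate"
    return True, "allowed"

NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

def demo() -> dict:
    """Scenarios showing how a single compromised session is contained."""
    results = {}
    g, why = request_access("alice", "LAPTOP-7F3A", "payroll", AUTH_MFA, NOW)
    results["healthy_device_mfa"] = why
    # The same grant replayed against a different resource is refused: no lateral movement.
    results["reuse_for_prod_db"] = use_grant(g, "prod-db", "LAPTOP-7F3A", NOW)[1]
    # Replayed from another device (a stolen token on an attacker's box) is refused.
    results["reuse_from_other_device"] = use_grant(g, "payroll", "EVIL-BOX", NOW)[1]
    # Replayed after the TTL is refused; the client must re-validate and re-authenticate.
    results["reuse_after_ttl"] = use_grant(g, "payroll", "LAPTOP-7F3A", NOW + timedelta(minutes=16))[1]
    # Weak auth and unhealthy or unmanaged endpoints never get a grant for sensitive resources.
    results["password_only"] = request_access("alice", "LAPTOP-7F3A", "payroll", AUTH_PASSWORD, NOW)[1]
    results["edr_missing"] = request_access("alice", "LAPTOP-9C21", "payroll", AUTH_MFA, NOW)[1]
    results["parents_pc"] = request_access("alice", "GRANDMA-WIN98", "payroll", AUTH_MFA, NOW)[1]
    # Low-sensitivity resources can still be reached from any device with a password.
    results["wiki_unmanaged"] = request_access("alice", "GRANDMA-WIN98", "wiki", AUTH_PASSWORD, NOW)[1]
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

The point of the `use_grant` checks is that the grant, not the network, is the perimeter: the same credential that opens payroll from a healthy laptop opens nothing else, and the TTL forces posture to be re-checked often enough that a device that loses its EDR agent mid-session is cut off at the next renewal rather than at the next login.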

Third, we have to amp up our own monitoring, containment and mitigation capabilities so that abnormal activity is detected quickly and terminated before significant harm can be done. You will have compromised endpoints, and you definitely already have users operating in compromised network environments. Whether you manage your own SOC or not, your tools need to be configured to alert on anomalies, and those anomalies need to be quickly analyzed and appropriately addressed. If your organization is of any size, you must combat alert fatigue and analyst burnout by applying automation wherever possible. Being aggressive with automatic mitigation likely means a higher false positive rate, which means you will have to tolerate some inconvenience when a user's password is reset out of an abundance of caution, or an endpoint is sequestered because its behavior looked different. Having a team ready to respond to false positives as quickly as to true positives will ease these pain points.
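To show what "alert on anomalies and mitigate automatically" looks like in practice, the following is an added example written for this article, not code from the author or from any SOC tooling. The sign-in events, the per-user device baseline, the thresholds and the playbook are all constructed and hypothetical. It runs three simple rules over a handful of authentication events (impossible travel, a success following a burst of failures, and a first sign-in from an unknown device) and maps each alert to a containment action. The actions chosen are deliberately reversible ones (session revocation, forced password reset, step-up MFA), which is what makes it acceptable to run them without an analyst in the loop and absorb the occasional false positive.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sign-in events in JSON-lines form (not real logs).
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:00:00Z","user":"alice","ip":"203.0.113.10","country":"US","device":"LAPTOP-7F3A","result":"success"}
{"ts":"2024-03-01T08:20:00Z","user":"alice","ip":"198.51.100.7","country":"DE","device":"LAPTOP-7F3A","result":"success"}
{"ts":"2024-03-01T09:00:00Z","user":"bob","ip":"192.0.2.55","country":"US","device":"UNKNOWN-1","result":"failure"}
{"ts":"2024-03-01T09:01:00Z","user":"bob","ip":"192.0.2.55","country":"US","device":"UNKNOWN-1","result":"failure"}
{"ts":"2024-03-01T09:02:00Z","user":"bob","ip":"192.0.2.55","country":"US","device":"UNKNOWN-1","result":"failure"}
{"ts":"2024-03-01T09:03:00Z","user":"bob","ip":"192.0.2.55","country":"US","device":"UNKNOWN-1","result":"failure"}
{"ts":"2024-03-01T09:03:30Z","user":"bob","ip":"192.0.2.55","country":"US","device":"UNKNOWN-1","result":"failure"}
{"ts":"2024-03-01T09:04:00Z","user":"bob","ip":"192.0.2.55","country":"US","device":"UNKNOWN-1","result":"success"}
{"ts":"2024-03-01T10:00:00Z","user":"carol","ip":"203.0.113.20","country":"US","device":"PHONE-22","result":"success"}
"""

# Baseline of devices each user has signed in from before (constructed).
KNOWN_DEVICES = {"alice": {"LAPTOP-7F3A"}, "bob": {"LAPTOP-9C21"}, "carol": {"LAPTOP-1111"}}

TRAVEL_WINDOW = timedelta(minutes=60)   # two countries inside this window is "impossible travel"
BRUTE_WINDOW = timedelta(minutes=10)    # failures older than this are forgotten
BRUTE_THRESHOLD = 5                     # failures before a success counts as a brute-force win

# Playbook (hypothetical): each alert type maps to a containment action. "auto" means the
# action runs without an analyst; only reversible, low-cost actions are automated, so the
# price of a false positive is an inconvenienced user rather than an outage.
PLAYBOOK = {
    "impossible_travel":   {"severity": "high", "action": "revoke_sessions_and_reset_password", "auto": True},
    "brute_force_success": {"severity": "high", "action": "revoke_sessions_and_reset_password", "auto": True},
    "new_device":          {"severity": "low",  "action": "require_step_up_mfa",               "auto": True},
}

def parse_events(text):
    """Parse JSON-lines sign-in events and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def alert(kind, e):
    p = PLAYBOOK[kind]
    return {"kind": kind, "user": e["user"], "ts": e["ts"].isoformat(),
            "severity": p["severity"], "action": p["action"], "auto": p["auto"]}

def detect(events):
    """Run the three rules over time-ordered events; returns the list of alerts raised."""
    alerts = []
    last_success = {}               # user -> most recent successful sign-in
    failures = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] != "success":
            failures[key].append(e["ts"])
            continue
        # Rule 1: a success after BRUTE_THRESHOLD failures from the same source within the window.
        window = failures[key]
        while window and e["ts"] - window[0] > BRUTE_WINDOW:
            window.popleft()
        if len(window) >= BRUTE_THRESHOLD:
            alerts.append(alert("brute_force_success", e))
        window.clear()
        # Rule 2: successive successes from different countries too close together.
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append(alert("impossible_travel", e))
        # Rule 3: success from a device this user has never used before.
        if e["device"] not in KNOWN_DEVICES.get(e["user"], set()):
            alerts.append(alert("new_device", e))
        last_success[e["user"]] = e
    return alerts

def run():
    return detect(parse_events(SAMPLE_LOG))

if __name__ == "__main__":
    for a in run():
        print(a)
```

Carol's alert is the false positive the text warns about: she may simply have a new phone. Because the automated response is a step-up MFA prompt rather than a lockout, she clears it in seconds and the SOC never has to touch the ticket, which is the trade-off that lets the high-severity rules run with the same aggressiveness.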

Remote work has ushered in a new era of productivity and flexibility; employees and employers can reap these benefits if WFA is embraced while being pragmatic and clear-eyed about the risks (and sometimes, the investments) involved. What we cannot do is ignore these risks any longer. Our workers have already adapted; it is time for our approach to supporting this model to adapt.
