Historically, corporations that had established work-from-home programs using company-supplied hardware and software had a limited number of security issues that needed to be managed for their employees. Since the employees used company-owned and preconfigured systems, the employer had the opportunity to create a controlled environment for their remote users.
Then along came COVID-19 and mandatory stay-at-home orders for millions of workers. All of a sudden, employers who had no or only a limited number of employees working remotely could easily have almost their entire workforce working remotely, exponentially escalating the firm’s cybersecurity vulnerabilities and risk.
BrightSight, a Netherlands-based security ratings company, last month published the results of a survey it conducted with more than 41,000 companies concerning the issues of employees suddenly working from home on potentially compromised networks. (In the U.S., BrightSight is known as BitSight.)
The survey results likely won’t surprise CISOs a great deal, especially when users are running personal assets on personal networks that have not been vetted by the corporate IT team. According to the survey, 45 percent of users had malware on their home networks compared to 13.3 percent of companies that had malware on their networks.
The research also found that 25.2 percent of employee-owned networks have one or more services exposed on the internet. Of those, 61.2 percent have an exposed cable modem control interface, an exploitation channel commonly used by internet-wide attacks.
It is important to remember that employees, even some with a technical orientation, often use routers and cable modems with default settings. If that default setting includes the username and password of an internet-facing router or cable modem, it is a veritable invitation to attackers.
While BrightSight found the two biggest threats to be what a security pro might expect (phishing and malware attacks, and risky user behavior), the next two threats fall squarely in the sweet spot for the security team in charge of IT asset management: changes to assessing and monitoring vendors, and the rapid onboarding of new vendors. Ensuring that the asset supply chain is safe is critical, but the new normal of work-from-home can throw a wrench into the finely tuned machine that is your company’s vendor vetting process.
The axiom, “You can’t protect what you can’t see,” is magnified when you can’t vet vendors to whom you have no direct access. How can a CISO’s security team ensure that the myriad hardware and software products their users choose to purchase at home and use for business purposes are safe and secure? From a compliance standpoint it gets worse: How can you ensure your network meets compliance requirements — and isn’t potentially using prohibited hardware or software — if you do not have purchase control over those assets?
The bottom line for the asset management team is to make sure your company has specific, written policies and procedures for work-from-home employees. While you might not be able to control the network to the extent you do within the confines of your company or even your cloud provider, you still can create policies and procedures for your remote employees that can limit your risk. While you cannot remove all the risk associated with remote employees, basic security hygiene can eliminate a large percentage of the most common and basic attacks. Significantly reducing risk is always a win for the white hats.