The pandemic has changed the face of the workplace. Many companies have rapidly moved online as their bricks and mortar outlets are closed during lockdown and foot traffic drops to zero. Another common theme is office workers now working remotely and working from home using BYOD devices.
Remote working, working from home, and BYOD raise serious IT security concerns, particularly for malware attacks and corporate data and intellectual property security.
Many of the concerns are the same as for directly connected users: the propagation of malware through the corporate network, malicious attacks initiated from apparently trusted sources, and corporate data theft, usually of financial information and intellectual property.
BYOD (Bring Your Own Device)
The big concern IT has is a lack of control over the end-user device. For IT, BYOD has several significant implications:
- Increased user support when a non-mainstream device fails to connect to the corporate network;
Many cheaper smart devices are clones of the major suppliers’ devices, with cloned operating systems. The network connectivity component might have outdated software and incompatible security configurations. If they can be connected, they may not operate correctly. Support sites giving upgrades and fixes are either non-existent or extremely difficult to find.
Support staff can spend many fruitless hours trying to connect them.
- Mingling of personal and corporate data, potentially leading to data leakage; and
Data leakage has happened when mistakenly forwarding a confidential corporate email to a personal addressee. Often a personal device is used by another family member or a friend. That can again lead to data leakage.
If the device is hacked, the hacker can extract corporate data. If that includes the corporate email address list, it could help phishing exploits.
- Management of lost, stolen, and departing employees’ devices.
This is possibly the most severe potential security breach. If a smart device falls into the wrong hands, the new user may gain full access to corporate systems. A disgruntled ex-employee could sell corporate information on the Dark Web. A device must be reset to factory settings immediately after being stolen, lost, or when an employee leaves the company.
Many organisations have addressed these matters by creating BYOD policies stating that only certain devices will be supported and require that the device is set up by IT prior to connecting to the corporate network. They set up a Mobile Application Management (“MAM”) environment. MAM separates personal and corporate data and allows IT to remotely manage the device and reset the device to factory settings, thereby deleting all corporate data.
In some cases where a device is password protected, the device can be automatically reset after a set number of incorrect passwords.
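The policy rules described above (supported devices only, set up by IT, reset on loss, theft, departure or repeated incorrect passwords) can be expressed as a decision check over a device inventory. This is an added example, not code from the original article; the model names, the failed-password threshold, the `Device` fields and the inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy values for illustration; the article does not give any.
SUPPORTED_MODELS = {"vendor-a-phone", "vendor-b-tablet"}
MAX_FAILED_UNLOCKS = 10

@dataclass
class Device:
    owner: str
    model: str
    enrolled_by_it: bool       # set up by IT before first connection
    status: str = "active"     # "active", "lost" or "stolen"
    owner_employed: bool = True
    failed_unlocks: int = 0

def decide(d: Device) -> tuple:
    """Return (action, reason); action is 'wipe', 'deny' or 'allow'."""
    wipe_reason = None
    if d.status in ("lost", "stolen"):
        wipe_reason = f"device reported {d.status}"
    elif not d.owner_employed:
        wipe_reason = "owner has left the company"
    elif d.failed_unlocks >= MAX_FAILED_UNLOCKS:
        wipe_reason = "too many incorrect passwords"
    if wipe_reason:
        # Only a device IT set up carries the management agent needed to reset it.
        if d.enrolled_by_it:
            return ("wipe", wipe_reason)
        return ("deny", wipe_reason + "; unmanaged, cannot be reset remotely")
    if d.model not in SUPPORTED_MODELS:
        return ("deny", "model is not on the supported list")
    if not d.enrolled_by_it:
        return ("deny", "device was not set up by IT")
    return ("allow", "meets BYOD policy")

# Constructed inventory, not real data.
INVENTORY = [
    Device("alice", "vendor-a-phone", True),
    Device("bob", "clone-x-phone", False),
    Device("carol", "vendor-b-tablet", True, status="stolen"),
    Device("dave", "vendor-a-phone", True, owner_employed=False),
    Device("erin", "vendor-a-phone", True, failed_unlocks=10),
    Device("frank", "clone-x-phone", False, status="lost"),
]

def review(inventory):
    """Map each owner to the (action, reason) the policy yields."""
    return {d.owner: decide(d) for d in inventory}

if __name__ == "__main__":
    for owner, (action, reason) in review(INVENTORY).items():
        print(f"{owner:6} {action:5} {reason}")
```

The last inventory entry shows why the set-up-by-IT requirement matters: a lost device that was never enrolled can only be denied access, because there is nothing on it through which IT could trigger the reset.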
Working from Home
Working remotely and working from home are essentially the same thing and present the same security concerns. The only difference is the means of connection. Working from home is usually over a fixed link, for example, fibre to the home. Remote working is a connection by the best means available, perhaps WiFi in a public space or a hotel or café, or over a cellular connection in areas with no WiFi.
The first step is to secure the connection using a Virtual Private Network (“VPN”). The VPN has two components, one at the corporate network end, and one on the user device.
When the user starts to connect, the two VPN components have a conversation to establish an insecure connection. The user then enters access credentials, which are verified by the corporate site. Some implementations enter the credentials automatically. Doing so bypasses the point of the security system and is not recommended.
When the challenge/response phase completes successfully, the client on the smart device and the corporate components agree on an encryption key pair used in the online session and open a secure VPN channel between the two.
With a fixed link from home, the VPN is permanent, renegotiated when the home device restarts. Remote devices establish a new connection each time they connect.
A remote user with a VPN has the same basic rights and privileges as a local user. These rights might be reduced by restricting the ability to upload and download material and to access some corporate functions like access control.
BYOD and remote working increase the potential for data theft, but only if appropriate policies for device management are missing, malformed, or ignored.