By Michael Kachitsa
When the COVID-19 quarantine hit in mid-March, it created an unprecedented situation in which the number of remote workers skyrocketed beyond anything anticipated.
“The only analogue of this scale I would say is 9/11, and that was fairly regional,” says Sean Gallagher, a threat researcher at Sophos. “It wasn’t a national thing like this is, and it wasn’t nearly for this period of time.”
Gallagher was working remotely from Baltimore for a New York company. All his fellow employees in New York were displaced for several weeks.
“We had to figure out how to operate without the office for nearly a month,” he says. “But that was very regionally specific. This is a much broader problem.”
The nearest thing most companies may have experienced to COVID-19 is something like a hurricane or other natural disaster, all of which are regional. This crisis has scaled beyond any plans companies had in place to deal with remote workers—and with that has come a level of insecurity that has also been unimaginable.
“It’s not something that might’ve been in most companies’ disaster recovery continuity business plan,” says Gallagher. “But it is certainly not unprecedented in terms of the need to be able to flexibly handle ongoing operations with employees not in the office.”
Moreover, the vast move to remote work is an exacerbation of the human element that “is often—frankly always—the most uncontrollable component of cybersecurity risk,” says Bob Moore, director of server software and product security at Hewlett Packard Enterprise.
All large organizations can arrange for some users to work from home, but until recently, few ever tried to have nearly everyone work from home. If existing security tools and procedures are inadequate, what do you really need to do to make the situation acceptable?
We asked a handful of security experts three questions. Here are their answers.
Common instructions came from every computing security specialist we spoke with, starting with the need to equip your computer with a virtual private network (VPN) so that all of your activities are done on your company’s network, not on your own, looser, more vulnerable one. This is just one difference between office security and remote security.
“In a workplace environment, you typically have a well-structured, highly controlled work environment where there are tight measures and controls on the type of traffic that can flow, what type of authentication is used, and what type of data can be stored,” says Tim Ferrell, cybersecurity architect at HPE.
Others agree. “At most enterprise or business locations, there are firewalls and the network is monitored by a networking team,” says Mick Wolcott, partner at Goldman Lockey Consulting in San Francisco. “Whereas at home, you’re basically just either doing Comcast or AT&T or something like that, and you don’t get the behind-the-scenes where we examine the traffic that’s coming in. We can’t tell if there’s malware that’s been downloaded or where it’s been clicked, and we can’t keep an eye on events in the background.”