Remote work and IT security: are the mechanisms hastily rolled out during the COVID-19 pandemic robust in the long term?

Although no one can measure all the consequences of the COVID-19 crisis, there’s at least one thing all experts agree on: the flex office, midway between the office and remote work, is here to stay! However, over half of those working remotely faced technical problems during the lockdown (source: ZDNet, in French). As a result, CIOs and CISOs need to answer a key question: are the mechanisms hastily introduced during the lockdown sufficiently robust? This is particularly relevant when it comes to security, as everyone seems to agree that the worst in terms of cyberattacks is yet to come (in French)… IT teams have had to become more responsive due to the COVID-19 pandemic, which means that time needs to be taken now to protect the future work environment for the long term. This involves analysing new use cases encountered due to remote work and auditing the associated security risks to ensure the right decisions are made going forward.

Remote work: the threats to IT security are very real

With the benefit of three months’ hindsight about the unexpected and/or inappropriate uses brought about by widespread remote work, it’s clear that CIOs and CISOs will be very busy in the coming months in terms of IT security.

Many organisations have had to contend with habits such as work devices being used for personal purposes and potentially being shared between family members, and, what is more, on home networks without much protection. Conversely, many people have used personal devices to log in to business environments. This “forced” BYOD shifts a company’s responsibility, given that it can no longer just protect the devices under its control and above all needs to protect users and their digital identity within the information system.

It therefore comes as no surprise that remote workers are more vulnerable to cyber threats and the risk of identity and access theft, as employees are logging into a company’s information systems through layers over which there is usually no control (personal Wi-Fi with unsteady speeds, personal computers, passwords that are less secure or even shared with other people, etc.). Cybermalveillance released a statement about these risks at the end of March 2020 and issued IT security recommendations for remote work during a crisis situation (in French).

Less secure personal environments are a preferred target for cyberattacks and especially ransomware or phishing email campaigns aimed at stealing personal data. The usual security policies and rules followed in businesses should also apply at home, but how many employees actually follow them? How many companies take the time to conduct comprehensive awareness campaigns on the subject? How do you make users aware that they’re an even easier target when they’re at home? Some CISOs assessed this awareness by conducting fake phishing campaigns during the lockdown, using two of hackers’ favourite topics: financial support to make up for lost household income and COVID-19. The findings show that too many recipients are still opening these emails and that they therefore pose a genuine threat to a company’s information system.

Security measures hastily rolled out

Despite these threats, the lockdown forced IT teams to open up the information system to the outside world in order to keep business going. A study conducted by Censuswide for Citrix (in French) found that “while 70% of CIOs report that their organisation worked remotely at least one day per week, 49% had not made arrangements in their business continuity plan for having to make this shift to large-scale remote work. 46% found the transition difficult, with 74% of IT managers saying the situation was stressful.”

Of the solutions hastily rolled out, VPN (virtual private network) was obviously a popular choice. A VPN, which allows users to access a company’s network from outside, was previously often restricted to certain mobile individuals and/or VIPs, rather than being available to all employees. Organisations justified expanding its use to a large population overnight by the need to be responsive and provide access to applications to as many people as possible in order to keep their business running, which marked something of a departure from their usual security policy.

For example, Société Générale had to shift 50,000 employees to remote work in Europe (in French). In the space of three weeks, the available remote access and VPN capacities were increased five-fold. Meanwhile, at other organisations, VPNs were sometimes overloaded due to not being adequately sized for the number of connections.

What’s more, certain remote access points hastily opened sometimes resulted in exceptional access being manually granted outside of the usual process compliant with the ISP (Information Security Policy). When IS administrators use several separate tools, this increases the number of administration interfaces and therefore the risk of an operating flaw. Conversely, those who take a centralised approach to managing access to all IS applications and services in a unified IAM platform have greatly reduced the potential risks around unsuitable access.

The security measures hastily rolled out have therefore taken businesses outside their usual scope of action, sometimes at the expense of compliance with information system rights. Now that the wave is over, questions urgently need to be asked about how to review authorisations.

Best practices for robust security systems in remote work

The world won’t look like it used to and educating users about cyber security risks in a flex office environment has become absolutely essential. Remote work is here to stay and employees need to be aware that certain habits create vulnerability.

More broadly, organisations now need to turn their attention to how well remote access is protected. The first stage is to audit and map all of the access points opened in order to identify and then resolve the weaknesses in the solutions hastily rolled out. This will make it possible to counter attackers that once again made short work of exploiting the breaches opened up by these unprecedented circumstances.

This situation emphasises the need to achieve an airtight identity and access management strategy. Companies that were prepared beforehand and had already centralised the management of their single sign-on access points were able to more easily maintain control over and supervise the information system in real time. Furthermore, these same companies had no trouble handling the authentication peaks caused by employees remotely signing in to their work applications, particularly at the start of the day.

One of the cyber security and risk prevention lessons to learn from this crisis is that only a comprehensive and centralised approach to identity and access management allows businesses to unify rules and therefore maintain control over IT security.