Moving Communications to the Cloud to Support Remote Workers Opens Enterprises to Serious Security Threats
By: Arti Loftus
Originally published on Cloud Computing Magazine
The COVID-19 pandemic has forced nearly every enterprise, government agency and other organization to move to a Work From Home (WFH) model, in many cases overnight, and with the uncertainty ahead, most “desk workers” will be interacting with systems and people virtually for months or years to come.
Some have learned the hard way that when real-time communications applications (voice, messaging, video, video conferencing, collaboration, including file and screen sharing) are not secured, systems are hacked and valuable data is stolen.
With hundreds, thousands or even hundreds of thousands of employees spread out, the attack surface is naturally more extensive: employees, contractors and partners access the Internet through Wi-Fi that may not be fully secured and use “free” cloud-based applications like Skype and Zoom. Even when employees use commercial applications, if those applications are not locked down, the risk exposure grows with every piece of information, document or database that is accessed or shared.
In more traditional office settings, risk only happens between the server, internal network, and computer, whereas virtual working adds many more variables, including smartphones, tablets, home computers, public Internet, Wi-Fi and cellular network access, as well as a plethora of applications employees may use instead of official corporate systems, or applications customers or partners choose.
We asked Michael Fritzlo, Executive Chairman of Ironsphere, a secure access management software company based in the NYC metro area (the one hit hardest in the world, with more Coronavirus cases and deaths than any other region) to share what they’ve been seeing, and provide advice for IT teams who have been working harder than ever to support and manage distributed workforces.
“Like so many other enterprise infrastructure security solutions providers, we are constantly tracking the latest threats, and seeing a dramatic increase in the number of attacks, from phishing emails to ransom attacks, and extraction of private and confidential information when credentials are shared accidentally or intentionally,” Fritzlo said. “Providing training and reminders to remain alert to suspicious emails is an important start, but to truly control who has access to what systems, from which geolocations, at which times of day, identity access management and privileged access management is paramount.”
Fritzlo went on to explain that business continuity plans should always be in place and constantly updated, as more applications are moving to the cloud, including real time communications applications supporting small group meetings, all-hands company meetings, and interactions with customers (including through cloud-based contact centers).
“We’ve seen in-person contact center operations with over 1,000 agents moved from their physical facilities to over 1,000 homes happen over a weekend,” Michael Fritzlo said, “and these agents are handling unprecedented volumes of inbound calls from concerned customers wishing to cancel flights, hotels and rental cars, or from patients looking for answers on testing, healthcare benefits, and access to medical treatment. With every interaction, highly sensitive data is being shared and recorded. The U.S. government loosened restrictions for HIPAA compliance due to the emergency, which makes sense given the need to triage those who believe they have contracted the virus, but in doing so, also increasing the risk of private and personal data being shared – data that is incredibly valuable to adversaries. IT teams need to think through and secure all channels of engagement, from voice to chatbots, text and social media messaging, to video consultations.”
Some enterprises are securing data as it moves between the enterprise network and WFH employees using VPNs, which enable WFH employees to securely connect to enterprise networks and provide additional layers of security, including hiding the user’s IP address, encrypting data in motion, masking location and more.
“Most enterprises already have a VPN in place, but with limited seats, requiring IT teams to negotiate with their existing provider or to find new providers that can scale more efficiently and economically,” Fritzlo said. “Not all VPNs are equal, so it is important to select a service that allows for policies to be put in place and actively managed with as much automation as possible, and with built-in multi-factor authentication features.”
Fritzlo also explained the trailing risks which could lead to problems for years to come. “As employees start to access most or all critical systems for their daily legitimate business operations, which they were not allowed to access remotely before, the risk surface becomes much bigger. The average time between when a data breach incident occurs and is identified is 206 days and the average time to contain a breach is 73 days, for a total of 279 days.”
“Breaches may not be immediately visible, but many organizations will find themselves as victims of breaches next year, if loosened security measures are not addressed,” Michael Fritzlo said. “Privileged Access Management has never been more important than it is now, as PAM solutions make it easier for IT teams to set up, monitor and dynamically manage credentials, including immediately shutting off access in the event of a breach. PAM can turn system credentials invisible to employees, which when compromised, account for the root cause of 80% of breaches.”
Fritzlo also said every device connected to the VPN must be registered and secured, including servers, gateways, desktop computers, laptops, smartphones and more. “Up-to-date security protection includes antivirus software, firewalls, device encryption and more. Passwords should be continually monitored and managed, especially for those employees or contractors who work with the most sensitive data – financial, personal, strategic, and operational. Automatically changing passwords and requiring two-factor or three-factor authentication is vitally important, especially in times like these.”
WFH is not just a temporary situation, Fritzlo believes. “As a society and business community, we went from zero to one hundred miles per hour, and when virtual collaboration and computing is secure, moving at one hundred miles per hour can be a good thing. Many of our clients have found that employees can be even more productive from home, can put in more hours (with no need to spend time commuting), and can cost less to support, as real estate and travel expenses are dramatically reduced. After helping them respond over the last few months, we are now having different conversations about how to sustain securing virtual working for years to come – not just for a few individuals, but for many, and not just in emergencies like COVID-19, but as the new norm.”
“This is a stressful time and having the ability to interact with each other is another important benefit of using video conferencing and more – allowing teams to be physically distant but socially connected. Providing productivity tools, including cloud-based communications available through the public Internet or VPNs is powerful, but without the right layers of security, extremely risky.”
With new software-based approaches and cybersecurity automation, organizations can protect themselves from one of the primary causes of breaches – adversaries taking control of privileged accounts by being able to “crack the code” on privileged users’ passwords.
When the COVID-19 pandemic began, no industry in the world was put under more stress than the medical industry. With cases climbing, and more people constantly wanting information on what to do, the medical industry turned to technology to meet the demand.
It is one thing when enterprises use automation, including AI, to improve the efficiency of their ERP, HR, accounting, and other systems, and of course, any enterprise system which collects, stores, and uses data should be fully protected, including a solid Privileged Access Management (PAM) solution as a core part of their IT architecture.