Tech publisher IDG tackled this topic last week in its #IDGTechTalk Twitter chat on “Protecting Your Perimeter in the Age of Remote Work.” Moderated by Kayne McGladrey, a global cybersecurity expert and thought leader, the panel posed questions to participants on IT security for remote workforces, which we’ve summarized here:
IDG: What are the biggest security threats posed by employees who are on vacation or working remotely?
One of the biggest threats, according to @mthiele10, is remote workers’ “casual and convenience-oriented” approach to security. “While away, they’ll often let their #infosec guard down,” tweeted @benrothke. In addition to unsecured Wi-Fi, outright theft of devices is also a risk. Remote workers should be careful about who can see their screen or overhear their conversations (say, on an airplane or in a café). In these cases, hackers don’t need to ‘hack’ — they simply eavesdrop or pry.
Participants agreed: This lack of security (including casual or careless human behaviour) means only limited data should be kept on the devices themselves; some suggested the use of burner laptops and phones. “Whole-disk encryption should be the new default,” tweeted @kaynemcgladrey. “If traveling to interesting places, use a loaner with a VPN to a VDI so reduced risk of exfiltration.”
IDG: Is it possible to truly secure your perimeter as more organizations allow #remotework?
Only a few agreed; @jckgld believes it’s possible, but it requires strategy and concerted effort to do so. “Few Cos I talk to do it effectively, especially in SMB,” he tweeted. In general, though, most participants feel it’s not possible to truly secure their perimeter. As @wlassalle tweeted, “You can’t put up a chastity belt on every point.”
Instead, organizations should assess their risk tolerance, decide how much remote access they will allow, and then train employees, monitor for abnormal activity and quickly address issues if and when they do come up. Participant @nyike says it’s better to monitor for abnormal individual activities and lock down key assets depending on context.
IDG: What about employees who travel internationally? Are there different #threats to be aware of?
Yes, tweeted @mthiele10 — it’s “like getting vaccinated for certain diseases” before traveling abroad. He says remote workers should never leave their laptop unattended, not even in the hotel safe. He also recommends scrubbing or rebuilding the laptop when returned. Participant @marthacisneros added that users should never buy hardware or software in another country, and “never connect an unknown USB flash drive to your tablet or laptop.”
Encryption laws vary by country, so remote workers should travel with as little data as possible on their devices. “Every foreign government has the right to inspect or confiscate anything that travelers bring into the country,” tweeted @benrothke. “Foreign travelers have no legal or practical recourse. Employees should therefore take as little stored data as possible, & make sure it’s encrypted.”
IDG: Is there any new or emerging technology in this space that can make #remotework more #secure?
For @benrothke, the ‘old’ infosec technologies still do the job. “Use of VPN, encrypted disk drives, strong passwords, endpoint security, remote wipe for smartphones & the like should be required for all remote workers,” he tweeted. And while some of these technologies aren’t new, they’ve evolved; many recommend the use of virtual desktops for remote workforces, as well as mobile device management.
“I use #MFA and #biometrics to access almost everything I work on. Someone has to steal my phone and pretty much face to steal my #fortnite account,” tweeted @wlassalle. “Adopting logging tools, host protection and automation tools allows for faster remediation as well as better understanding if a device was ever infected,” added @Callum_Butler. In terms of new technologies, 5G has the potential to offer better security at the edge, according to @mthiele10.
The verdict: New (and tried and true) tools and technologies can improve security for remote workers, but IT can only do so much. A perimeter, after all, is only as strong as the organization’s security policy, IT strategy and user training.