With the sudden and dramatic shift to the work-from-home model (WFH) in early 2020, IT security teams have raised a host of important questions. How secure is corporate data saved locally on unvetted, uncontrolled machines? Are corporate machines inherently secure in WFH deployments? Is there an increased likelihood of data leakage and other cyber-breaches in the WFH environment? For TrendzOwl, the recent history of cybersecurity tells a complex story, raises a host of additional questions, but ultimately also reveals new possibilities for the WFH model going forward.
- The Shift Home: Cybersecurity Gains New Prominence
- The Epiphany: Corporate Devices were No Panacea
- Corporate Control, Security, & Management: ThinScale
- Journey’s End: A Surprising Conclusion!
The Shift Home: Cybersecurity Gains New Prominence
In the United States, the Federal Bureau of Investigation (FBI) was warning of a sudden jump in cyber-risks. The Bureau described how both domestic and international hackers were taking advantage of America’s increasing online activity. In May, 2020, the FBI claimed there already had been a 300% increase in cybercrimes reported.
According to VMware, by the summer of 2020 there was a disturbing uptick in even more sinister attacks. There was a 90% increase in criminals encrypting files and demanding a ransom to restore access. Attacks in which data or networks were destroyed was up 102%. And island hopping, in which criminals take over company digital transformation efforts by using their networks to attack customers and partners, increased by 33%.
In other words, with the arrival of Covid and the shift to the WFH model, it had become clear that the corporate security perimeter had been broken. In the words of Emily Mossburg, a global cyber leader at Deloitte:
This was compounded by ad hoc security controls early on, as companies scrambled to get employees up and running. Now, as the crisis drags on, companies are realizing employees may need to work from home for the foreseeable future. There’s a transition from ‘a solution that was built together with duct tape and string and chewing gum’ to more ‘robust operationalized solutions.’
The Epiphany: Corporate Devices were No Panacea
Andrew Homer, a Morphisec vice president of security strategy and business development, noted that,
“We’ve seen anywhere between a doubling or a tripling of the amount of attacks that we blocked since Covid. When I say about a tripling, that’s over 170,000 attacks a week across the five million endpoints.”
Homer went on to describe a situation in which organizations weren’t able to guarantee employees were working on secure devices or trusted Wi-Fi connections.
While Morphisec’s findings suggested that up to 56% of employees were using personal computers to work from home, it was clear that homeshored employees working on corporate devices were proving to be a vexing issue as well.
Morphisec found that corporate devices are often exposed to other individuals in the household.
“We’ve seen a tenfold increase in the amount of adware, [which] is games, or unwanted software on these devices,” added Homer. “That’s indicative of kids using their parents’ machines. That’s really concerning because adwares have become the delivery mechanism of putting malicious, highly nefarious malware onto these machines. Now that we’re outside the corporate network, the endpoint itself has become ground zero.”
It’s also important to add the sheer number of anecdotal reports of users simply utilizing their own OS while working from home despite delivered corporate machines. And even VPNs are a risk, as a lot of tech can find a way around them. VPN services protect the data to and from the VPN provider, but not to the destination. Remote locations often remain insecure. And VPNs are not always activated.
Corporate Control, Security, & Management: ThinScale
ThinScale’s ThinKiosk is a software-defined thin client specifically designed to help enable organizations to provide high levels of endpoint security on corporate machines for WFH programs. ThinKiosk applies the relevant policies and settings, blocking, but not overriding the device’s OS; with ThinKiosk machines the agent has no opportunity to leave the secure UI installed on the device.
- Thousands of agents can be up and running quickly, easily, and securely without the need for additional hardware.
- The agent’s device can only be used for work Only the agent is using the secured device (no family or third parties have access)
- Each agent is in effect using a trusted WiFi connection
- Each agent is in effect no longer using a personal computer
- The risk of data leakage from lost or stolen machines is eliminated
- The risk of deactivated VPNs is a non-factor
Journey’s End: A Surprising Conclusion!
One thing the journey through a decade of cybersecurity history shows is that corporate machines are not inherently secure, especially at home. Devices deployed with VPNs, portals, and basic lockdown policy can be relatively easy to get around for the resourceful hacker. Indeed, home Wi-Fi networks pose risks to company data; updates to home router software are often neglected, and many home networks have weak firewalls or lack them altogether.
Or consider how many employees fail to closely follow the guidance they’re given. It only takes one mistake to cause costly damage. Verizon’s 2020 Data Breach Investigation Report found that phishing is one of the top threats, with 22% of data breaches involving phishing.
But there’s a larger lesson here too. The fact is, most employees already use a personal device for work, and the trend seems unstoppable. In May, 2021, Techjury provided the stunning statistics. According to Microsoft, a full 67% of employees use their own devices for work, regardless of the official BYOD policy. Even if forbidden, many people are using their personal devices in some form for their work.
In the wake of Covid19, we’ve made some surprising discoveries during the cybersecurity journey. Relying on traditional methods of WFH provision poses massive security risks. But by properly securing corporate machines, an array of vexing security issues can be largely avoided.
For more information on how corporate machines fall down when it comes to work at home security, see this white paper written by Stephen Loynd on the subject: