By Rajiv Dholakia,
Chief Products Officer, VERA
For the last few months, organizations everywhere have
been forced to confront the new reality of extended remote work. The pandemic disruption
has revealed some stark realities about securing teams that must rely on tele/videoconferencing,
mobile devices and the cloud, as well as securing the data they create and use
to conduct business.
The current moment is accelerating trends we've seen over the last 10+ years regarding the growing number of devices and methods used for accessing data. We went almost overnight from a privileged subset of knowledge workers working remotely to almost all knowledge workers doing so. Add to that psychotherapists, government employees, bankers and those in many other industries, and we have an astounding amount of sensitive data now living and moving outside of security and perimeter controls.
As a result, employers have been forced to confront how their go-to technologies interact under maximum load, and the results have been mixed at best. Tools we've relied on to date are now being heavily taxed; we're seeing the impact on users, their devices, the organizational resources they access, the Software-as-a-Service applications they use, and the very way networks are administered.
Insider Security Pitfalls
Under pressure to maintain productivity through the crisis, well-intentioned remote workers may be adopting practices and behaviors that introduce additional risk.
For instance, many are turning to VPNs to access corporate resources, and that is a good thing. But while a VPN is better than no VPN, it is not a magic bullet, and neither users nor administrators should develop a false sense of security around it. A VPN secures the path onto the network; it does not by itself decide what the connected device may do once there. In practice, many VPN deployments aren't configured to inspect traffic, detect malware or restrict where users can go on the internal network.
The myriad conferencing and file-sharing offerings now available can also pose problems. Network congestion is degrading access, and performance is often spotty over the thin home connectivity many workers rely on. Realistically, no matter which apps IT sanctions, employees will use whatever uncongested service lets them communicate.
Interfaces and usability are also an issue. There is little tolerance for calls to the Help Desk or for looking up Quick Start guides. These times remind us that when security and usability pull against each other in the design of apps and interfaces, security too often wins on paper and loses in practice: when security settings are unclear and produce error messages, or when a corporate-mandated collaboration app proves too difficult, employees will simply use other tools.
Businesses with the foresight to have created business continuity plans (BCPs) are probably best placed to help employees remain productive while sheltering in place. However, BCPs are intended to cover a finite period, in which control is sacrificed for continuity. Months into the pandemic crisis, we've reached the point where most continuity plans end. The current moment is like nothing BCP planners, or any of us, have previously experienced. BCP playbooks don't address compliance, detect insider abuse or identify the other blind spots in data security that a long period of relaxed control creates.
A Proliferation of Cyber Attacks
Any time the way systems and people work together changes, new attack surface opens up. Predictably, there's been an explosion of cyber-attacks related to the pandemic. Bad actors know well that the spike in remote work creates rich opportunities for old and new attack techniques alike.
For instance, phishing has spiked, as remote employees may be confused by messages disguised to look like they come from legitimate sources. The goal of phishing is usually to obtain credentials that let an attacker reach sensitive resources that aren't otherwise protected. With more attack surface, and more concerted attacks aimed at it, the potential for data loss and for damage to your business, and to infrastructure as a whole, is greater than before.
Even scientific research data around a Covid-19 vaccine is not safe. Recent statements from the FBI, DHS' Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre warn businesses and research institutions of malicious actors out to steal cutting-edge medical technology.
Securing the Future
There's a long road ahead until this situation resolves. Along the way, we're learning some difficult lessons, but those can serve us well into the future if we pay attention.
There is no security silver bullet that will solve all of these challenges. A decade of migration to modern, cloud- and mobile-centric computing means that data now lives far beyond the perimeter, and protecting it requires a chain of complementary controls rather than any single one.
We must look to building blocks and best practices, starting with a renewed focus on the fundamentals that strong protection is built on. Keep operating systems and applications patched; enforce multi-factor authentication; make sure sensitive files are appropriately encrypted, both for internal use and when shared externally. Without these basics in place, additional, more costly measures are not going to matter.
As leaders struggle to steer their businesses and their workforce through this disruption, revisiting fundamentals, educating workers and applying some common sense will help make cybersecurity one less thing to worry about.
About the Author
Rajiv Dholakia is the Chief Product Officer at VERA and a 30+ year veteran of
Silicon Valley with global experience in leading public and private companies
from ideas to IPO.
Most recently, Rajiv was at Nok Nok Labs where he led the creation of a
world-wide phishing-resistant standard to modernize authentication and replace
passwords. Earlier, Rajiv was VP & General Manager at Symantec, responsible
for the operations of PGP TrustCenter, a Cloud-based platform for Identity,
Encryption & Trust Services for users & devices. He has worked at Taligent,
Sun Microsystems & IntelliCorp in senior technical leadership &
business roles.
Rajiv is a mentor at UC Berkeley's SkyDeck accelerator and an invited speaker
at conferences on security & entrepreneurship. He also serves on the board
of the Northern California Girl Scouts on the strategy & STEM committees.