Companies Battle Cybersecurity Risks of Having More Remote Workers -- Journal Report
06/21/2020 | 08:45pm
By David Uberti and Catherine Stupp
Companies that moved to remote work because of the coronavirus now face another long-term question mark: security.
Stay-at-home workers have become targets for hackers, and they are exposed in a way that company networks aren't. The use of personal devices and internet connections, coupled with the anxiety of balancing work with child care and other tasks at home, has introduced a different set of weak points, says Tami Erwin, chief executive of Verizon Communications Inc.'s business segment.
Home Wi-Fi networks are often not well-secured, relying on weaker equipment, protected with insufficient passwords and shared by different users and devices -- which may become infected with malware that collects vital information. Home workers may also be more vulnerable to phishing scams that open up access to company networks, because they may feel less security-conscious outside the office. And remote work has prompted many workplaces to adopt applications such as teleconferencing tools that have their own security weaknesses.
"You've almost got the perfect scenario where people are less prepared, and bad guys have lots of time," says Ms. Erwin, whose division sent about 20,000 employees home in response to the pandemic, to join 10,000 more who already worked remotely.
In response to the shift, companies are urging employees to be more wary about cyber hygiene, as well as beefing up their abilities to investigate attacks from afar and turning to tools that authenticate remote employees or detect threats to their devices.
How many of the changes stick remains an open question as a battered economy forces corporate chiefs to rethink long-term spending plans and hiring practices. Still, the combination of factors will likely accelerate several broader trends reshaping cybersecurity.
Putting up a gateway
Virtual private networks, which keep data private even when it is shared on public networks, have long been used to allow off-site employees to access their workplace's perimeter defenses. Workers log in using passwords or other authentication tools to set up shop inside.
The huge number of employees now working remotely raises challenges for companies that use VPNs. Some workers have never used the technology before, and companies have to explain how to operate it and remind workers to be vigilant about using it.
Another problem: bandwidth. Too many users on a VPN can damage connection quality, so companies have moved to expand capacity to meet the staggering new need.
Equifax Inc. faced just such a surge in users. Before the coronavirus outbreak, around 10% to 20% of its employees worked from home on a normal workday, Chief Technology Officer Bryson Koehler says. But within one week's time in March, as lockdown orders went into place around the world, that figure surpassed 90%.
The company expanded its VPN technology so all employees could use it while working remotely, Mr. Koehler says, and a small team of network specialists worked around the clock during the first week to make sure the network ran smoothly.
British e-commerce company Made.com's VPN usage doubled after lockdown orders went into place in March, so Chief Information Security Officer Paul McCourt ditched physical keys employees used to log in. The USB key was clunky and a potential security risk if employees lost it, he says.
Now, Made.com employees access its VPN through the Okta Inc. platform. The system enables workers to reach different workplace applications by multifactor authentication, which requires users to provide more than one way to verify identity.
Moving further into the cloud
Some companies, though, have sidestepped the VPN question altogether. They are accelerating a move they had started making before the pandemic hit -- switching to cloud-based services.
These platforms, such as online versions of the Microsoft 365 suite, host corporate applications on their own servers, easing the pressure on company systems and offering employees more flexibility to access software at home.
Fearing the shift to home offices and personal devices could hamper developers' work, Microsoft Corp. Chief Information Security Officer Bret Arsenault moved about 32,000 employees onto cloud-based workstations within 48 hours in March. "That is the beauty of the ability of the cloud to both surge and scale," Mr. Arsenault says, adding that the shift will be permanent.
Thanks to that kind of migration, the cloud-computing market saw 37% year-over-year growth in the first quarter, according to Synergy Research Group Inc., and the pandemic could accelerate the trend.
"I believe this is an inflection point," says Sean Joyce, U.S. and global cybersecurity and privacy leader at consulting firm PricewaterhouseCoopers LLP.
There is a big trade-off to cloud services, though: They require cybersecurity teams to put new technology in place to monitor their workforce as closely as they could inside a company network.
Never trust, always verify
The pace of change could also help hasten a philosophical shift. Many cybersecurity teams previously viewed cyber defenses as a castle and moat, with firewalls and virtual private networks monitoring for unwanted visitors who were trying to come inside -- and assuming everyone inside had been vetted.
Now, with many more remote workers beyond companies' outer defenses, security professionals are focusing on securing individual employees and their devices. This "zero trust" model prioritizes verifying users' identities and devices at various checkpoints with passwords and other authenticators, says Stephen Schmidt, chief information security officer for Amazon.com Inc.'s cloud-computing arm, Amazon Web Services.
At the same time, teams limit access to sensitive material and use automated tools to scan devices and applications for abnormal spikes in traffic or unusual queries. The architecture is designed to detect attacks by people who have already made it inside networks, including disgruntled current or former employees.
"We've been on a journey to a zero-trust network for a long time," Mr. Schmidt says. "This really reinforced that that is something that has to be completed."
Getting past passwords
Along with adding new checkpoints within the system, companies are changing how you prove your identity at those points -- demanding a variety of identification methods instead of just traditional passwords.
Lost or stolen credentials comprised the second-most common cause of data breaches in 2019 after phishing emails, according to Verizon, while the leading form of malware was password dumpers, which extract credentials for crooks who seek access to company networks.
Enter multifactor authentication, which often combines passwords with other security measures, such as fingerprints or other biometric identification. Microsoft, for one, said last year that 90% of its employees no longer use passwords.
Multifactor authentication has also been critical for Swiss pharmaceutical firm Roche Holding AG as it secures its corporate applications while employees work from home.
Since the pandemic began, the number of employees connecting to the corporate network using a VPN roughly doubled, says Chief Information Security Officer Vicky Imber. To prevent bottleneck problems, Ms. Imber says, employees no longer need to log into VPNs to access certain applications, such as Roche's enterprise-software platform from Workday Inc. Instead, they use multifactor authentication to securely use those apps outside the VPN.
But employees still need the VPN to use applications where they access more-sensitive data such as financial information.
The shift away from passwords is a "no-brainer," says Frank Dickson, program vice president at research firm IDC.
"If I'm going to give you the keys to the entire house...I want to make sure you are who you say you are," Mr. Dickson says.
Mr. Uberti is a Wall Street Journal reporter based in New York, and Ms. Stupp is a Wall Street Journal reporter based in Brussels.