Why remote working isn’t the security nightmare you think it is

Posted on 2020-03-19 by Matt Strahan in Business Security

A couple of days ago we posted up tips and advice to deal with this period of remote working. It’s a scary time not just for our health but also for our security, with organisations suddenly needing to have everyone to stay away from the office and to work from home, safe from the coronavirus.

For today, I’d like to provide a bit of reassurance: this period of remote working probably won’t present new risk to your organisation. Don’t get me wrong – there’s still a lot of risk in cyber security, but having a whole bunch more people working remotely probably isn’t going to open you up to new threats.

Your physical security probably isn’t as good as major hosting providers

I’ve dealt with a fair few physical intrusions and penetration tests. It turns out getting into your average company environment and connecting to their network isn’t all that difficult. This means that the physical “perimeter” for an organisation has slowly faded and, quite frankly, was never really there.

Ideally organisations shouldn’t provide inherent trust for anything on their internal network. With good internal security it should be “you connect to the network and you get access to everything”. Organisations should be performing internal penetration testing anyway to make sure that devices connected to the internal network can’t compromise their infrastructure.

Given that organisations can’t rely on physical proximity for trust, does it really matter if the trusted devices are within that physical proximity? When you discount the effectiveness of physical controls, the security model suddenly doesn’t really change when you throw remote working into the mix.

You know who does have really good physical security controls? Datacentres for AWS and Azure. Unless you work in defense, your physical security controls probably aren’t as good as theirs. I’d trust the physical safety of a cloud server way more than I’d trust the physical safety of that server in your server room.

In the end, the different physical location of your end user devices shouldn’t really affect your security model, rather you should treat internal devices like remote workers anyway. Because of this change in mindset, I’d argue that an organisation setting themselves up for remote working can make themselves more secure not less! They rely less on the false security of their physical premises.

It’s all about the endpoint… but it was all about the endpoint anyway

The security of the endpoint becomes critical for remote working. If the endpoint is compromised then your organisation’s data and infrastructure could be at risk.

That’s all true…but is that any different whether the user has gone to the office or not? Most endpoints are laptops that workers bring in and out, so the prospect of someone stealing the device or sneaking some malware onto the device doesn’t change between working on-site and remote working. Exfiltration of data isn’t particularly difficult if you’re in the office. If anything, a compromised endpoint is more dangerous in the office – it could lead to attacks on other endpoints.

In office working you have the security of your server, the security of the user’s account, and the security of the endpoint. All of this is identical for remote working. When all the traffic between the endpoint and the server is encrypted with TLS, the infrastructure in between becomes a bit less important. Again, this means the security model doesn’t significantly change.

If a window is open it’s open, no matter how many people are in the room

One facet of this new challenge in coronavirus is that we’re not just having one or two people work from home, or a person working from home one day a week, but a significant part of the work force working from home. This makes people nervous – more people remote working means more risk right? Or does it?

If someone works from home one day per week, you’ve already set them up for remote working. They have their SaaS accounts, their online single sign-on, their VPN, and their email on their phone. Whether they’re in the office one day per week or five, they still have all this access anyway. You should be concentrating on the access they have not how much they use it.

Similarly, having more people convert to the remote working workflow will probably not increase your risk significantly. You have already rolled out the infrastructure – if there’s a vulnerability in that infrastructure it’s there no matter how many people are using it.

The benefits of remote working are huge and there’s probably no going back

Gitlab has a great list of benefits of remote working. They include more flexibility, less stress, better safety and better communication. Employees can spend more time with family and less time on the bus and train. They tend to be happier and have a better work-life balance. For organisations you could have increased productivity and lower office costs, which could result in huge savings for the business. It could actually achieve “more for less”.

Remote working will continue to increase and I feel this might be a huge tipping point for it. Once people are given the opportunity to work remotely it will be very hard to completely take it back. Even when the pandemic is over, I’d be willing to bet a lot of people might still appear in the office every so often, but it won’t go back to a 9-5 office job.

This means that any work you put in now won’t just be for a temporary hold-over while we wait it out. Instead, it will be putting in the foundations for what may be the new normal of remote working. Whether you like it or not, remote working now has to form a core part of your security strategy.

This is still a time to be wary because people will take advantage of it

A constant lesson in security is that when someone’s down there’ll always be someone who will be willing to take advantage of it. These times are no different. As hard as it is to maintain concentration during a pandemic, we still need to be wary because there will be people who are looking to take advantage.

That said, we should all make sure we’re putting our effort into the right places. If you missed our post about security precautions for remote work, go review it. Meanwhile, if you have any more questions or issues, or need a bit of advice, then get in touch with us or email us at [email protected]. We’re here to help!

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Andrew Neel on Unsplash.

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn