CISOs, what’s in your work-from-home program?

I wrote previously of what the key ingredients are for a successful travel program might include, as it was a topic which had not garnered much attention over the course of the past couple of years as pandemic took hold. What most entities have experienced since early 2020 is the IT scramble to accommodate the migration by employees from onsite and in their seat, to off-site and sitting wherever they could find internet access. Just like that, CISOs found themselves having to formulate work-from-home (WFH) policies, implementation and procedures.

The shift was swift, and while some companies did nothing but allow the employee to access their networks via an external internet connection, others took a more programmatic approach. One such entity was XYPRO. According to Steve Tcherchian, CISO and chief product officer at XYPRO, he observes the shift was swift, “We had lost the air cover that the office security infrastructure provides, we had to quickly adapt our WFH procedures and controls to address a situation where everyone was required to work from home at once.”

Multi-factor authentication first followed by technical controls

XYPRO prioritized steps putting multi-factor authentication (MFA) at the top of the list to “ensure all services were adequately protected against credential attacks,” Tcherchian continues. “Some of our staff had never worked from home and were ill-equipped to work efficiently.” He further observes how, “oftentimes, work on computers doubled as school computers.”

In sum, the implementation was an infosec nightmare. To rectify the situation, Tcherchian cataloged the changes that XYPRO rolled out to help ensure their remote workforce was as secure as those working from within security afforded by the office.

• Require MFA on all services
• Maintain BYOD devices at a certain OS/patch level
• Install antivirus tools and keep definitions current
• Properly secure Wi-Fi
• Prohibit company data from BYOD devices
• Do not shared computers
• Assign corporate computers or cloud workspaces for employees who had to share computers for their children’s school

This was followed, Tcherchian advises, by implementing technical controls to include mobile device management and the ability to remotely wipe the employee devices, which may include personal, non-company data. He notes that employees “voluntarily enter into our BYOD program.”

While remote work is at its apex, so are credential reuse attacks, says Bojan Simic, CEO/CTO of HYPR. He shared how “according to ESET research there was a 768% increase in RDP [Remote Desktop Protocol] attacks targeting remote workers in 2020. The number of virtual private network (VPN) users also increased by more than 54% in 2020, while MFA adoption remained relatively flat.”

Similarly, Mike Puglia, chief strategy officer at Kaseya, emphasizes the need to mandate the use of MFA and conditional access policies. Those working from home or at a far-flung beach bungalow “make extensive use of cloud apps and one can no longer make assumptions based on physical location or device.”

A few entities were impacted less than others, as was the case with Abnormal Security, which according to its CISO, Mike Britton is “a ‘remote-first’ company, which means we treat all employees as work from home. Our policies and procedures are designed with that operating model in mind. We reinforce that security is a critical aspect of how we operate, and the expectations of good security habits and requirements apply whether working from your home, a local coffee shop, or the office.”

Onboarding employees for remote work

Britton continues how Abnormal has a well-defined automated process that onboards the employee, who is provided a “company-issued laptop that is configured according to our security baselines and centrally managed.”

The devices, Britton explains, “leverage an enterprise SSO [single sign-on] solution that requires multi-factor authentication to access any company resources. All devices have endpoint detection and response (EDR) software and web filtering at the endpoint level to prevent access to malicious websites.” Additionally, via a third-party solution, he emphasizes “these devices are monitored for compliance and to prevent employees from making changes.”

While David Matalon, CEO of Venn, notes a Harris Poll showing that 71% of Americans admit to working around their company’s security protocols, when a protocol asks them to work in a non-natural way or cumbersome manner. His team “enjoys the notion of ‘freedom without compromise.’” Venn employees are permitted to use any device, anywhere. This is possible using a platform that “ensures all work-related data is secure and eliminate the possibility of enabling unrestricted access to such data with cutting edge DLP [data loss prevention].”

Need for a BYOD policy

Venn embraces the BYOD without exception, and it, too, has in place a methodology to “enable administrators to pull back or wipe all work-related data as required,” Matalon says. “Unlike traditional remote management monitoring, which wipes an entire device’s data, the secret sauce for Venn is being able to execute that same level of protection while ensuring that employee privacy is protected, too. LocalZone focuses exclusivity on separating work-related data from what is personal. If a wipe is required, an administrator can protect all work relating data while not interfering with the employee’s personal and private data.”

Puglia of Kaseya reflects how “most companies do not have a comprehensive BYOD strategy. They have a policy that enables employees to get email and maybe a few apps on their phones as a matter of convenience when the employee is not on their primary device. Organizations need to re-think their BYOD strategy to embrace access and more importantly, security, no matter what location or device users are on.”

All the policies and procedures already in place need to extend to every user and device no matter where they are as the physical boundaries of the office no longer apply. This may explain why Tcherchian led with the requirement of having MFA in place as the first bullet point in XYPRO’s migration to all employees working remotely, all at once.

Work from home requires a comprehensive architectural plan and decisions to be made, some which will increase the operational expenses of the CISO’s span while also increasing the security of the company. The aforementioned, examples from industry, highlight the diverse opinions on how to tackle the WFH conundrum, be it BYOD or company issued devices, both require process and procedures to implement securely.