A Q&A with Ron Raether of Troutman Sanders, LLC, and Jason Smolanoff of Kroll
The current COVID-19 outbreak shows no signs of slowing down, especially in the United States, and until an effective vaccine can be widely distributed, remote work will be encouraged if not required where possible. As we’ve already seen, however, these ad hoc home set-ups can pose significant risks for data loss and privacy infringements. We talked to two experts, Ron Raether of Troutman Sanders, LLC, and Jason Smolanoff of Kroll, to get their insights on securing remote work as a new normal.
With the influx of remote workers, what are some of the cyber liabilities or regulatory issues that concern you?
RR: One of the things we’re seeing now, months into the pandemic, is that our clients are not immediately going back to pre-COVID-19 work habits—they are either going back to the office in phases or only certain workers are going back on specific days and staying home on others. That flexibility (and inconsistency) presents its own challenges. Now you have an even more transient workforce to deal with and no real patterns for a critical mass of the user base. In my own practice, for example, I might log in one day from New York, on another from Dallas or San Francisco. If I have an anomalous intrusion detection system looking for IP changes, it’s going to impact and possibly confuse the algorithms. Physically going back and forth between the office and home also means people will be transporting documents and devices, creating more risk and new physical security concerns.
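To make the point above concrete, here is an added example (not code from the interview or from either firm) that runs two login-anomaly rules over a constructed week of logins for one roaming user. The naive rule alerts on every source-IP change and so fires on almost every legitimate login; the second rule keeps a per-user set of known locations and only alerts on an unseen city or on travel that is physically impossible between consecutive logins. The user name, IP addresses, coordinates, and the 900 km/h travel ceiling are all assumptions chosen for the illustration.

```python
"""Naive IP-change alerting versus a per-user location baseline.

Added example; the login records below are constructed, not taken from
any real log. Events for a user are assumed to be in chronological order.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set

EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    city: str   # resolved from the IP by some GeoIP step, assumed here


# Constructed sample: the same user logging in from New York, Dallas and
# San Francisco over a week, then a login 30 minutes after a New York
# login from a city this user has never used.
SAMPLE: List[Login] = [
    Login("rr", datetime(2020, 9, 14, 9, 0), "203.0.113.10", 40.71, -74.01, "New York"),
    Login("rr", datetime(2020, 9, 15, 9, 0), "198.51.100.7", 32.78, -96.80, "Dallas"),
    Login("rr", datetime(2020, 9, 16, 9, 0), "192.0.2.33", 37.77, -122.42, "San Francisco"),
    Login("rr", datetime(2020, 9, 17, 9, 0), "203.0.113.10", 40.71, -74.01, "New York"),
    Login("rr", datetime(2020, 9, 17, 9, 30), "203.0.113.99", 55.75, 37.62, "Moscow"),
]


def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def naive_alerts(events: List[Login]) -> List[int]:
    """Indices of logins whose source IP differs from the user's previous login.

    This is the rule that a transient workforce turns into pure noise.
    """
    last_ip: Dict[str, str] = {}
    hits: List[int] = []
    for i, e in enumerate(events):
        if e.user in last_ip and last_ip[e.user] != e.ip:
            hits.append(i)
        last_ip[e.user] = e.ip
    return hits


def baseline_alerts(events: List[Login], known_cities: Dict[str, Set[str]],
                    max_kmh: float = 900.0, min_km: float = 50.0) -> Dict[int, List[str]]:
    """Map login index -> reasons, alerting only on an unknown city for this
    user or on implied travel faster than max_kmh since the previous login.

    Short hops (< min_km) are ignored so that GeoIP jitter does not alert.
    """
    last: Dict[str, Login] = {}
    hits: Dict[int, List[str]] = {}
    for i, e in enumerate(events):
        reasons: List[str] = []
        if e.city not in known_cities.get(e.user, set()):
            reasons.append("new_location")
        prev = last.get(e.user)
        if prev is not None:
            dist = distance_km(prev, e)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if dist >= min_km and speed > max_kmh:
                reasons.append("impossible_travel")
        if reasons:
            hits[i] = reasons
        last[e.user] = e
    return hits


if __name__ == "__main__":
    known = {"rr": {"New York", "Dallas", "San Francisco"}}
    print("naive rule fires on:", naive_alerts(SAMPLE))
    print("baseline rule fires on:", baseline_alerts(SAMPLE, known))
```

With the constructed data the naive rule flags four of the five logins, all but the first, while the baseline rule flags only the last one, for both reasons at once. In practice the known-city set would be learned from a training window per user and expired over time rather than hard-coded.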
How do you see the risks associated with remote work evolving over time?
RR: When the pandemic first hit, it was a question of business continuity and quickly finding solutions. Now that this is ongoing, we should have business continuity practices in place. I’d expect that we will see formalization of best practices and the like focused primarily on the need for flexibility and rapidly changing requirements.
JS: The foundation of business continuity and IT operations in the initial migration from an office to a work-from-home environment was designed to provide employees with fast access and speed to network resources. Unfortunately, in the first days of COVID-19 lockdowns, information security was subjugated to business continuity and IT operations and often overlooked or ignored. Now that we know remote work is here to stay for a while, many companies have learned that they need to better align internal processes with their revamped security strategies to evolve with new forms of business delivery.
Can you address the risk around remote desktop protocols (RDP)?
JS: RDP is just one method of accessing a corporate network from home. There is nothing wrong with using RDP—it’s just that most companies are deploying it in a configuration that has shortcomings, including the use of single-factor authentication, which has been one of the leading causes of unauthorized access in the last few months. Many of our current clients were the victims of credential theft. When combined with a single-factor authentication scheme, this leads to network intrusion and possibly data compromise. Another example is weak passwords. For a gazillion years we have been telling people to use long complex passphrases—at least 15 characters or longer—and we still see pet names, alma maters, and other easily guessable passwords used. Finally, home Wi-Fi networks need to be securely configured as well. I can guarantee you that if I drive around my neighborhood, I will find that 85 percent of folks are not changing the default administrator credentials in their home routers. Basic information security “blocking and tackling” would go a long way to improving corporate and personal information security.
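The passphrase rule in the answer above (15 characters or longer, nothing built from a pet name or alma mater) is easy to state and easy to get wrong in enforcement, because users disguise the same guessable word with trailing years, punctuation and leetspeak. The following added example (not code from the interview or from either firm) checks a candidate against that advice, normalizing away those disguises before comparing it to a list of personal terms supplied by the caller. The personal terms, the leetspeak table and the sample candidates are constructed for the illustration.

```python
"""Check a candidate password against the passphrase advice above.

Added example. Personal terms (pet names, schools) and the leetspeak table
are constructed assumptions; a real deployment would take the personal
terms from an HR or directory feed and the common-word list from a breach
corpus.
"""
import re
from typing import Iterable, List

MIN_LENGTH = 15

# Common single-character substitutions users apply to a guessable word.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(s: str) -> str:
    """Lowercase, drop decoration such as '2019!' at either end, undo
    leetspeak inside the word, then keep letters only."""
    s = s.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = s.translate(LEET)
    return re.sub(r"[^a-z]", "", s)


def check_passphrase(candidate: str, personal_terms: Iterable[str],
                     common_words: Iterable[str] = ()) -> List[str]:
    """Return a list of problems; an empty list means the candidate passes.

    - length below MIN_LENGTH
    - contains a normalized personal term of four or more letters
    - is a single common word once decorations are stripped
    """
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short ({len(candidate)} chars, need {MIN_LENGTH})")
    norm = normalize(candidate)
    for term in personal_terms:
        t = normalize(term)
        if len(t) >= 4 and t in norm:
            problems.append(f"contains personal term: {term}")
    for word in common_words:
        if norm == normalize(word):
            problems.append(f"is a common word with decorations: {word}")
    return problems


if __name__ == "__main__":
    personal = ["Fluffy", "Ohio State"]          # constructed for this user
    for cand in ["Fluffy2019!", "G0OhioSt@te2020!!",
                 "Password12345678", "purple-kettle-orbits-4-fjords"]:
        print(repr(cand), "->", check_passphrase(cand, personal, ["password"]))
```

Of the four constructed candidates only the last, a multi-word passphrase, passes; the other three are rejected even though two of them meet the length rule, because length alone does not stop a password that is a known personal fact with a year bolted on. MFA on the RDP gateway is still the control that makes a stolen or guessed password insufficient on its own; this check only reduces how often that situation arises.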
What other specific threats are you seeing?
JS: The threats themselves haven’t exactly changed—phishing, social engineering and ransomware events have largely stayed the same, but the attack surface has expanded with people at home, outside of the protection offered by the office network. We have also witnessed an increase in “watering hole” websites—where attackers make replicas of sites people frequently visit, such as those with information about COVID-19 statistics, drive people to the fake site and use it to infect their systems with malware. Other recent threats are unemployment assistance and PPP loan fraud, intrusions into companies conducting vaccine and treatment research, and data theft from healthcare organizations.
What can a CEO, CIO or risk manager do to mitigate these risks?
RR: We need to continue to emphasize secure practices and update policies accordingly. If people are working from home, make sure they are not sharing a computer with other family members. At the very least, if they are using a personal computer, they need a separate log-in so other people can’t access their data. Given that many workers will be transitory, we need to be more aware of potential phishing attacks and wire fraud schemes via email compromise and train workers accordingly. It’s still the same three-legged stool in terms of physical, administrative and technical controls; we just need the proper teams and procedures in place to avoid widening any possible cracks in our security posture and to quickly eliminate any that we may discover.
JS: We strongly encourage basic information security blocking and tackling to include: (a) implementing and enforcing the use of multifactor authentication for remote access to corporate resources; (b) using a robust managed detection and response platform; (c) a robust identity and access management strategy based upon the principle of least privilege and the use of long password phrases; (d) a rigorous approach to vulnerability management; and (e) developing a management commitment to information security. I have advocated for these basic steps for the past twenty years. The majority of computer intrusions are a direct result of these basic steps being ignored or, more likely, being subjugated to IT operation considerations.
I’d like to thank these industry experts for their thoughtful insights from a technical and legal perspective. Jason’s advice about MFA when utilizing RDP is spot on, as experts advise that this long-standing vulnerability has been targeted even more frequently in the work-from-home environment. And Ron’s comment about the “same three-legged stool of physical controls, administrative and technical controls, and policies and training” is a good reminder about the baseline standards of care required and the importance of bedrock safeguard measures. We see these themes frequently underscored in our annual cyber claims study.
Please find inside your eRisk Hub portal some resources that address this issue, such as a free Covid19 Work From Home Cybersec Policy, and learn more about Breach Plan Connect™, an instant IR plan that can be accessed at a moment’s notice during a crisis from the BPC mobile app.