A report from Verizon says that WFH policies are harming information security.
However, there doesn't seem to be any evidence of anything harmful happening, and I strongly suspect that the report is yet another opinion survey.
If there is any increase in security threats, I'm sure the real culprits are:
- a huge surge in spam, fraud, and phishing emails. This has been going on ever since the pandemic started, and it's gotten worse in the past couple of months.
- a lack of "work from home" policies on the part of businesses, and no real thought about the risks involved in simply sending people home and telling them to carry on as usual (in a highly unusual situation).
- no provision or budget for the computers, devices, and security software that might be needed to provide extra protection in WFH situations.
Any threats that exist will most likely derive from the sudden move to working from home, not permitting proper preparation and organisations having to play catch up. Certainly many organisations business continuity plans didn't take into account governments ordering the closure of workplaces and advising those who could to work from home. Many workarea recovery arrangements simply couldn't be used effective due to the social distancing requirements and over subscription by providers.
We are so locked down here with WFH its not funny. Cannot print, use a USB storage device, took Outlook off our phones, etc. Those who fail to comply have been immediately terminated. A year or more later we have been remarkably free of any real security problems. My suspicions lie in the 'naming and shaming' conference calls after the fact of course.
Point is, WFH can be done successfully but you really need to do so with an iron fist or face being nibbled to death with smaller incidents. Come to think of it, I don't remember having a conference call last quarter concerning who the client fired and why. Must be working.
Working from anywhere can be made secure if you have time to prepare and test. I was just brought into an agency in Jan 2020. The CIO was asking to purchase desktops. I asked "shouldn't we be looking forward to having a mobile workforce and get laptops instead?" He replied "No. Desktops are the way to go." 4 weeks later we were sent home. We had to scramble to find laptops to send home with employees. We ended up borrowing some from another agency until we could change our purchase order from desktops to laptops and wait in line with everyone else who all of sudden need to make their workforce mobile in an instant.
What did we learn?
Our VPN client couldn't handle the traffic so we had to upgrade.
Some employees didn't have work that could transition easily to work from home (WFH) or wasn't able to be done at home. So for those people we had to get creative and either let them take leave, let them be the only ones coming into the office, or pay them to go home and not do anything.
We had some employees who lived in rural areas where fast broadband Internet wasn't available (DSL was the best they could do and yes, I realize that DSL is technically considered broadband, but not adequate for their needs). So we had that issue.
We had some people that found out it was faster to work off of VPN (but they couldn't get to internal resources) so we had to work that out.
Our HR policies were very restrictive on telework so we had to upgrade those.
Some of supervisors didn't know how to "supervise" teleworking employees as they never had to do that before so there was that learning curve.
I think productivity suffered, I know collaboration did as well.
Oh yeah, we didn't have a great collaboration tool so we had to work that out.
Teleconferencing was a mess but we got it straightened out.
When our employees worked off vpn the computers didn't receive or update the security console so we had to keep asking employees to get on vpn so we could update stuff.
I tell all of this to ask this question:
"Was it WFH's fault or was it the agency not being forward enough thinking to develop a remote workforce ahead of time's fault? I implore you, if you are in a position of leadership, begin to think about how you can move your organization forward, not just keep it running.
Any time you have to make a rushed decision you often do not have time or the experience to think of everything. Organizations need to be careful rushing to fire employees if they were not fully prepared to securely implement WFH. I know if I were fired and there were not adequate rules and provisions set beforehand AND there was not clear evidence that I violated those provisions which caused the incident, I would be speaking to a lawyer and suing my company.
If the organization already have everything in place to support remote work, it's less of a risk since remote users were already protected by existing security stack, just now might ask for more stuff being opened/allowed.
Many organizations did not have solid infrastructure and security designed to support remote work, and were forced to do so in a hurry (often security is overlooked). That's where Work from Home contributed to the security risk.
As we moved to WFH, we struggled to get hold of enough laptops for those staff who didn't already have them.
@Steve-Wilme Same here. We had the technology in place for staff to work remotely but we definitely didn't have enough laptops to move almost everyone out. At times we had to pay a few hundred dollars more just to get our hands on anything our suppliers had available. We had been toying with the idea of switching out PC's for laptops with docking stations for a while. The pandemic made it even more evident that we need to move in that direction.