The idea of working from home, a methodology now imposed by the pandemic, is something most businesses should get comfortable with. For many years, there has been resistance against the model, ignoring the implications of its implementation.
Now, after its sudden enforcement, something that no one could possibly have predicted in 2019, thousands of businesses around the world are discovering (and in many cases, experiencing) the risky implications of going WFH.
Having remote workers creates a whole new set of challenges in the cybersecurity field. Teams are no longer working at company facilities, where the infrastructure is (ideally) robust and well-protected, but from their apartments and casual venues. This is a major security liability that too many continue to ignore.
New Problems
Working from home taps a rich source of cybersecurity issues that companies must take care of. From working while connected to insecure networks and using personal devices to lacking the proper methods to protect IoT devices and processes, challenges are abundant for modern businesses.
We also have the widespread use of insecure software. Take Zoom, for example, a piece of free software that has become a quintessential tool since the quarantine started. The software also came with a plethora of security vulnerabilities that led to breaches for thousands of users, both on free and paid plans.
On a different flank, while the Internet of Things (IoT) has the potential to empower businesses, the technologies behind it often lack, by default, the cybersecurity standards we should be looking for.
In processes where IoT has become essential, there are multiple factors to consider. Devices, in most cases, lack the processing power and memory capacity to enable security features. Data encryption is one example.
Even worse, for many years the IoT device industry showed a serious lack of concern for cybersecurity matters, leaving its products fairly unprotected. This has, naturally, changed for the better, but it should serve as a reminder for organizations to take a closer look at the security controls currently present in their devices.
Securing IoT Devices
In the IoT field, what should companies be doing with their devices to guarantee security, control, and integrity?
The first step is to include IoT in their global security framework, a practice that is currently the exception rather than the norm.
The Internet of Things Security Foundation released, very recently, a new version of their security framework for businesses to take into consideration. The IoT Security Compliance Framework recommends some of the following actions and practices:
- IoT devices’ processor systems must have an irrevocable hardware Secure Boot process.
- IoT devices must have controls to prevent the access and use of unauthenticated software.
- Software updates for the devices must be digitally signed, carry a signing certificate, and have the signing certificate chain verified.
- IoT devices’ reset passwords must always be unique to each device in a product family.
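As an added illustration (not part of the original article or of the IoT Security Foundation framework), the Python below audits a constructed device inventory against the four practices listed above. The record fields and the `device` and `audit` helpers are assumptions made for this example.

```python
import hashlib
from collections import defaultdict

def device(dev_id, family, reset_pw, **overrides):
    # Hypothetical record layout; a fully compliant device is the default.
    rec = {"id": dev_id, "family": family, "reset_pw": reset_pw,
           "secure_boot": True, "secure_boot_revocable": False,
           "rejects_unauthenticated_sw": True,
           "update_signed": True, "update_chain_verified": True}
    rec.update(overrides)
    return rec

# Constructed sample inventory (not real devices).
INVENTORY = [
    device("cam-001", "cam-x", "k3!vQp9z"),
    device("cam-002", "cam-x", "admin1234", secure_boot_revocable=True),
    device("cam-003", "cam-x", "admin1234"),
    device("lock-001", "lock-a", "admin1234", update_chain_verified=False),
    device("lock-002", "lock-a", "Zt7#mW2q", rejects_unauthenticated_sw=False),
]

def audit(inventory):
    """Return a sorted list of (device_id, finding) tuples."""
    findings = []
    by_family_pw = defaultdict(list)
    for d in inventory:
        if not d["secure_boot"] or d["secure_boot_revocable"]:
            findings.append((d["id"], "secure boot missing or revocable"))
        if not d["rejects_unauthenticated_sw"]:
            findings.append((d["id"], "unauthenticated software allowed"))
        if not (d["update_signed"] and d["update_chain_verified"]):
            findings.append((d["id"], "update signature or chain not verified"))
        # Group by digest so plaintext passwords are never used as keys or echoed.
        digest = hashlib.sha256(d["reset_pw"].encode()).hexdigest()
        by_family_pw[(d["family"], digest)].append(d["id"])
    for (family, _), ids in by_family_pw.items():
        if len(ids) > 1:  # the listed practice scopes uniqueness to a product family
            findings.extend((i, f"reset password shared within {family}") for i in ids)
    return sorted(findings)

if __name__ == "__main__":
    for dev_id, finding in audit(INVENTORY):
        print(f"{dev_id}: {finding}")
```

Note that `lock-001` reuses the same reset password as two cameras but is not flagged for it, because the check follows the per-family wording of the listed practice; a stricter fleet-wide uniqueness check would group on the digest alone.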
Besides these general recommendations, organizations must do the work to guarantee authentication mechanisms and processes for the IoT devices. Authentication should exist on multiple layers: device, user, and system.
This is the stage at which companies should oversee the implementation of close-fitting security controls.
Future-Ready Businesses
Working from home is unsafe and reckless by default. This means that, unfortunately, businesses have to go the extra mile to protect their assets while their professionals are away, operating in less-than-ideal circumstances.
In what may be bad news for many organizations, the current WFH situation could be very far from changing. We could be facing a “definitive” work culture, a work style that has come to stay. And while the switch towards WFH was inevitable, COVID-19 sped it up tenfold.
This means that sooner or later, companies will have to invest to protect their operations accordingly. Undoubtedly, when it comes to cybersecurity, sooner is always better.