In the wake of COVID-19, many organizations are considering a permanent shift to telework. Having employees work from home provides a number of benefits to both the organization and its employees; however, it also exposes the organization to new cyber threats. Beyond the increased threat of attack from external actors, the processes and technologies needed to support telework call for a reassessment of an organization’s third-party risk management strategy.
Telework Creates New Third-Party “Partners”
Most organizations are accustomed to managing some level of third-party risk. In fact, 94% of companies allow third-party organizations to have accounts on their networks. This enables these partners to potentially access, edit, or exfiltrate an organization’s sensitive data.
When employees and core services move to infrastructure that sits outside the network perimeter, the concept of third-party risk changes dramatically. Bad actors may compromise home networks and impersonate trusted employees in an attempt to access files or move laterally within the enterprise network.
Home Work Environments and New Network Infrastructure
When employees are working on-site, the organization has complete control over and visibility into the network infrastructure. Before network traffic reaches any infrastructure controlled by a third party, it is forced to flow through perimeter-based monitoring solutions that are capable of identifying and blocking potential exfiltration of sensitive data.
With telework, employees are working from their home networks. Many of them have access to virtual private networks (VPNs) to protect the confidentiality of their connection to the enterprise network. However, in order to meet the demand for increased VPN capacity, many organizations have adopted split-tunnel VPNs, which send only enterprise-bound traffic through the tunnel and route traffic bound for the public Internet directly from the home network, bypassing the perimeter monitoring described above.
As employees move outside the network perimeter, new organizations gain access to a business’s network traffic. All traffic that flows through a VPN ultimately relies upon the security of the software created by the organization’s VPN provider. Any traffic routed directly to the public Internet is visible to the employee’s home Internet Service Provider (ISP). With telework, a business’s cybersecurity now also depends upon the security of these external organizations.
Increased Reliance on Cloud-Based Solutions
Before the pandemic and the sudden shift to telework, many organizations had already begun transitioning to cloud-based solutions for critical business processes. The need to support a remote workforce, however, has accelerated this shift for many organizations.
With a shift to cloud-based infrastructure comes the need to properly secure these cloud environments. In the cloud, an organization relies upon its cloud service provider (CSP) to secure the underlying infrastructure. The cloud customer lacks visibility into these low-level systems and must trust the CSP to monitor and secure them appropriately. It is equally important for the customer to securely configure the cloud resources that hold its data, since misconfigurations of those resources are a main entry point for attackers.
Cybersecurity Threats to Collaboration Platforms
One of the most visible effects of the shift to telework was an increased reliance on online collaboration platforms. Meetings that were previously held in-person were moved to Zoom, Teams, Slack, WebEx, GoToMeeting, and other collaboration platforms.
When using many of these platforms, the platform’s creator has access to the meeting video and audio. In most cases, the platform offers encryption it describes as end-to-end, but with keys generated and maintained by the platform itself rather than by the participants. This means that a compromised key server, or a malicious insider at the platform provider, could potentially gain unauthorized access to meeting video containing sensitive internal data.
How MorganFranklin Can Help
Supporting a secure and sustainable telework program is possible; however, it requires careful consideration of the associated cybersecurity risks. MorganFranklin advisors can help an organization identify the new risks created by a remote workforce and design and implement security controls that meet the organization’s risk appetite.