COVID-19 changed the workplace environment for a lot of companies and enterprises, and it forced corner-cutting in cybersecurity. In early March 2020 the virus forced a lot of companies to empty their office buildings and move everything, and all of their employees, to remote locations and into the cloud. What led to the shortcuts in security was not just the sudden change to working from home, but the fact that all of it had to be done in just a very few days.
In the past, I wrote about security issues with the Internet of Things (IoT), and those problems are still growing to this day. This matters especially when IoT devices in home environments sit on the same network as the virtual private network (VPN) clients, so malware on a consumer device can sometimes spread through that pipeline, which leads to a mess.
A recent Verizon mobile security report put it as bluntly as can be.
Almost half of the respondents admitted that their company had knowingly cut corners on mobile device security. That’s an increase from our 2020 report when the figure was 46%. The proportion rises to two-thirds [67%] in our IoT sample. And of those remaining, 38% (27% IoT) came under pressure to do so. Another way of looking at this is that 68% came under pressure to cut corners and 72% of those succumbed.
One major point needs to be made: this is just a survey. How many cybersecurity professionals knew that they were going to have to cut corners when their companies and enterprises had to get employees working from home at a moment's notice? People who work in cybersecurity know how easy it is for data to be leaked, so in my personal opinion the numbers Verizon presents are most likely conservative compared with reality.
Dual Local Area Networks (LANs) in Home Offices
This is pretty simple to achieve and pretty inexpensive overall. One good idea is to buy an additional router. This sharply reduces exposure to issues from the consumer-grade devices in the home: kids' games, IoT devices, and the risks from God knows what websites and downloads may happen.
The policy rule for this is simple. Create a corporate-only LAN, and require that all corporate devices use that LAN and only that LAN. That means a dedicated laptop, phone, or tablet used solely for work purposes.
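One way to check that the corporate-only LAN rule is actually being followed is to audit the routers' DHCP leases against an inventory of corporate devices. The script below is an added example, not code from the original post; the subnets, MAC addresses and lease lines are constructed sample data, and the lease format is assumed to be dnsmasq-style.

```python
"""Audit DHCP leases from a dual-LAN home office against the
corporate-only LAN policy. Subnets, MACs and lease lines are
constructed sample data, not taken from the original post."""
import ipaddress
import re

# Assumed layout: the second router carves out a corporate-only subnet.
CORP_LAN = ipaddress.ip_network("192.168.2.0/24")
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# Assumed corporate device inventory keyed by MAC address.
CORP_DEVICES = {
    "aa:bb:cc:00:00:01": "work-laptop",
    "aa:bb:cc:00:00:02": "work-phone",
}

# Constructed dnsmasq-style lease lines: epoch MAC IP hostname client-id
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.2.10 work-laptop *
1700000001 aa:bb:cc:00:00:02 192.168.1.23 work-phone *
1700000002 de:ad:be:ef:00:03 192.168.1.40 smart-tv *
1700000003 de:ad:be:ef:00:04 192.168.2.15 game-console *
"""

LEASE_RE = re.compile(r"^\d+\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)")


def audit_leases(lease_text):
    """Return a list of (mac, ip, hostname, reason) policy violations."""
    violations = []
    for line in lease_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        mac, ip_str, host = m.group(1).lower(), m.group(2), m.group(3)
        ip = ipaddress.ip_address(ip_str)
        is_corp = mac in CORP_DEVICES
        if is_corp and ip not in CORP_LAN:
            violations.append((mac, ip_str, host, "corporate device off the corporate LAN"))
        elif not is_corp and ip in CORP_LAN:
            violations.append((mac, ip_str, host, "non-corporate device on the corporate LAN"))
    return violations


if __name__ == "__main__":
    for v in audit_leases(SAMPLE_LEASES):
        print("VIOLATION: %s %s %s: %s" % v)
```

On the constructed data it flags the work phone that joined the home LAN and the game console that joined the corporate LAN.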
Revisited and Revised Bring Your Own Device (BYOD)
I need to stress this one to everyone. The idea is to go through the bring your own device policy completely and review how the company or enterprise handles it, but not to abandon it. The more you think about it, there are far too many variables to pursue that route. Companies and enterprises need to decide what their plans are for late 2021 and all of 2022.
Not every company or enterprise has moved to BYOD, of course, but those that did had to do so under very different circumstances. There has always been some risk management around employees bringing their own devices. It usually goes something like this.
Let's do it, but considering that ninety percent of the communications are not done on personal mobile – there is a limit to how much trouble that is going to get us in.
This is honestly the same logic that permitted some major security issues in home offices before COVID-19 ever happened. It also assumed that companies and enterprises had around ten percent or fewer of their employees working from home, so some considered it unnecessary or not cost-effective to spend a lot of money securing those people.
Today, with so many more people working from home and so much more activity happening from remote sites via mobile devices, the bring your own device policy needs to be strongly reconsidered.
Let's go back to my first suggestion, the dual LANs. There is a limit to how much risk management can do if the employee works from a device that is also accessing high-risk sites and downloads. To benefit the most from the enterprise-only LAN, you need to get very strict with the policies, which means rethinking the bring your own device policy.
Mobile Device Management
Unlike bring your own device, the question here isn't whether you should use Mobile Device Management (MDM) at all; it's which provider to use and whether it's time to upgrade or revisit your configuration. With mobile taking over how we interact with data, and MDM being the control mechanism, rethinking mobile device management in 2021 will most likely lead to different decisions.
One outcome is that you may now be able to justify the cost of a higher-level solution. You should always crunch the numbers, have the meetings, and review product options to find out.
I am willing to argue that mobile device management has advanced greatly in the past few years, so it is no longer all or nothing. Everyone had to rush to get a solution up and running, but a lot of employees in a company do not need the access levels they were given. You always have to remember the principle of least privilege when it comes to access to products. Now that access to everything has been handed out, companies need to start taking back the privileges that different employees do not need.
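The least-privilege cleanup described above can be driven from a simple comparison of what each role actually needs against what each user was granted in the rush. The script below is an added example, not code from the original post or any particular MDM product; the roles, users and privilege names are constructed sample data.

```python
"""Least-privilege review of access granted during the rush to remote
work. Roles, users and privilege names are constructed sample data,
not from the original post or any particular MDM product."""

# Assumed per-role baseline: the privileges each role actually needs.
ROLE_BASELINE = {
    "sales": {"email", "crm", "vpn"},
    "engineer": {"email", "vpn", "source-control", "ci"},
    "finance": {"email", "erp", "vpn"},
}

# Constructed MDM-style export: user -> (role, privileges granted in the rush)
GRANTED = {
    "alice": ("sales", {"email", "crm", "vpn", "source-control", "admin-console"}),
    "bob": ("engineer", {"email", "vpn", "source-control", "ci"}),
    "carol": ("finance", {"email", "erp", "vpn", "ci", "admin-console"}),
    "dave": ("contractor", {"email", "vpn"}),
}


def review_access(granted, baseline):
    """Return {user: {"revoke": set, "missing": set, ...}} for users whose
    grants differ from their role baseline. A user with a role that has no
    baseline is flagged for full revocation so nobody keeps access merely
    because their role was never defined."""
    findings = {}
    for user, (role, privs) in sorted(granted.items()):
        if role not in baseline:
            findings[user] = {"revoke": set(privs), "missing": set(), "unknown_role": role}
            continue
        needed = baseline[role]
        revoke = privs - needed   # granted but not needed: take it back
        missing = needed - privs  # needed but not granted: fix the baseline or the grant
        if revoke or missing:
            findings[user] = {"revoke": revoke, "missing": missing}
    return findings


def revocation_plan(findings):
    """Flatten findings into sorted (user, privilege) pairs for ticketing."""
    return sorted((u, p) for u, f in findings.items() for p in f["revoke"])


if __name__ == "__main__":
    for user, priv in revocation_plan(review_access(GRANTED, ROLE_BASELINE)):
        print(f"revoke {priv} from {user}")
```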
I've seen several friends complain about what we are going to call the popular user. This is the person, often at management level, who says "I'm just doing my job."
This almost always means: "Your requirements for enterprise security take too much time and effort for my liking. I am trying to do my job, and I want the convenience of doing it the way it has been done for the last year." This started right at the beginning of the pandemic, when virtual private networks (VPNs) were seeing a massive increase in usage while a lot of employees were sidestepping them to get their work done. Managers usually applauded those efforts or just flat out ignored them.
To those friends, that proved the corporate and enterprise security professionals hadn't done a good job of selling the benefits of adhering to security policies to employees. This seriously needs to be evaluated as well.
A lot of companies and enterprises have learned a lot of lessons in the last year about strong cybersecurity policies, some good and some bad, and they are revisiting their policies again to make sure they end up with a more secure environment for their employees to work in remotely. If you have not been thinking about revisiting your security policies, you should seriously take a look now.