We’re roughly six months into the world’s sudden, unplanned leap into a work-from-home (WFH) lifestyle. And most of the IT policies thrown together to handle the switch are definitely showing their gaps. We recently had a conversation with Pratum CEO Dave Nelson and PC Matic Federal President Terry McGraw to hear their insights on what we’ve learned so far and how organizations should be adapting to the new threat landscape.
Here we share the second of two blogs featuring an edited transcript of the conversation with these cybersecurity leaders. You can watch the full video through the player on this page.
What legal concerns arise with increased use of personal devices?
Terry: I’m not a lawyer, so I’m not providing legal advice. But anytime you’re extending a corporate view into a privately owned device, there are innumerable complications that open both the business and the person up to liability.
I think we need to train, coach and even enable. Provide for your home users’ antivirus or VPN solution. Help them lock down their own environment with training tips. Make sure the basic blocking and tackling is done. But when you try to extend your visibility down to that device, that’s when you open yourself up to a morass of liability concerns. Employees may wonder, “Who’s accessing my camera? Did they access my files?” As a business leader, I don’t think I want to get into that environment. I think the better way is to just assume everything is dirty and lock down your internal data systems rather than trying to play Whack-A-Mole at the end user level.
Dave: I totally agree. I’m also not an attorney, so this isn’t legal advice. But you see companies that have been sued because they wiped a phone when an employee left or they took a laptop that they thought had data on it, and it turned out to be an employee’s private laptop.
What happens when something doesn’t work at someone’s house? Are you going to send a tech out there to fix it? Is that a new job description that you’re supporting all that hardware?
Once you start taking some responsibility, you’re taking some liability. What if that network becomes part of a breach and you had responsibility for keeping it secure? You have some liability for that breach.
Get your HR team involved. Get your legal team involved. Don’t just rely on your general business legal counsel. You need somebody who really understands tech law and how it’s applied. Also look at employment law as well, because in certain states you can do things with employees you can’t do in other states.
For example, how do you deal with break time or with leave? Do you disable somebody’s access when they’re on leave so that they can’t claim later that they weren’t really on leave because you made them check their e-mail?
Terry: You have to be sensitive to data being removed from your controlled environment. Put policies in place that say, “Don’t download docs.” You can’t always prevent it, but you can have a policy in place that says if you do this, we’ll terminate you.
There are clever ways you can control data at very low costs. A lot of the Google and Microsoft Office solutions are very inexpensive for small business. And using those can help your business efficiency as well as improving your security position.
What training should organizations be offering remote workers?
Terry: Don’t assume people know the control measures you have in the office. I guarantee they probably don’t. And if you have teenagers, I know doggone well security is probably the last thing on anybody’s mind at the house.
Don’t assume that workers’ home systems are patched, that they have a good antivirus solution or that their router is locked down. If you can’t control that physically, then you have to do it through policy and training.
If you don’t have a formal training program, leverage one like KnowBe4. In my last organization, we sent out a newsletter with best practices to leverage with your family. Give it to mom. Give it to the kids. Show them things to do to be safe at home.
I would be sure to use some specific social engineering training in there.
Dave: The best scams? You won’t see them coming. The best con men are the ones you trust and believe. That’s where people get taken for big, huge scores. Train your employees so they understand they’re under attack and being targeted.
What are some new social engineering threats you’re seeing?
Terry: Sadly, some of the things are playing on human nature. At a company in the Middle East, one of their young IT members was blackmailed for his credentials by an e-crime group because they hacked into his home computer and found illegal material on it. In the end, he was caught both for giving up his credentials and for having the illegal material on his computer.
You’ve seen deep fake videos. Well, there’s enough of my voice samples out there that you can string together a deep fake of my voice, and it will sound like a nearly normal conversation. Let’s say one of my subordinates gets a call from me where I say, “I need you to wire this money for a merger and acquisition conversation we’re having, and I need you to do it by end of day today. Don’t let me down.” Click. My team should know the business process is to send a text or e-mail to me validating the request. Conversely, if I get a text or e-mail, I pick up the phone and confirm it.
With those two-party check systems, a lot of the social engineering stuff comes apart.
What new technologies have the most potential for helping us spot emerging threats?
Dave: We’ve relied a lot on patterns in the past. Those are still useful. But we need to start looking more at user entity behavior analytics. What’s outside of the normal pattern? Maybe I just got an e-mail from Terry, but I’ve never gotten an e-mail from Terry before. The content of that message is that he’s asking for a specific transaction. That makes it a greater risk. So now I can assign a risk score that says this e-mail from Terry is really high risk, so we need to evaluate it.
It’s also about patterns on devices. If a device usually comes in through this API and accesses this data, but all of a sudden it tries to access other data or comes through another API, all of these things can increase the score of the riskiness of that behavior. How do I analyze that? What threat patterns do we have?
The machine learning and AI that can predict some of that are very much in their infancy and won’t change the world tomorrow. But there are some really good prospects for how we can start seeing these behaviors in a new light and not rely on humans’ little hairs on the backs of our neck going up.
What is your biggest concern over the next 3-6 months?
Dave: Distractions. People don’t know what they’re doing with their kids in terms of school. They don’t know if they’re ever going back to the office. They don’t know if the temporary processes they’re struggling with now will remain. All of those distractions take us away from security stuff.
Terry: Small businesses, especially, were already under pressure from the economic impact of COVID. Ransomware attacks and the prevalence thereof will put way more of them out of business. The average ransom last year was $63,000. If you add in remediation and containment costs, most small businesses will never recover from that.
I don’t think time is on our side. Now is the time to come together as a community. We always give lip service to it. But we’re still fighting in our own foxholes, and the enemy plays across that entire infrastructure.
What are you optimistic about?
Dave: I think the same thing that’s made it difficult is the same thing that will make it better. When things are going well, there’s this idea of “Let’s not change what’s working.”
It typically takes some kind of catastrophic event for businesses to stop and say, “Where do we go from here?” No one was willing to upset the apple cart before. Now business leaders are saying, “If I’m facing a massive transformation, let’s put it all on the table.”
Terry: I agree: Never let a good crisis go to waste. This is going to force us to accelerate things we’ve known about for a long time. Zero trust architectures are not new. Multifactor authentication is not new. Distributed environments are not new.
In the larger sense, I’ve always been impressed by the human spirit’s ability to endure and overcome the greatest hardships. It’s time for us as a community to do more sharing and communication and be less risk-averse about sharing communication across party lines. But at the end of the day, this too shall pass.