Guest Column | June 4, 2020

COVID-19, Security, And Remote Workers – Common Myths And Misconceptions

By Vikram Chabra, NetEnrich


With COVID-19 stay-at-home orders still in place in many states, remote working has become the beginning of what will be the ‘new normal’ in the post-pandemic world. Given this, remote security should be at the top of every organization’s priority list.

Yet there remains a long list of common myths and misconceptions about remote worker security. It’s easy to see how and why this can happen, especially in a world where staff went from working on-site to working from home practically overnight. But businesses must make themselves aware of what these myths and misconceptions are, and address them with the urgency they require.

The list is long, so below are the five most pressing.

Zoom Meetings Are End-To-End Encrypted

Video chat has exploded into people’s lives over the last couple of months. What was until very recently used mainly as a meeting tool (with a video function that people often tried to avoid) has suddenly become an essential part of our everyday lives – both for work and recreation.

And the video app of choice has turned out to be Zoom. But many people are still operating under the misconception that Zoom chats are end-to-end encrypted when they are not. Many privacy issues have come to light, such as Zoom’s iOS app sending data to Facebook without explicit user consent. While this issue has since been rectified, people are still operating under the encryption misconception when it comes to Zoom and other video conferencing apps, some of which are end-to-end encrypted and some of which are not.

VPN Solutions Will Work Seamlessly

Another common misconception that remote workers are operating under is that VPN connections will work and that there will be sufficient bandwidth and licenses for VPN solutions. This may not be the case because VPN has always been something of an afterthought.

Until COVID-19 took over our everyday lives, VPN was generally used in special scenarios where someone needed to work remotely or outside their usual working hours. Because of this, housekeeping, maintenance, management, and administration of VPN are not very effective. Organizations don't have dedicated people to handle those things. VPN requires a lot of bandwidth and adequate licenses, and suddenly, with millions of us working from home amid the pandemic, everybody is trying to use VPN, which means issues with bandwidth and licensing that we just hadn’t thought of.

VPN Solutions Are Secure

VPN solutions also lend themselves to a common remote-working security myth – that VPN solutions are fully secure. They aren’t. Generally speaking, we don’t see day-to-day housekeeping of VPN servers, such as patching. Compounding this, organizations are often not on the latest versions of their VPN.

This can mean a remote, unauthenticated user may be able to compromise a vulnerable VPN server and gain access to all active users and their plain-text credentials. Also, such an attacker may be able to execute arbitrary commands on each VPN client as it successfully connects to the VPN server.

Given this, and now that VPN has suddenly become so popular – and is likely to stay that way in the post-pandemic world – we need to make sure that VPN solutions are up to date and patched so that hackers don’t see VPN as an easy vehicle through which to conduct an attack.

Personal Device Security Is Equal To Company Device Security

In some ways, it seems so obvious that personal device security is often a far cry from company device security, yet so many organizations allow personal devices to be used for company business without a second thought for security.

It’s a challenge even during normal times for remote security to be implemented on any personal device that might be used for company business, but during these extraordinary times where companies had to set staff up to work from home overnight in many cases, it’s an understandable oversight.

Still, it’s an oversight that can have catastrophic consequences if not addressed. Firms must implement two-factor authentication, content filtering, identity and access management, encryption, auto backups, authentication, and security monitoring on any personal device being used for company business.

These are some of the things that you'd see in a typical corporate network but that we don’t see on personal devices; it’s a long and dangerous list of disparities creating a myth of security that isn’t there.

Remote Workers Always Know How To Spot A Suspect Email

They don’t, and this is particularly problematic in the current situation, given the massive rise in phishing and spam emails since the COVID-19 situation took hold.

And with the majority of organizations currently running their staff remotely, this problem is only magnified. The pandemic is giving rise to a huge amount of fear, uncertainty, anxiety, sympathy, greed, and disorder, meaning clarity is easily taken advantage of.

This makes phishing emails even more effective because our defenses are down and we are sitting alone at home with no one to bounce ideas off, ask immediate questions of, or get opinions from. We are vulnerable right now, and hackers know it.

Companies must stay on top of the latest emerging and advanced phishing attacks and stop operating under the myth that their remote teams are going to be able to spot a suspect email every time. They probably won’t.

About The Author

Vikram Chabra is director of the cybersecurity practice at NetEnrich.