Why implementing remote working all at once is bad for IT security (and what to do about it)
The Covid-19 crisis has upended life as we know it in innumerable ways, from sports leagues temporarily shutting down, to international borders tightening, to organizations asking people who can do so to work from home en masse.
It’s all part of a society-wide attempt to flatten the curve and reduce the “R0” of the virus. And though it has resulted in widespread economic pain in many quarters, there’s a growing body of evidence that this approach is working from a public health perspective.
For many companies, though, this unplanned and significant shift to a remote workforce has been fraught with problems, mostly due to a lack of preparation time.
While some organizations had already kitted out staff with corporate laptops, their infrastructure wasn’t ready for everyone to work from home all at once. Some were left scrambling to procure, image and distribute enough machines to keep their workforce secure and productive from home. Others had to connect employee home computers to mission-critical systems via residential broadband and legacy virtual private networks (VPNs) – again, not ideal.
Still others have looked at beefing up their infrastructure using desktop-as-a-service (DaaS) or virtual desktop infrastructure (VDI) options to keep staff up and running.
The alternative, experts say, is a steep drop in security and productivity.
“If an organization hasn’t planned for large scale remote access,” explains Matthew McCormick, Titus director of Product Management, “things can grind to a halt pretty quickly.”
Sending everyone home at once can lead to big problems
Not all companies were completely caught out by the current work-from-home wave.
Remote work was a growing trend before Covid-19, after all, with the rate in the U.S. growing 173 per cent from 2005 to 2018 (compared to just 11 per cent for the rest of the workforce).
Companies like Twitter, for one, had already announced a distributed workforce initiative in February largely for what it said were competitive reasons.
Some companies, clearly, were better prepared than others.
For those who weren’t, diving into the deep end of the distributed teams pool immediately created several profound security issues:
- The lack of a network security perimeter among many improvised work-from-home setups means the likelihood of unauthorized sensitive data leaving the organization has skyrocketed, while employees using home computers connected to the web and personal cloud accounts almost certainly don’t have enterprise-grade security tools.
- The use of personal computers and cloud accounts to save sensitive corporate information has likely also gone up, along with the practice of emailing company files to personal email accounts, simply because employees are more apt to ignore security rules during a crisis to keep their productivity levels high.
- Residential WiFi networks and routers commonly found in most homes are more easily compromised than the enterprise-grade equipment in offices, increasing the risk of exposure and inadvertent leaking of corporate and customer data.
- The mass use of corporate VPNs, rarely robust enough to match the growth in the remote workforce accessing the network, is leading to productivity bottlenecks which further complicate data protection. Most VPNs are also relatively insecure.
- The volume of email and instant message exchanges taking the place of face-to-face conversations has also increased, raising the likelihood that more sensitive corporate data and PII is being included in email messages.
- The skyrocketing use of video conferencing tools by remote employees brings its own set of security issues – like what happens when an employee mistakenly shares a secret document on their screen.
Although some companies initially papered over these and other issues, likely hoping the situation would last just a few weeks, more and more experts see Covid-19 as a catalyst for remote work becoming the “new normal” at many organizations.
That means that not only do most companies need to address these issues in the short term; they also must implement solutions with long-term feasibility.
Why email is suddenly more important than ever
No matter how many of these problems companies run into, the fact remains that remote work right now is ballooning: According to media reports, more than 1.5 billion people across the world are currently working from home (either by choice, or by decree).
Because the average office worker sends roughly 40 emails per day during a typical week, that equates to a global risk of around 60 billion emails every day that could contain sensitive information.
To put it in perspective, that means that a company with 1,000 remote employees is risking at least 40,000 emails per day that could contain sensitive or personal data.
It’s also safe to assume that, in the absence of face-to-face communication, many workers are now sending more emails than usual. Because residential broadband networks in many regions are groaning from increased traffic, technical glitches from video conferencing apps are no doubt leading to an even more profound reliance on email.
Indeed, the reality is that now more than any other time in history, email has become the primary method of business communication. As it steadily increases in velocity and importance, organizations need to take extra precautions to keep it secure.
Data classification: Meeting the challenge by knowing your data
To meet this challenge, companies working feverishly to secure their IT perimeters must also stay focused on keeping their everyday business data as secure as possible – both for security and compliance reasons.
After all, data at creation (especially in email) often presents the greatest risk of something bad happening, simply because it’s so difficult to keep outgoing email content secure in real time without totally disrupting business users.
That’s why it’s imperative to balance the value/risk equation by keeping potential user disruption in mind, so organizations can minimize the risk of data breaches or exposure of sensitive data without productivity grinding to a screeching halt.
But achieving this starts with knowing your data intimately.
Organizations can deploy data security automation software tools that use machine learning to automatically identify where their data lives, evaluate its sensitivity, and then apply appropriate rich metadata to documents.
This metadata, in turn, activates their downstream security ecosystem when sensitive data is flagged.
And the best part? All this data discovery and classification for sensitive data can be automated, running in the background without end users being involved.
Companies can further improve their data protection strategies by proactively keeping data loss prevention top of mind among remote staff, something typically achieved through posters or lunch and learns at the physical office.
Data security products can automatically remind users to be careful every time classified sensitive data is created, shared or otherwise handled (even outright blocking that data’s dissemination to unauthorized parties, if necessary), extending a company’s security awareness program to even the most remote home office.
How Titus helps keep PII and sensitive data safe
One way Titus has helped organizations looking to identify and assess all that data created, shared and consumed via email is through Titus Classification Suite for Windows, Office 365, Outlook Web App, or G Suite.
It allows businesses to maintain optimal data security regardless of the device used, by informing users and policies through a flexible and customizable classification metadata schema on what information should be secured and how it should be handled.
Titus Accelerator for Privacy, on the other hand, uses deep learning to examine emails and files at the point of creation, automatically identifying personal data and applying protection where appropriate.
“Titus software is made for this situation,” says McCormick. “We don’t care how people are working. We’ll protect the data based on corporate policy. The fact that people are suddenly working remotely doesn’t matter so much to us.”
These are exceptional times, but the Titus solution remains steadfast – and considering the Wild West-style remote work scenarios playing out across the world, perhaps more important than ever.
Whether your users prefer a Mac, a PC, a thick client or a thin one, Titus has the data classification tools to minimize the risk of data breaches or inadvertent exposure of sensitive data – whether your workers are located down the hall, the other side of town, or in another country.