Posted 3 months, 2 weeks ago
The rapid spread of the coronavirus around the world is causing lightning-fast changes in almost all areas of our lives, and it can be hard for even the most diligent newsreaders to keep pace. As with any volatile situation, hackers are exploiting the fears and confusion over the virus to perpetrate phishing scams and gain access to sensitive information—but this isn’t a typical, run-of-the-mill crisis: on the one hand, things are so serious that some hackers have actually promised not to launch new ransomware attacks against any healthcare targets during the pandemic—on the other, the US is warning of an ‘unprecedented’ wave of coronavirus scams already in the works.
All of this complicated by the fact that attackers have wider threat surfaces to target than ever. As companies transition to remote work across the board due to various stay-at-home and shelter-in-place orders, the digital workspaces being employed by companies of all sizes are about to get a major stress test. It’s one thing to plan a deliberate rollout of new security measures and applications in order to get your workforce ready for increased remote work—it’s another matter entirely to transition to a digital workplace on a moment’s notice. Companies have had to dive into new realities with both feet, and figure out the security end of the equation after the fact.
This means that it’s absolutely never too late to ask the question: how can businesses have employees working from home in a way that optimizes security and decreases the risk of a data breach?
Any sysadmin can tell you that maintaining security for a distributed team is easier said than done. Keeping your attack surface small is difficult enough when everyone is in the same place and good digital hygiene is easy to enforce. Once your users start going remote, things get even harder. Why? For starters:
Many of the other challenges you’ll face are the same ones that you run into regardless of whether your users are working remotely or not—save for the fact that compliance and oversight are made much more difficult by decentralization. For instance, it might already be your corporate practice to encrypt your email traffic, but if users are reading and sending messages from their personal devices your encryption measures might not cover your users effectively. Identity management for encryption for users is difficult enough under the best of circumstances. To wit, in a recent survey, 74% of respondents said their companies don’t even know how many keys and certificates they have—to say nothing of where they are and which ones are expired.
So, what can you be doing to make your digital workplace more secure and decrease the potential for data breaches, business email compromise, and fraud while your users are working from home? We’re glad you asked—there are a handful of best practices that can help you form the foundation of a more secure remote IT environment:
As a starting point, best practices like these can help you set up a remote working environment that won’t add additional cybercrime risks to your operation. But they’re an incomplete solution without end-to-end encryption for all corporate communications. Real, robust end-to-end encryption provides three benefits that are especially crucial when your workers are adapting to new realities:
When the risk of malicious actors snooping on users’ web traffic is higher than ever, confidentiality is of the utmost importance. By the same token, users working with networks or devices at home that are already compromised or compromise-prone make integrity and authenticity incredibly important. Why? Because if you can be sure that you’re communicating with who you think you are, and that you’re reading messages that haven’t been altered, only then can you be sure that you’re not falling prey to man-in-the-middle (MITM) attacks or Business Email Compromise (BEC) attacks. With that possibility removed, you can conduct your business remotely with much more confidence—knowing that your team isn’t going to get taken in by scammers or fraudsters and your information isn’t going to leak.
Unfortunately, this seems to be a huge pain point for most organizations. Even without the specter of remote work looming above various operations, the state of corporate email encryption is abysmal. The same report cited above found that fewer than 4 in 10 respondents felt that their organizations had enough IT and security staff to effectively manage PKIs, with generalized confusion as to where the responsibility of PKI management even lies. As such, nearly three-quarters of surveyed organizations reported dealing with unplanned outages and downtime as a result of a result of mismanaged encryption certificates. If this represents the state of encryption management in a time when there’s no global pandemic to speak of, it’s difficult to imagine that these same companies would be able to successfully secure a digital workplace.
The preceding paragraph might have seemed a bit bleak—but we assure that not all hope is lost. It is possible to manage PKIs successfully–or even better, to operate securely without a PKI—without laying out a large number of operational resources, just as it’s possible to give your remote users a secure foundation on which to build out their other best practices.
How, you ask? Simple: automation. By taking the human element out of key management entirely, you can greatly reduce, or even eliminate, the manual effort that stymies most corporate attempts at end-to-end encryption. What might this look like in practice? Here are few things to consider:
As you can imagine, the features we’ve been outlining above would be indispensable to a secure digital workplace—especially if they were part of turnkey solution that put very little strain on sysadmin resources.
When it comes to managing a digital workplace, p≡p for Email helps you lay a strong foundation of automated encryption. This means completely seamless integration, automated key management that’s invisible to users, and a structure that allows for the same “identity” to be maintained seamlessly across multiple devices. It’s fully decentralized, open source, and peer-to-peer, and it requires no special skills to use or install. Whether your team is centralized within the same office or spread across the globe, you can use p≡p to enable users to establish trusted communication channels and remove the guesswork from avoiding things like email phishing, CEO fraud, and business email compromise.