How to Secure a Digital Workplace

Posted 3 months, 2 weeks ago

The rapid spread of the coronavirus around the world is causing lightning-fast changes in almost all areas of our lives, and it can be hard for even the most diligent newsreaders to keep pace. As with any volatile situation, hackers are exploiting the fears and confusion over the virus to perpetrate phishing scams and gain access to sensitive information—but this isn’t a typical, run-of-the-mill crisis: on the one hand, things are so serious that some hackers have actually promised not to launch new ransomware attacks against any healthcare targets during the pandemic—on the other, the US is warning of an ‘unprecedented’ wave of coronavirus scams already in the works.

All of this complicated by the fact that attackers have wider threat surfaces to target than ever. As companies transition to remote work across the board due to various stay-at-home and shelter-in-place orders, the digital workspaces being employed by companies of all sizes are about to get a major stress test. It’s one thing to plan a deliberate rollout of new security measures and applications in order to get your workforce ready for increased remote work—it’s another matter entirely to transition to a digital workplace on a moment’s notice. Companies have had to dive into new realities with both feet, and figure out the security end of the equation after the fact.

This means that it’s absolutely never too late to ask the question: how can businesses have employees working from home in a way that optimizes security and decreases the risk of a data breach?

Security Challenges in Remote Work

Any sysadmin can tell you that maintaining security for a distributed team is easier said than done. Keeping your attack surface small is difficult enough when everyone is in the same place and good digital hygiene is easy to enforce. Once your users start going remote, things get even harder. Why? For starters:

Wi-Fi security: Users might be checking their email and performing other work-related tasks on their own personal wi-fi, which may not be up to IT’s standards. If a user’s router is still set to the factory default password, for instance, a hacker could easily snoop on their web traffic. If they work on public wi-fi, that risk only increases.
Device security: For one reason or another, an employee working from might be more inclined to do some of her work on a personal computer or smartphone instead of whatever corporate-issued devices may be standard. These devices might not be receiving regular security updates, and in fact they might already be compromised by malware like keystroke loggers or other malicious software—meaning that hackers can get a bead on corporate activities through these unprotected or compromised devices.
Physical security: If your office has some sort of access control (as most physical offices do by necessity), an unattended laptop might not be a huge security vulnerability. But an unattended laptop in a coffeeshop? That’s an obvious recipe for disaster—and a completely plausible occurrence for a distributed team that hasn’t been educated on digital best practices.

Many of the other challenges you’ll face are the same ones that you run into regardless of whether your users are working remotely or not—save for the fact that compliance and oversight are made much more difficult by decentralization. For instance, it might already be your corporate practice to encrypt your email traffic, but if users are reading and sending messages from their personal devices your encryption measures might not cover your users effectively. Identity management for encryption for users is difficult enough under the best of circumstances. To wit, in a recent survey, 74% of respondents said their companies don’t even know how many keys and certificates they have—to say nothing of where they are and which ones are expired.

Digital Workplace Best Practices

So, what can you be doing to make your digital workplace more secure and decrease the potential for data breaches, business email compromise, and fraud while your users are working from home? We’re glad you asked—there are a handful of best practices that can help you form the foundation of a more secure remote IT environment:

Access control: Turn on two-factor authentication for your users, so that even in the case of a compromised password an attacker couldn’t necessarily access any private information. If you have a single sign-on (SSO) for a suite of applications, two-factor authentication can be especially important.
VPNs: VPNs are a fairly typical strategy that businesses use to improve cyber-security for remote workers. This allows users to access your corporate network remotely, in order to decrease the risks inherent in using public or private internet connections. Though these can be important tools, to make this strategy truly effective, you need to find a VPN that doesn’t slow down users’ connections too much and doesn’t feature an irritating or unworkable UI.
User education: Of course, when it comes to cyber-security matters, a little education sometimes goes a long way. Whatever your particular concerns are, it’s important to let employees know about them and give them concrete steps for how to mitigate risk. This might include trainings and awareness campaigns that raise users’ collective IQs about phishing, or it might be as simple as laying down strict guidelines for device and network usage.

Are These Best Practices Enough?

As a starting point, best practices like these can help you set up a remote working environment that won’t add additional cybercrime risks to your operation. But they’re an incomplete solution without end-to-end encryption for all corporate communications. Real, robust end-to-end encryption provides three benefits that are especially crucial when your workers are adapting to new realities:

Confidentiality: Nobody can read your messages other than the recipient.
Integrity: Nobody can change or alter your messages and attachments.
Authenticity: Nobody can impersonate you or any of your connections.

When the risk of malicious actors snooping on users’ web traffic is higher than ever, confidentiality is of the utmost importance. By the same token, users working with networks or devices at home that are already compromised or compromise-prone make integrity and authenticity incredibly important. Why? Because if you can be sure that you’re communicating with who you think you are, and that you’re reading messages that haven’t been altered, only then can you be sure that you’re not falling prey to man-in-the-middle (MITM) attacks or Business Email Compromise (BEC) attacks. With that possibility removed, you can conduct your business remotely with much more confidence—knowing that your team isn’t going to get taken in by scammers or fraudsters and your information isn’t going to leak.

Unfortunately, this seems to be a huge pain point for most organizations. Even without the specter of remote work looming above various operations, the state of corporate email encryption is abysmal. The same report cited above found that fewer than 4 in 10 respondents felt that their organizations had enough IT and security staff to effectively manage PKIs, with generalized confusion as to where the responsibility of PKI management even lies. As such, nearly three-quarters of surveyed organizations reported dealing with unplanned outages and downtime as a result of a result of mismanaged encryption certificates. If this represents the state of encryption management in a time when there’s no global pandemic to speak of, it’s difficult to imagine that these same companies would be able to successfully secure a digital workplace.

The Power of Automated Email Encryption

The preceding paragraph might have seemed a bit bleak—but we assure that not all hope is lost. It is possible to manage PKIs successfully–or even better, to operate securely without a PKI—without laying out a large number of operational resources, just as it’s possible to give your remote users a secure foundation on which to build out their other best practices.
How, you ask? Simple: automation. By taking the human element out of key management entirely, you can greatly reduce, or even eliminate, the manual effort that stymies most corporate attempts at end-to-end encryption. What might this look like in practice? Here are few things to consider:

With direct, decentralized, fully-automated peer-to-peer encryption, you can make encryption processes invisible to your users (and either eliminate or integrate your PKI). Their public and private keys are stored and managed automatically, and they only notice that some emails are flagged as “secure and trusted” and some aren’t.
This level of automation can and will greatly increase compliance, since there will be no extra effort involved. Compliance will improve even further if identities can be maintained across devices, such that users working from home can switch to any device on which the encryption solution has been installed.
If the text of every communication—regardless of medium—for every corporate user is encrypted, the threat of email phishing even in a remote environment goes down precipitously. If documents and attachments were also encrypted automatically, you’d see the same drop in risk regarding document-based attacks.

As you can imagine, the features we’ve been outlining above would be indispensable to a secure digital workplace—especially if they were part of turnkey solution that put very little strain on sysadmin resources.

How p≡p Security Keeps Your Remote Workers Secure

When it comes to managing a digital workplace, p≡p for Email helps you lay a strong foundation of automated encryption. This means completely seamless integration, automated key management that’s invisible to users, and a structure that allows for the same “identity” to be maintained seamlessly across multiple devices. It’s fully decentralized, open source, and peer-to-peer, and it requires no special skills to use or install. Whether your team is centralized within the same office or spread across the globe, you can use p≡p to enable users to establish trusted communication channels and remove the guesswork from avoiding things like email phishing, CEO fraud, and business email compromise.