Given the situation that many companies, organizations and government agencies have been forced into working remotely due to COVID-19, it is imperative to give some thought about corporate security.

Using a VPN for New Stay-at-Home Workers

Millions of employees are now working from the confines of their own homes in an effort to keep businesses running smoothly. In most situations, employees are told to use their existing laptop computer or are issued one to use at home. They are also provided with a virtual private network (VPN) connection for connectivity to their respective places of employment. This makes for a valiant effort to keep critical corporate, organizational or governmental information secure.

But just how secure is it? VPN connections generally provide a secure, encrypted session to a workplace facility. (Many of these VPN tools utilize two-factor authentication as well.) The VPN connection forces all external communication to traverse the workplace facility before being allowed out onto the “wild” open Internet.

For example, Susan is connected to her corporate email system via VPN, and she receives a legitimate company email with a link to a partner firm that is offering products or services to employees at a vastly discounted rate. Susan clicks the link and is taken to the partner firm’s site over the Internet. This traffic was initiated from Susan’s work laptop over the VPN: using her mail client, she was connected to her corporate mail server. The mail server then forwards the request for the clicked link onto the corporate network and then out to the Internet to complete Susan’s request.

A Lack of Control over Remote Workers

Everything discussed above sounds like it falls within the bounds of corporate security. But what is happening on that company-owned system when it is NOT connected via VPN? What if teleworking employees decide to connect to the VPN only when doing corporate work? What about the rest of the time?

Unfortunately, it is hard to control the work habits of all employees. Maybe this perceived bit of downtime becomes a good time to catch up on fantasy sports leagues. Maybe there are online gaming sites just egging some employees on to visit. Maybe some employees just like the idea of being able to surf the web without Big Brother monitoring their traffic flow. You get the idea.

A Call to a Proactive Security Stance

Many corporations, organizations and governmental agencies took the “proactive” approach and outfitted their company-owned computers or laptops with software that helps ensure those systems remain secure. As a result, they now have the following security-minded resources running on their workstations:

  • Compliance standards and corporate policy that remain in place while systems are deployed away from the safety of the corporate environment.
  • Anti-virus software that helps keep malware off their systems.
  • Tools that monitor critical files, software, running services and much more in a “connectionless state” to ensure their corporate baselines remain unaltered.
  • Solutions that run vulnerability scans on a schedule.
  • Programs that cache “deviations, changes, discovered vulnerabilities and suspicious log events” while off-VPN and forward this activity to the workplace facility at the next active VPN connection.

But many do not. That’s the problem.

Is your company, organization or government agency ready? Can you be counted as one of the “proactive” businesses? Or will you be seen as “reactive”?

In our scenario above, it is conceivable that employees using “unprotected or not appropriately protected” systems will unknowingly encounter malware, or that a bad actor will gain control of the system and adjust policy controls so that software is allowed to run at the next reboot. These dangers have been there for years.

So I ask again: is your corporation, organization or governmental agency ready?