Cybersecurity When It Comes To Remote Work Means Zero Trust
Source: COGNITIVE WORLD on FORBES
A conversation with Alex Willis, BlackBerry’s Vice President, Sales Engineering and ISV Partners
This week, more companies are sending their employees home as the coronavirus spreads across the United States. As the World Health Organization declared the current crisis a pandemic, schools are closing in the United States. As remote work becomes the norm for employees and companies, an important discussion taking place in IT organizations is the one around cybersecurity.
Whether or not your organization has an extensive cybersecurity initiative for a crisis such as this pandemic, there are things that you can do now that your employees are working remotely.
You can use this opportunity to increase cybersecurity awareness across your organization.
This week, I had the pleasure of speaking with Alex Willis, BlackBerry’s Vice President, Sales Engineering and ISV Partners, to understand the issues around cybersecurity when it comes to remote work.
In today’s world, the remote worker needs to be able to do everything they can do from their desk if you want your organization to remain productive and competitive. Users won’t accept anything less, so it’s also a retention strategy. But, allowing employees to access critical business systems and data from machines and networks you don’t manage or trust means the risk grows exponentially.
Alex Willis, BlackBerry’s Vice President, Sales Engineering and ISV Partners
What should companies be concerned with when it comes to remote working?
There are different categories of remote working. First, you have remote working with corporate laptops that are managed by the organization. The organization has an understanding of the security posture and they have controls in place. Then, you have remote workers who are working on their own machines. I think it boils down to two things around security. There’s endpoint security, making sure that the endpoint itself, whether it’s a laptop or an iPad, has the right security base so that hackers can’t steal data or use that machine as a conduit to the corporate network. The other area is around data leakage.
Organizations need to prioritize the security of their data and where it’s going. You don’t want data leakage, either intentional or unintentional. There’s more than one way data can be leaked. Users often engage in risky behavior to simply get their job done – for example, forwarding a corporate email with attachments to a personal email account for easier editing or printing on a home computer. Now that attachment is sitting exposed on a personal computer that could be infected with malware. And unfortunately, sometimes users leak corporate data intentionally. Both of these scenarios are manageable.
What is the Zero Trust Principle in cybersecurity?
One of the core principles in cybersecurity that’s taking shape these days is around zero trust. That’s how companies can provide a much higher level of security and if done right, can provide a much better user experience.
The Zero Trust tenet means that from the start, every action is not trusted. In a Zero Trust model, in addition to authentication, there’s constant monitoring to ensure abnormal or risky behavior is identified immediately and remediation steps can be taken. Monitoring includes how users interact with an application, from what network, from what device, during what time of day and other variables. Using artificial intelligence and machine learning, a behavioral profile can be built for each user. It’s important to monitor that so that you can identify unusual circumstances and the only way to effectively do that is with artificial intelligence so that remediation can happen at the speed of computers.
Passwords are not enough. Even multi-factor authentication is not enough because once authenticated, you’re in. After successful authentication, you need to constantly monitor the device, the network, the application and the data. The reality is that with each action the user takes, they are being authenticated. Because, at each step, security is looking for abnormalities against a profile that was built about how they do work. BlackBerry Digital Workplace is built on BlackBerry ‘Zero Trust’ architecture. It provides a much better level of productivity. Organizations are happy because it’s a much higher level of security.
When we talk about big data and working remotely, we often talk about Cloud Computing. What are some of the misconceptions that people have about security around Cloud Computing? What can organizations do to secure their data on the Cloud?
If you are using a Cloud or a SaaS solution, you are trusting that vendor with the security of your corporate data. Even if you can, that alone does nothing to protect the endpoints that are accessing that data.
For example, some organizations won’t allow a direct connection to a SaaS resource from a machine that they don’t manage or a network that they don’t control. In these cases, they would require conditional access rules to be in place so that if users want to access the Cloud resource, they have to tunnel through the corporate environment. Now the company can put in place DLP software, filters, antivirus screening, all of those things are in place. So what if you want to expand access to remote workers on home computers? Just because your data is secured by an external company, it doesn’t do anything to prevent data leakage once the data is being used on the device itself, if that machine isn’t also managed.
How much does trust factor into cybersecurity when you trust your employees to work remotely?
Every company has this policy that you can’t share company information with anyone outside of the company. But, in the IT world, it’s about enforcing this. There are two ways to address it. You can address it with HR. If someone uses that data improperly, then they are going to have to answer to HR. They could get fired. Usually, by that point, the deed is already done. It’s too late. IT policies are designed to prevent these actions from happening in the first place. Limit copy and paste, file save-as, export, etc. Sometimes, you can only use data online. You are not allowed to download data. It’s not really about trust here.
Companies of course trust their employees to do the right thing. But, the other problem with just trusting people is that employees don’t always do this on purpose. It’s not always intentional, especially when it comes to data leakage problems. You can trust them. This is a good employee. But, you have to understand that the problem grows when the tools the organization provides don’t give employees the ease of use or everything that they need to do their job. In those cases, the employees will find ways to get their job done. They are not trying to be bad employees. But, that situation then exposes the company to additional risk.
Sometimes, it’s just purely unintentional. They are working on a home machine that’s riddled with malware. They need access to corporate data. For instance, if the company issues a slow laptop to an employee and the employee has to get their job done. Then, they are going to use their home computer that is faster to do the job. In that scenario, the home computer might not be as secure.
In the era of big data, especially when data is used by AI and machine learning, data integrity becomes more critical. In this environment, can you talk about some of the cybersecurity issues that come with trying to maintain data integrity?
One of the core tenets of cybersecurity preparedness is maintaining the integrity of the data. It’s not just that someone can steal the data, someone can also change the data. That’s obviously important for the data we collect from our partners, customers and what we need to do our job. Also, when you get into IoT, now you have devices that are collecting data. It’s not enough just to protect the data in transit or in the backend, you must also protect the device itself so that the data that’s being collected is actually accurate and you can maintain that level of integrity as well.
For the remote worker, you have to make sure that the endpoint is fully protected so that malware and attackers not only can’t steal data but also can’t change it. For instance, financial and healthcare institutions in particular need to be aware that protecting the data also means maintaining the integrity of the data as well.
For medium-sized or small companies that don’t have a sizable IT team, what are some immediate things that they can do related to cybersecurity to enable their employees to work from home?
The size of the company doesn’t matter in terms of cybersecurity preparedness and developing a response plan to cybersecurity. The difference might be that a big company might have a whole team dedicated to cybersecurity and they have consultants working to help them. Regardless of organizational size, cybersecurity planning and response readiness are critical and achievable.
If you don’t have a team and consultants, you can use published frameworks, such as the one posted on the NIST website. They have a framework that anyone can use. It starts with the basics. It’s identifying the networks that you have, who has access to them, what systems are on your network, what’s critical to your business, what applications do you need, what data do they produce, how do you store that data, etc.
One of the key things about developing a good cybersecurity process isn’t about the resources or the team. Cybersecurity is everyone’s job. Even in a small company, if you have your database expert, they have a role to play in your cybersecurity. Your cybersecurity team is not going to know everything about your database if you are the database expert. Even in a small company, you need to bring everyone in from your teams, and you start to put answers in for the cybersecurity framework. Then, you start to understand where you are. Understanding where you are and what your security posture is, you can start to assign tasks to your owners to implement better practices. These best practices are widely documented. Again, go to the NIST website and look at that framework.
Who in your organization should have a cybersecurity mindset and help with implementing the NIST framework?
Not just everyone in IT, everyone in your company has a role to play in cybersecurity. If you are in IT and you manage a system, then you absolutely have a role to play in cybersecurity because you are the one who can document your system expertise and use that to help define accounts, access levels, etc… But, everyone in your company has a role to play, even end-users who are not in IT. They need to be aware of cybersecurity concerns. What does phishing look like? If I think that something is happening, who do I call to notify of such incidents? On the other end, the person who has just received the notification has to have a plan in place to address the situation. This plan has to be developed, practiced, so that when there’s a real event, then nobody has to wonder what you have to do. You can just implement the recovery plan, or mitigation plan or response.
Let’s say that I’m a project manager for a startup. I always log into my company’s network using my home computer. Today, I received alerts on my home computer that said viruses were downloaded on my computer. I use my antivirus software to clean the viruses. But, I honestly cannot be sure if all of the viruses have been removed before I logged into my company’s network. Should I be alerting someone in my company?
We try to mitigate that. It’s going to be difficult for a large organization to provide home IT support for every user. We want to ensure that the machines are protected with minimum effort. This is especially true for medium-sized companies that don’t have large-scale IT support teams. For remote workers, this is a scenario that needs to be documented by the organization: what they would like their end-users to do in such a scenario. If the company doesn’t communicate this, some users might ignore this and just say, “This is not a big deal. My antivirus will take care of it.” Some users might think that this is a big deal and the sky is falling. So, they need to know what is the most productive response. If you document the event and then provide self-service capabilities, remote workers will do it. If what you want them to do is easy, then they are going to do it. So, just make it easy for them.
We can manage very tightly the hardware that’s deployed if the company is the owner of the device. When users bring their device, then at BlackBerry, we provide capabilities to secure the organization’s applications and data such as BlackBerry Digital Workplace without compromising the privacy of the individual.
Alex Willis, BlackBerry’s Vice President, Sales Engineering and ISV Partners
What are the biggest risks of not putting in place a cybersecurity plan for your remote workers?
If you have a data breach, you will potentially be dealing with productivity loss, lawsuits and fines, not to mention the damage it’s going to do to your reputation. So, the risk of not implementing a cybersecurity plan is high. Remember, much can be done to prevent breaches, but nothing is 100%, so a cybersecurity response plan is absolutely critical to mitigating these risks, shortening the duration and getting back to productivity.
In the age of innovation, what has changed in the cybersecurity landscape?
We now have an array of technology that wasn’t available before. This gives the ability to provide much faster and much more capable tools. On the cyber side, the main difference is artificial intelligence. Not only are companies like BlackBerry using artificial intelligence to provide preventive or protective measures, the bad guys are using AI, too. If the hackers are using AI to search for vulnerability, it will be difficult for humans alone to keep up with that. So, it’s important to use AI to counter these types of threats. For example, nowadays, the power in my iPhone is greater than the power in my laptop, right? Of course, I’m going to want to use that power. Now, for companies, we have to worry about the exposure and the risk that extending productivity beyond email creates. That’s manageable. We have tools today to do that.
Jun Wu is a Hybrid Journalist for Technology, AI, Data Science. She has a background in programming and statistics.