Humans and VPNs – some of the biggest remote work risk factors
Human error and VPN vulnerability are among the biggest risk factors in the new remote and hybrid work environment, according to experts addressing a remote work security webinar hosted by KnowBe4 Africa in partnership with ITWeb last week.
The human element in a remote environment
Anna Collard, SVP of content strategy & evangelist for KnowBe4 Africa, said remote and hybrid work was here to stay, with a new survey carried out by KnowBe4 and ITWeb having found that 91% of employers believe remote and hybrid working will continue in future, and 34% saying they would continue to work from home for good.
Collard said remote work was raising new concerns about enterprise security, with user behaviour and Wi-Fi networks among respondents’ top concerns.
The human element is one of the biggest security risks in any organisation, she said. “At home, workers can be distracted, they might share devices with family members, and stressed workers revert to heuristic thinking mode, which makes people more vulnerable to social engineering,” she said. “Organisations have to recognise this and equip people with the tools to be more secure.”
Risks around routers and VPNs
Charl van der Walt, Head of Security Research at Orange Cyberdefense, said that while the number of attacks on remote workers had not necessarily increased during the lockdown, and in some cases had actually decreased, there had been some changes as a result of the shift to work from home, with home routers and VPNs bringing new challenges to enterprise security.
Said van der Walt: “This tech, which is critical in our stack, is out of our control. Consumers are using free Wi-Fi or cheap consumer grade tech to access our corporate networks. Those devices are not built with security in mind, and are jammed full of vulnerabilities. And the fundamental point is security practitioners can’t control it. The home Wi-Fi router enjoys an extraordinary level of influence over the user’s devices and operating system.”
“When the pandemic broke we saw massive demand for enhanced services for VPN to protect remote workers, but another shift occurred at the same time – the number of publicly noted vulnerabilities on those devices increased significantly,” he said.
A poll of webinar participants found that 87% did not have any control over their employees’ selection of home routers.
Van Der Walt noted that home routers are typically insecure, or insecurely configured, and are therefore a target for attackers. While the ‘tunnel’ a VPN creates should protect users against threats from an untrusted or compromised access point, out-of-the box and common configurations generally do not address the threats identified when the access point is considered malicious. He said: “If someone else controls the access point, then they can threaten the endpoint.”
Van der Walt said: “We expect VPNs to offer equivalency with the corporate LAN, but we’re not sure that is correct. We tested six products in four configuration states to find out. It showed that off-the-shelf configuration did not mitigate any of the six threats we tested. However, through proper configuration, most of the threats were mitigated."
For enhanced security, van der Walt said new paradigms should be considered, including true zero trust models.
Get the KnowBe4 free security awareness resources for home users here: www.knowbe4.com/coronavirus-security-awareness-resources
Get the Orange Cyberdefense white paper on securing remote workers here: https://orangecyberdefense.com/global/white-papers/whitepaper-securing-your-remote-workers/