By Urpo Kaila, Head of Security at CSC
The clear line between work and our own time disappeared a long time ago. Only few of us keep work related matters in a well-defined box of time, place, people, and tools. Instead, we bring work to our home and process work related issues almost constantly, over email, chat and in web services.
As we know, the covid-19 pandemic has given a further boost to remote work worldwide. In the job market, the opportunity to work remotely is often considered to be a huge benefit. By working remotely, you can avoid tedious commuting, participating physically in unnecessary meetings, and focus on your actual job task. A good team spirit and a feeling to belong in a community has partly diluted despite fancy (but open-space) premises and smooth talks about company spirit and values.
Whether we like it or not, I think there has been a permanent global shift to work more remotely. I did also myself, for reasons which I cannot identify, hesitate for many years to work partly remotely. The covid-19 restriction gave me the little push I needed. I have since been mostly working from my little cabin in the northern parts of the Bromarv municipality in Southwestern Finland and absolutely love it! Very good 4G connectivity, an ultra fast fibre connection coming next year (IF the EU kindly decides to grant financial support to the project) and the woods and the sea directly accessible from my front door. Now when we return back to normal, I too need to figure out how and where I want to live.
However, behind every cloud there is another, darker security cloud. Our security frameworks and security requirements still live in a world where staff is behind company or university firewalls in more or less secure premises. The big shift to cloud services, which from the security point of view means an irrecoverably outsourcing your data to American IT providers, has already changed the picture on server side. Remote work means that organisations lose at least partly the control of the client side and of the premises.
Security is about managing risks and balancing security against usability in a sensible manner. This covers organisations, but it also covers you when you’re are working remotely and have more control and responsibilities to protect your account and your data.
Let’s start with the most common risks in remote work. The basic and fundamental security routines are the most important, just as hospitals will fail if their staff don’t wash their hands over and over again.
If your work includes handling personal data and providing services to customers, users or clients (this covers almost all lines of work), the first thing to check is that you use a secure and up-to-date workstation, also in your home. Do not mix work and pleasure, but rather have another workstation for games, social media and for your family. If you work with sensitive data, be very restricted to use your work-workstation for other purposes. By default, for professional purposes the workstations should be administered by an organisation, self-managed workstation with local admin and root or su (superuser) rights pose always a risk and do not comply with requirements for processing sensitive data.
Your home network is also at risk. Home routers and home WLANs can often be easily compromised, and smart IoT devices in your home disclose data. Use sturdy and unique passwords (> 14 characters), close public access to your demilitarised zone, and use your VPN connection for all work related matters, if possible.
The other obvious, but continually ignored risk is to protect your data from unauthorised eyes and ears. When travelling or visiting public places, I constantly overhear discussions which I definitely would not like my provider be babbling in public about my company. Protect your screen with a privacy filter and do not open or discus non-public matter in public places in the first place! Also remember that your beloved spouse and children must also not know about your work data, however much you trust them. Your dog or cat are in a kind of a grey area, perhaps you can disclose some details to them. Nu’ff said.
Also remember that technology has changed the battlefield and the need for situational awareness on data leaks. Many people today use smart noise reducing earplugs when working in public or shared location. These headphones reduce noise but improves greatly the audibility of talk, making it possible to overhear discussion from quite a long distance, as a security officer from one of a national research centre just told me. I own semi-smart headphones for grouse hunting, to be able to notice a bird behind the bush. Never had I thought that these could be used for cyber espionage as well.
Finally, do not ever do the classical blunder of talking with earphones loudly about business matters in public places. Everybody hears you, you make a fool of yourself and your employer and you break the law, contracts and the trust of your clients.
Workstation – check protection of your data against eavesdropping or tapping – check. What about protection of your identity and your account?
The most common path to compromise your data is to hijack your account and your credentials. There is always a catch in the current unprecedent wave of phishing attacks, there is always somebody who swallows the snake-oil offer in the phishing emails and open the door to the data. Therefore, at least separate as much as you can, internal work and any activities on the web. Use at least different browsers for different purposes (one for work, another for work related web usage, and perhaps a third for checking news or your private emails).
As the old saying goes, at free services on the internet, you are not a customer but the pig to breed and to be sold on the markets for personal data. Read for once the “We care about your privacy” notices on any big web site. Everything your browser discloses about you, and that’s a lot, will be transferred to tens of hundreds of merchants for personal data. I always reject all consent, object to all ‘legitimate purposes’, and reject all transfers or my cookie data to shady media companies. Americans, who are sometimes very straightforward, do not use the cookie euphemism but talk about spy trackers. Do not accept them.
A free password service sounds good but perhaps a little bit too good. I would not use the cloud based password services which comes with browser for work purposes, specially not if you work with sensitive data or with critical IT services. There are transparent applications available for password management, for example KeePassXC. For less important personal purposes I can use the browser provided password service secured by multi factor authentication or well-known and ensured commercial products such as F-Secure Id.
The consequences of your account getting in the wrong hands could be nasty and hurt you and your employer. Phishing messages sent with your credentials, searches of customer data or malicious surveillance or compromise of your infrastructure, just to mention a few.
There are a lot of traps and dangers for our accounts during remote work. Most of them are true also when we are working from our offices, because we carry our private matters with us 24/7. For organisations and for my security peers, supporting their staff during remote work I would give one piece of advice. Make user-friendly but very clear guidelines about what is allowed and what is prohibited. Try to minimise grey areas.
I am currently evaluating a number of master theses on information security in a yearly contest organised by industry and research. This year we have received some excellent papers on security awareness building. The short version of the message from contemporary research is, that horror stories and deterrence of administrative sanctions are not enough. The carrot is better than the stick also in this case, and the strongest force to ensure security awareness is a good team spirit, commitment, professionalism and work ethics.
Few of us can or want to work in a bunker and under a cone-of-silence when working remotely. There will always be risks but we must cope with them in a responsible and sensitive way. Make your remote work secure, but enjoy also the benefits of remote work.
However, at some point in time, when we have the covid-19 properly under control, it would also be nice to meet in the real world, in person, face to face.
About the author
Urpo Kaila (CISSP, CISM, GCIH, GCED, CIPP/E) is a seasoned Head of Security at CSC – IT Center for Science Ltd. Urpo has handled many incidents of many types and managed a lot of crises. He is a member of the steering committees of SIG-ISM and WISE and also participating in EOSC Future and LUMI Security Interest Group.
Also this year GÉANT joins the European Cyber Security Month, with the 'Cyber Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package on https://dev.connect.geant.org/csm2021