The Security Threat from Remote Work
Government users who are working remotely pose a significant security risk for agencies. They increase the threat surface via the endpoints they use and how they use them.
First, users could be working on personal laptops and smartphones, which are not known for having the baked-in security controls that come with government-issued equipment, says Alan Shark, executive director of the Public Technology Institute. Users might also be conducting potentially confidential or sensitive work on unsecured home networks while using those devices. Those devices may be shared by other members of a user’s household, which brings its own set of risks since that behavior cannot always be controlled.
“And it’s like the coronavirus,” Shark says. “I mean, it may not be you. You may have good digital hygiene, but somebody else in your family may not.”
Users may also be more susceptible to social engineering or phishing attacks when they are at home. “You have people that transit between personal information and personal emails and work emails, and I think they become a little more lax and they don’t maintain that sense of discipline that they might have in an office, which is always a challenge anyway,” Shark says.
Malicious actors are also sending out more COVID-19-related emails that may look both urgent and official.
Some of these threats can be countered by having users log in to government networks via a VPN, or by using virtual desktop infrastructure (VDI), which gives workers secure access to the applications and data on a desktop from any approved endpoint with a network connection. VDI is especially beneficial if users have a strong broadband connection, Shark says, but a slow connection can lead to a degradation in service.
Mobile hotspots running on a cellular connection can allow users to connect to the internet more securely, according to Shark. Multifactor authentication is also a tool that agencies should employ to enhance endpoint security, he adds.
Finally, agencies should engage in aggressive patch management and ensure that users are actually applying software patches on their endpoints. “There needs to be a set of checks and verifications to make sure that the machines are not just eligible for these updates but that they are actually being done,” he says.