It’s been about two months, and there has been a seismic shift in cybersecurity and the workforce in general. Work-from-home was always a long pondered goal of environmentalists and sociologists, but for many it has remained only in the realm of possibility. However, the arrival of the pandemic turned work-from-home into reality – almost overnight. According to a recent Gallup poll, a staggering two-thirds of Americans were working from home in the days before lockdowns starting lifting.
Back in March, articles flooded websites and magazines with handy work-from-home tips, and everyone approached work from home with optimism and gung-ho zeal. But now that we are three months into the pandemic, what are some of the more in-the-trenches takeaways for MSPs?
Work-from-home is here to stay
Many experts believe that a sizable percentage of the workers who headed home will stay at home. Employers will see value in less overhead and less crowded offices. While working from home may have substantial environmental benefits, the changes are causing some tremendous difficulty with cybersecurity.
“There’s a difference between managing the cybersecurity needs of 2000 employees on one or two internal networks, versus the cybersecurity needs of 2000 employees in 2000 different places on 2000 different networks,” says John Gray, a cybersecurity consultant in Las Vegas. “Working from home has created major cybersecurity headaches.”
VPN usage shot up in the early days of the pandemic and, Gray adds that had cybersecurity experts were hopeful that remote employees were adhering to cybersecurity best practices. But while VPN use has become ubiquitous, so has corner-cutting by employees not used to balancing work, screaming kids, curious pets, and chatty spouses along with their work.
Data compiled by researchers at cybersecurity company Tessian reveals that 52 percent of employees believe they can get away with riskier behavior when working from home, such as sharing confidential files via email instead of more trusted mechanisms.
Perhaps more ominous is that the lack of constant monitoring has 48 percent of workers believing that they don’t have to follow cybersecurity best practices.
“I don’t think the vast majority of employees are duplicitous, they are just being lazy and sloppy, which is easy to do in the comfort of your home,” Gray states.
As the economy ramps back up, but employees continue to stay home, MSPs need to spell out the cybersecurity dangers associated with employees working from home.
No one – including MSP owners – wants to hear this, Gray says, but MSPs and IT departments need to make home security audits a priority. As the studies show, cybersecurity corners are being cut, and that is exposing many businesses to enormous risk. People are comfortable at home. If someone is laid-back enough to work in their pajamas at home, it is highly unlikely that they are going to be putting too much thought into 2FA. But if they aren’t, someone needs to. That “someone,” Gray advises, is an MSP.
Home audits
This is a tough issue, according to Gray, you have to respect an employee’s privacy while protecting a company’s data. This is a tightrope walk that MSPs and others have to walk. But you can’t have employees storing proprietary company documents in a home laptop that is riddled with malware.
Some MSPs are rolling out security programs that track and monitor employee cybersecurity practices at home. One such example is Netsurion’s managed SIEM solution, Event Tracker. “Our protection is portable; it travels with you,” says AN Ananth, president at Netsurion, and co-creator of EventTracker. “Still, you don’t have to be a large MSP to use remote monitoring.”
Beyond this, “There are plenty of programs, free and otherwise, that MSPs can use to monitor work from home employees,” advises Gray. “You still aren’t going to mitigate all risk this way, but it provides an additional guardrail.”
Home audits should include voluntary or mandatory remote monitoring of employee’s personal and workplace devices to ensure compliance and best practices.
Best practices training
Three months into the pandemic, one thing is clear: education is vital, it works and is comparatively cheap.
“I ran a cybersecurity-from-home workshop for a small company, and you could see the lightbulbs going on in people’s heads. They weren’t making a connection between the need to bring their cyber-hygiene home, but once I walked them through the dangers of poor cyber-hygiene from home, the company saw an 82 percent decrease in incidents,” Gray says.
People, Gray adds, view their homes as fortresses and they are not.
“I have seen people do things at home that they’d never dream of doing in the workplace such as storing medical data improperly, putting credit card information in document files, just so sloppy, but when they’ve had effective, immersive training in best practices of working remotely, we see results,” he says.
MSPs, Gray advises, may need to rethink their whole pricing packages post-pandemic to emphasize more layers of cybersecurity to encompass the legions of work-from-home employees.
“The typical MSP pricing model doesn’t factor that in,” Gray says. He predicts some push-back from clients, but that once MSPs make a strong case for the changing cybersecurity landscape, resistance should weaken.
“The biggest certainty right now is change. Nobody knows where this train is going, so the best we can do is take stock daily and adjust accordingly,” Gray concludes.
Photo: Daxiao Productions / Shutterstock
