For 25 years, I was a cybersecurity risk to my company. And during the last 10 years as a co-owner of a small business, I have remained a cybersecurity risk.
During the earlier part of my career, I was a consummate road warrior. I typically flew well over 150,000 miles per year—and that was just for U.S. domestic flights. And, of course, I toted along my trusty notebook computer to every airport, hotel, coffee shop and office-park lobby where I could grab a WiFi connection. While I usually did not let my computer out of my sight, I’ll admit that there were times where I used open, unsecured networks or left my computer open in my hotel room when I went down for a meal or to work out in the fitness center. Fortunately, I don’t remember experiencing a major malware attack or suffering a catastrophic incident of identity theft—then again, I probably wouldn’t have even known if I did.
Today, I don’t travel for business nearly as much as in the days where I had to clear my brain each morning so I could remember which time zone I was in. But now I’m an around-the-clock telecommuter, working from my home office away from a traditional setting where Security Operations Center personnel and systems can keep a watchful eye on my use of applications, data and services.
People like me are dangerous.
That’s because there are so many road warriors and telecommuters, something that is only likely to continue to grow. A Harvard Business Review study points out that CEOs around the world spend more than 50% of their time outside their company’s office, while even employees still “officially” tethered to traditional office-based desks are working away from their desks more than 50% of the time.
And in this era where the digitally armed road warrior and telecommuter are the rule, rather than the exception, the sad truth is that many organizations do not always impose and enforce strict policies that provide for good cybersecurity hygiene for mobile workers. And yes, that especially includes executives and even board members.
Sean Duca has a unique take on this challenge. As chief security officer for the Asia-Pacific region at Palo Alto Networks, Sean is a bona fide road warrior. He spends about 200 days a year away from home, mostly for business but also for personal travel, so he’s very aware of his responsibilities in ensuring that his digital assets (and those of his employer) are always secure. And, since he spends a lot of time talking and consulting with customers, he gets to see what other organizations are doing (or not doing) in protecting road warriors and telecommuters against cyber threats.
“Some of the things organizations should do are very fundamental, meat-and-potatoes steps,” he said. “Road warriors are often some of the biggest users of public cloud SaaS services and their laptop applications and operating systems must be continuously managed and updated, whether you’re talking about routine security patches, ongoing monitoring and management for unusual network traffic, or device maintenance.”
“SaaS-based applications, in particular, represent an important cybersecurity issue for organizations,” he added. “A road warrior no longer finds it necessary to come back to the corporate headquarters to access valuable information, so the CISO’s team can risk losing control over who is accessing applications and data, where that access is coming from, and what is actually happening to the data in terms of risk exposure.”
And, executives should avoid the siren song of the “free WiFi” signage in airports, shopping malls or public centers of any kind. “Ask yourself: What is the WiFi provider getting from you in exchange for providing you with free access?” said Duca. “You set up a user ID and password, and away you go—and you’ve automatically sent a signal to hackers that you’re now in play. Someone can easily mimic the free WiFi hot spot and collect a lot of information—personal information about you, and of course, gain access to corporate data like customer records and intellectual property files.”
This means that business leaders need to insist that anyone traveling on company business—or using a company-issued device or accessing a company application or database—must use updated, fully supported secure VPN connections back to the enterprise network, rather than those ubiquitous, easily access but highly vulnerable public networks. It also means that every organization’s full user base should be outfitted with multifactor authentication in order to harden security defenses when away from the relative safety of a SOC-control headquarters.
Similar steps are essential to protect an organization’s growing number of telecommuters. The notion of telecommuting has gained substantial support throughout executive offices because studies have demonstrated telecommuting saves money and raises employees’ job satisfaction. But like road warriors, telecommuters present their own unique set of cybersecurity challenges. And perhaps the most obvious is the fact that telecommuters are often using personal devices to access an organization’s most strategic applications and data.
“When your employees work at home, you open yourself up to risks when they user personal devices that are not always up-to-date on security, or are not being monitoring by your SOC for abnormal activity,” said Duca. “When non-sanctioned devices are downloading files ranging from spreadsheets to engineering drawings, you may have substantial governance and compliance exposure.
“Sure, we like it when our employees work at home in the evenings or over the weekend because it gives them flexibility and improves worker productivity. But what are they downloading from their personal cloud services onto their personal machine? Does that open up a point of entry for malware and file extraction?”
Duca stressed that organizations need to have well-thought-out, clearly defined policies for who can access which files, applications and services, from which machines and for which purposes. “If someone is using a non-corporate-issued devices to access corporate applications, the organization needs to control their ability to download certain critical files to their devices, or worse yet, to their public cloud storage service,” he said. “And if you allow them to use personal devices to access digital assets, you must be sure you know what those systems’ security tools are and if they are up to date. Or, you may want to insist that things like intellectual property and source code can only be accessed if a user is physically connected to the backbone network, or through a corporate-issued device.”
Just like organizations have learned to live with the security challenges associated with the Bring Your Own Device trend or by allowing employers to subscribe to public cloud services for work-related activities, business leaders and security executives need to have an open, honest and collaborative approach to cybersecurity for road warriors and telecommuters.
If those aren’t part of your overarching cybersecurity framework, you will undoubtedly regret it. And the really bad part is that you may never know how much at risk you are until a breach occurs and you’re the next cybersecurity headline and cautionary tale.
Mike Perkowski is an award-winning journalist who has covered the technology industry across a wide range of topics and trends.