Millions of people have begun heading back to the office after nearly two years of working from home. While the return of some office-based working is a positive sign that the Covid-19 pandemic is slowly coming to an end, some experts fear that this could have significant cyber security implications for businesses.
The pandemic has seen vast numbers of people work remotely. And whether or not they had permission from their employers, many workers used personal mobile devices to stay in touch with bosses, colleagues, customers and other key stakeholders during the pandemic.
Unfortunately, consumer devices aren’t always protected by stringent cyber security defences like corporate electronics are. So, they could potentially harbour malware and other security vulnerabilities. Even if employees only used corporate mobile devices for remote working, they would have been connected to personal Wi-Fi networks and could be less secure as a result.
Whatever the case, hundreds of thousands of mobile devices – many of which could be potentially insecure – are suddenly reconnecting to corporate networks. What are the risks of this? And how can firms mitigate them?
A cyber security pandemic
The influx of new devices joining corporate networks for the first time will result in major security problems for businesses, says ESET security specialist Jake Moore. “There is simply going to be a deluge of malware and bugs being transferred onto these once secure platforms,” he warns.
To counter these threats, businesses must secure their corporate data and networks. But, according to Moore, this requires multiple layers of security and the cooperation of everyone inside the organisation. It shouldn’t just be left to cyber security teams to handle.
“Before you allow any non-company-owned devices onto the network, the data must be made secure, and if possible separate with guest networks, secluded sensitive areas and access given to only those who require it,” he says. “If any third-party device enters the network, it is highly advised to ensure a robust, company-approved antivirus solution is on the device and scans are carried out before joining the network.”
Because many employees use mobile devices today, there’s a risk that sensitive business data could get into the wrong hands when they’re taken outside the office. Moore explains that businesses can ensure that the data stored on mobile devices is secure when offsite through the use of full-disk encryption. “This must be enforced as mandatory for any device which leaves the building,” he says.
During the pandemic, many smartphones may have become compromised with serious cyber security vulnerabilities and will likely pose a threat to corporate networks as offices reopen. “The use of mobile app management can help network admins to be aware of what exactly is running on their network and take advantage of being able to control mobile devices remotely,” adds Moore.
BYOD fundamentals
Modern businesses should already be aware of the cyber security challenges of employees using their own mobile devices on corporate networks because these issues existed long before the pandemic, according to Immersive Labs application security lead Sean Wright. “This risk should already be covered by a security policy and enforced by appropriate device management solutions,” he says.
But Wright believes that the return of employees to office-based working will likely test this to some degree, with more people resulting in a greater number of risk points. He says one of the best ways to resolve this problem is by setting tight user permissions.
Enterprises that allow employees to use their own mobile devices on corporate networks should stress the importance of implementing security patches. “The really important factor here is patching,” says Wright. “With consumer devices increasingly vulnerable, the devices connecting to your network should be up to date.”
Another vital consideration for businesses with bring-your-own-device (BYOD) initiatives is to ensure personal mobile devices operate on an isolated network, says Wright, adding: “The first thing an attacker will look to do is move laterally. This will deny them that opportunity.”
Andrew Hewitt, a senior analyst at Forrester, believes that the use of mobile devices on corporate Wi-Fi networks can be hazardous for organisations without a combination of device compliance, up-to-date certifications and identity and access management (IAM) capabilities. “However, with a strong foundation of unified endpoint management and IAM, this is not likely to be a major issue,” he says.
He also urges businesses and professionals to be wary of SMS-based phishing attacks, which have risen exponentially in the pandemic. “You could imagine a hacker sending out what seems to be an emergency notification from an office building when in reality it’s a phishing attempt,” says Hewitt.
An influx of malware
Many businesses have allowed their employees to work on personal mobile devices over the past 18 months. But because consumer devices are typically less secure than corporate devices, they could have picked up all sorts of malware during this time and subsequently pose a danger to corporate security networks as offices reopen.
Martin Riley, director of managed security services at Bridewell Consulting, says: “As employees return to the office, there’s a risk they could be bringing compromised or less secure devices back on to the network, whether through the introduction of malicious apps or malware-infected devices.
“A lot of organisations are also overconfident in their current mobile device management and security capabilities. This is especially true if the organisation does not have a mature and integrated end user device management capability to underpin enterprise mobility technologies.”
Riley says the biggest challenge that IT teams will likely face when dealing with these issues is to get the balance right. For example, enforcing lots of cyber security restrictions on mobile devices could potentially affect productivity and user experience. But on the other hand, a relaxed approach may leave businesses vulnerable to serious cyber security threats.
It’s vital that security responsibilities are not left in the hands of the users alone. Users need ongoing education Martin Riley, Bridewell Consulting
He believes that the right answer is to enforce a zero-trust security model so that no individual or device is trusted. “This means separating users and devices as much as is reasonable for your business from corporate assets such as data, applications, infrastructure, and networks and following the Identify, Authenticate, Authorise and Audit model [IAAM],” says Riley.
With new online threats constantly emerging, there’s also an onus on organisations to provide their employees with security awareness training. Riley says: “It’s also vital that security responsibilities are not left in the hands of the users alone. Users need ongoing education on the risks, types of threats and best practices.”
Because employees are increasingly relying on mobile devices and applications for work purposes, Riley urges organisations to include these within the scope of security controls, testing initiatives and anti-phishing technologies.
He adds: “By ensuring the use of a modern mobile endpoint and application management suite, organisations can enforce corporate policies on authentication, data management and patching, providing flexibility for the end user while improving risk management for the business.”
Taking immediate action
In the future, Capgemini cyber security director Lee Newcombe envisages organisations being able to connect “dirty devices” to corporate LANs with lower risk. But he says this currently isn’t possible due to the legacy model of flat and relatively unprotected internal networks.
“We are not yet living in the nirvana of a zero-trust world, with internal microsegmentation and every access request being subjected to a variety of security checks prior to being granted,” he says.
As a result, businesses need to take extra precautions when personal mobile devices are being used on corporate networks. First, Newcombe recommends that businesses ask their employees to ensure anti-malware signatures are up-to-date and delete any non-standard software before entering the office.
Newcombe also encourages businesses to conduct device posture checks remotely and on connection to the local network if they have the capabilities. Another important step is to use security monitoring solutions for identifying malicious activities within the internal network. And firms shouldn’t neglect server-side anti-malware solutions by focusing their attention on other areas.
Although lots of businesses are reopening their offices with the easing of lockdown restrictions, the general consensus is that hybrid approaches will define the future of working. And as employees continue to use mobile devices at home and in the office, organisations must strengthen their cyber defences accordingly.
Jitender Arora, chief information security officer at Deloitte UK, encourages businesses to adopt strong phishing defences, endpoint detection and response systems, essential security services and web proxies in a bid to improve the security of their hybrid working environments.
For some people, returning to the office may be an exciting prospect after nearly two years of remote working – it’s iron-clad proof that the troubles of the pandemic are beginning to fade away and that better things are around the corner.
But what many people don’t realise is that their mobile devices may be potentially unsafe and, when connected to office networks, could possibly harm their employer’s IT infrastructure.
As a result, workers must ensure their devices are fully up-to-date and secure. And businesses must strengthen their network security so that insecure mobile devices don’t provide cyber criminals with a point of entry into corporate systems.
