The transition to working from home came with a lot of challenges – especially when it comes to cybersecurity and technical needs. Ed Ko, Co-founder and Director of Information Security Services of CampusGuard, shared insights on those challenges, and offered potential solutions higher ed institutions can put into action.
Overview of CampusGuard
CampusGuard is a cybersecurity and compliance company that works primarily with campus-based organizations (like higher education institutions) with complex environments. They protect information like cardholder data and personally identifiable information (PII) and make sure that institutions meet the latest, most effective security standards.
They take a proactive approach to protecting computer systems – performing vulnerability scans to find potential weaknesses across the organizations they partner with. If any are discovered, they’ll work with the institution to improve and get security levels back where they should be.
CampusGuard is a certified Approved Scanning Vendor (ASV) and a Qualified Security Assessor Company (QSAC), and its team members hold a wide array of additional industry-standard certifications.
Evolution of work environments
One of the most obvious changes that institutions saw due to COVID-19 was the places their staff work from. Open office spaces, access to private meeting rooms, “ad hoc” meetings in hallways or break rooms – many aspects of the typical office environment simply didn’t translate to home offices.
Kitchen tables became work desks, spare corners became offices. Now, people work wherever they can find the space to do so. Virtual meeting rooms like Zoom or WebEx may have been foreign tools earlier this year – but at this point, many staff members are near-experts.
One of the biggest concerns, from a technical perspective, is the equipment staff are using to perform their work. Do they have a laptop they can work on (and is it provided by your institution)? Do they have access to a secure network?
Because institutions needed to answer those questions so quickly, the transition produced challenges that had to be addressed.
Challenge 1: Network security
Arguably the most severe challenge institutions are facing (or had to face) was the security aspect. Sensitive information that was previously protected by secure, on-campus networks is now being worked on at home.
The IT team that worked so hard to keep internet access safe and running smoothly now doesn’t have much control over the home networks of staff. They can’t control internet providers, router types, or internet activity throughout the day. Personal computers, game consoles, tablets, and mobile phones using the network all have a potential impact on the security and reliability of that home network.
How to solve it
The first step, Ko recommends, is making sure all computers and accounts are secure and in order. Virtual private networks (VPNs) were originally designed to offer flexibility and maintain (but not improve) the level of security an associate would have if they were in the office. Due to the encryption and security measures VPNs offer, however, they’ve become an additional layer of security for networks that would have otherwise remained unencrypted and relatively unprotected.
Adding in multi-factor authentication (another step staff need to take to log on to their computer or account) is another great way to protect information. Additionally, make sure that staff members are on Wi-Fi networks that use strong, secure passwords.
Challenge 2: Physical security
Outside of sensitive information that lives online, physical documents that include that information needed to be addressed as well. Ideally, there would be a locked room, file cabinet, or briefcase to keep those physical files safe – but how many staff members actually have access to these methods?
Remind employees to refrain from sharing pictures of their remote workspace. If they’ve accidentally left passwords or documents with PII in view, a shared photo exposes them, and that’s an issue that could have easily been avoided.
How to solve it
Make sure staff members aren’t just using a dedicated work space – but are protecting it as well. Encourage them to keep all work files together and in a safe place, and set boundaries with family members or roommates. Ko himself mentions his children – if his youngest son accidentally sends an email while he’s away from his desk, private information is in danger.
Challenge 3: Telepresence and overall privacy
Tools like Zoom are great ways to interact with students or other staff members online, but issues like “Zoombombing” (the act of dropping into a meeting unannounced, often with lewd or obscene content) posed a significant challenge for institutions and classrooms.
For staff members living with family or roommates, being able to have a completely private conversation over the phone can be difficult. Sometimes, that’s little more than an inconvenience, but for those working in departments like human resources or payroll, having information open and readily accessible is a potential security threat.
How to solve it
Institutions need to be almost overly clear when outlining new procedures and training for staff. Though it may seem mundane, having a baseline allows staff across the organization to be on the same page and keep information safe. Working from home is a new world with new threats, and it’s important to be prepared. Even when staff members walk away from their computer for a minute, make sure they lock it.
Challenge 4: Readiness for remote
For the physical act of moving staff members to their new home offices, hardware was another big question mark. Departments that were already using laptops have seen less of a challenge, but for those that weren’t, it was incredibly important that any personal devices used for work were secure.
How to solve it
As much as possible, Ko recommends making sure that all remote employees are only using institution-provided equipment to work. Doing so eliminates one more variable and potential weak point that can be targeted. Checking email on personal phones is extremely convenient, but without the right security measures, it can also be extremely dangerous.
Challenge 5: Cybersecurity
Crime doesn’t sleep. Cybersecurity has, rightfully, been top of mind for institutions throughout the entire process. Criminals aren’t taking a break because of the pandemic – they’re taking advantage of it. Resources, information, and money are all potentially in even more danger now that staff are working from home.
How to solve it
Certain best practices, like role-based access to certain documents or systems and strong password requirements, may seem commonplace, but it’s good to revisit them. Have any roles changed? Are there things that need to be addressed?
When it comes to password requirements, Ko actually recommends steering clear of the traditional “replacing letters with numbers or symbols” approach. Passwords built that way aren’t actually difficult for computers to guess, but they are unnecessarily difficult for humans to remember. Instead, he recommends simply choosing four random, unrelated words and creating a brief story or mental image to remember them. He also recommends using a password manager to keep track of the passwords you don’t use on a day-to-day basis.
Make sure to only save work files on approved desktops, servers, or institutional cloud accounts. If you have a personal Google Drive or Dropbox account, keep it for personal use, not work. Professional versions of these platforms have more specific security measures in place designed to protect you and your institution.
A note on social engineering
In IT, social engineering is an act of deception used by hackers to gain confidential information they can use to their advantage. In one analogy, Ko compares social engineering to a magic show. It’s all about misdirection. These “social engineers” create a distraction (often with some level of urgency) that reels in their target. They may, for example, cause a network attack that occupies the entire IT team – meanwhile, they sneak in emails that normally would have been caught.
For social engineers, emotion is key. They create trust by sending emails from the “Help Desk” or fear by threatening the target’s career or savings. If they can pique your curiosity enough to get you to click a link, send information, or unknowingly perform a harmful action, they will.
Being overly skeptical or cautious isn’t the right answer to security from home, says Ko. What’s more important for the everyday remote employee is to know what “normal” looks like. Is it “normal” that your boss would send an email like that? Is it “normal” that IT would reach out to you individually? Normal looks different for everyone, so each person needs to sit down and really think about what it means for them. If you don’t know what “normal” is, you won’t know what “abnormal” is.
The “new normal” of remote office work has come with a lot of changes – but with the right preparation, your institution and associates can be confident and secure every day.
This information (and a bonus Q&A session) is also included in “Working From Home and the Cybersecurity Implications”, an on-demand webinar you can view whenever you’d like.