With faster internet, mobile hotspots, VPNs and cloud technology, the work from anywhere (WFA) model is becoming the norm for many organizations.
Employees love the freedom and flexibility of a mobile office, and employers are seeing an increase in productivity when embracing remote work. But this new freedom comes at the cost of increased security concerns for organizations—and their managed service providers (MSPs).
So, what can MSPs do to help keep their customers and end users safe? Liongard’s Jeannie Cain, Director of Information Security, recently sat for an interview to talk about changes in the security landscape, and the most important thing MSPs can do to help their customers be security-first.
What are the biggest changes in the transition to WFA? Has anything stayed the same?
Years ago, working remotely was different. I didn’t have as many meetings, and I didn’t interface face-to-face as much. I’d say it made me more introverted. But fast-forward to now, and where I once had 2-3 hours of daily meetings, now I max myself out at 6-7 hours.
I think the biggest thing that changed during COVID was not necessarily business- or security-related, it was people-related. During the initial transition to work-from-home, people lost a sense of balance and started working 12–15-hour days just because they weren’t sure how to effectively work outside of the office.
Personally, I have been working remotely now for about 8 years and I think I’m more successful now than I’ve ever been. One thing that helps me is to create a space so I can sink into work mode. And for me, that helps work not feel any different than if I was in an office.
In terms of security, the thing that really changes when you are working from home is mindfulness about your work laptop. When you’re WFA, you have family and friends in your office space, so you want to make sure that your work stays private and that you put away any confidential information before you stop working for the day.
What are some of the other security concerns with a WFA workforce?
From a security standpoint, I think we loosened the rules a little bit when we made the transition to work from anywhere. When I first started working remotely, maybe 20-25% of the workforce was doing the same. It was easy to manage equipment and users, and it was cost-effective. It was a smaller group of people who you could focus on and educate about security best practices. And then suddenly, it blew up overnight. So, instead of 15 employees with open internet, now it is 150, and we were all working so quickly that we stopped educating users as much, and that’s where the security concern comes in.
One of the concerns for organizations that suddenly had a fully remote workforce was ensuring that employees are automatically logged in to the company VPN when they sign into their workstation. With tools like Zscaler, the VPN follows you; you don’t follow it, which is critical. Because then you have some perimeters and boundaries again for at-home working, versus “I’m in the office and I’m behind a firewall.” That world does not exist anymore, so the firewall must start following you. So, security suddenly shifted to see every laptop as an extension of the organization.
How can MSPs help their customers be more security-conscious and proactive?
There are a few things that come to mind here. There are different layers of security at an organization. There is a layer of network and VPN security that includes making sure something is monitoring user behavior. There’s endpoint protection which used to just be ‘antivirus’ but now is wrapped with intrusion detection systems (IDS) and intrusion prevention systems (IPS). Then there is the physical layer of the laptop or workstation.
When it comes to that physical layer of protection, one thing that makes me cringe: admin rights on a laptop! Because admin rights are not about the end user making a right or wrong decision, it’s about the things that you click, like a link in an email or text message. If a user clicks on a compromised link and doesn’t have admin privileges, that bad actor could only go so far before it died, because it wouldn’t have access to anything else. But when you put admin rights on a laptop, you are giving bad actors the keys to the kingdom if a user makes just one wrong click.
And then on top of that physical layer and everything else, you’ve got the human layer—talking about and educating about security awareness and best practices—and that’s more important than any tool.
Finally – educate, educate, educate. Let your customers know about security best practices, and help their employees understand why these security measures are in place and important. That’s the best thing you can do as an MSP.