The Second Order Effects of Remote Work: How Covid-19 has Transformed Our Security Needs

Vivek Ramaswami
Nov 12, 2020

For most of 2020, COVID-19 caused millions of employees across the workforce to abandon their offices and work from home. As a result, employers have had to rapidly adapt their environments to accommodate remote work — including allowing for a host of new software tools. In that sense, the first-order effects of WFH are clear: embracing the new-for-some types of applications employees use to communicate, collaborate and operate (i.e., popular tools such as Zoom, Slack, Google Drive, Hopin, Figma and Loom). But the second-order effect of working from home is that these major behavioral shifts and widespread use of new tools present hidden challenges — particularly around security and handling sensitive data. Although it remains unclear when and how we will reemerge from pandemic-related precautions, it is obvious that remote work is here to stay. This means that this novel and growing attack surface demands more attention — and a new approach when it comes to security.

We’ve already started seeing promising developments in the space as well as a few pockets where we’re predicting continued innovation. Here’s an overview.

1) Data Loss Prevention

Data Loss Prevention refers to tools and policies put in place to prevent potential data breaches, sensitive data leaks and exfiltration. DLP is not a new concept. Companies like Forcepoint, Zscaler, Symantec and others have offered DLP products to the marketplace for several years. And DLP tools take many different forms, such as multiple security control points for network protection, endpoint-based technology to control information flow, data identification, data leak detection, etc.

What’s different today, however, is that a new crop of cloud-native DLP tools has emerged with the acceleration of cloud products, especially during COVID. These new tools typically employ advanced machine learning to proactively detect sensitive data leaks or attacks, and automatically remediate and quarantine information to prevent public exposure.

Recently, we heard about an interesting example of this in action. As everyone transitioned to working from home, one company had moved all ~100 employees to Slack, including some FP&A employees who were used to sharing sensitive data through more traditional means. One employee accidentally posted a file of highly sensitive credit card numbers in a shared Slack channel. But the company was using Nightfall, which automatically detected the credit card numbers, anonymized and masked them, and quarantined the information from the rest of the employee base. The incident was then documented and flagged to the security manager to ensure necessary guardrails could be implemented.

This type of data leak is one that we’ll likely see more of as millions of employees continue working remotely and onboard new products.
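A minimal sketch of the detect-and-mask step described above, added here as an illustration; it is not from the original article and is not Nightfall's implementation (which the article describes as machine-learning based). It assumes a simpler technique, a regular expression plus the Luhn checksum, and the function names and sample message are constructed for the example.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_and_mask(message: str):
    """Mask Luhn-valid card numbers; return (masked_text, findings)."""
    findings = []

    def _mask(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw  # order refs and other long numbers stay untouched
        # Record only offset and last four digits, never the full number.
        findings.append({"offset": match.start(), "last4": digits[-4:]})
        keep_from, seen, out = len(digits) - 4, 0, []
        for ch in raw:
            if ch.isdigit():
                out.append(ch if seen >= keep_from else "*")
                seen += 1
            else:
                out.append(ch)  # keep separators so the layout is preserved
        return "".join(out)

    return CANDIDATE.sub(_mask, message), findings


# Constructed sample message; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = "Q3 refunds: card 4111 1111 1111 1111, order ref 1234567890123456, thanks"

if __name__ == "__main__":
    print(scan_and_mask(SAMPLE))
```

The findings list is what would feed the documentation and flagging step the article mentions; quarantining the original message is left to the chat platform's own API and is not shown.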

2) Virtual Private Networks

Virtual Private Networks (or VPNs) are private networks that encrypt and transmit data while it travels from one place to another on the internet. The purpose of a VPN is to add security and privacy to public and private networks by masking your internet protocol (IP) address and employing encryption tactics. These, too, are nothing new: Corporate VPNs have long been table stakes in the security toolkit, and consumer VPNs like ExpressVPN have been popular for several years — especially for people who often surf the web on unsecured Wi-Fi networks, or foreign travelers looking to view Netflix from their home country.

As many of us are well aware, traditional VPNs haven’t always lived up to the task. Legacy products can be cumbersome to set up and a nightmare to maintain. Moreover, most corporate VPNs were never designed with the modern workforce or fully distributed teams in mind, resulting in laggy Zoom calls and slow-loading apps. As employees work from shared and unsecured public networks, security teams are scrambling to replicate office VPNs into the home — and the shortcomings of existing solutions are becoming increasingly acute (VPNs are now the second-largest attack vector for ransomware). Luckily, we are starting to see a renaissance in this previously muted field.

Coinciding with the start of COVID lockdowns, a modern open-source VPN protocol called WireGuard was released in early 2020. WireGuard utilizes state-of-the-art cryptography (e.g., the Noise Protocol Framework, BLAKE2) and a simple network interface to offer a fast, modern and easy-to-use alternative to traditional corporate VPNs. Meanwhile, a new crop of startups like Tailscale and ZeroTier are building modern VPNs on top of WireGuard that require little configuration and no new firewall rules, and allow employees to work in a worry-free way. Tailscale’s vision, for example, is to “remove overhead and complexity from the long tail of software and operational problems that people face every day.” Twingate is another startup building a modern alternative to legacy VPNs.

This is the sort of ethos that we expect to persist long after COVID, as VPNs evolve to meet the demands of a modern work environment that is increasingly anywhere.

3) Better Security Policies and Management

At the end of the day, no matter what fancy products can be deployed, everyone in an organization has to be aware of the risks and challenges associated with new tools and remote work — and empowered to mitigate them in some ways. That’s where something as simple as evolving and codifying security policies is essential. Security leaders and CISOs need to be proactive in implementing updated security policies and managing access and permissions to help reduce attack surface area. While comprehensive identity and access management tools like Okta help ensure remote authentication is secure and frictionless, forming even basic rules on an “app-by-app” basis can be helpful.

Take Zoom, for example. Zoom is perhaps the fastest-growing product (in terms of usage) during COVID. This has led to a predictable increase in attacks and hacks through Zoom. There are basic measures employees and management can put in place to reduce the likelihood of these attacks, for example: checking meeting links, using virtual waiting rooms, locking meetings, etc. This requires some understanding on the security team’s part of how tools are being used. It’s counterintuitive, given adoption may actually be higher, but the days of SaaS creep and bringing-your-own-tools may in some ways be over as increasing scrutiny of toolkits becomes vital. We are even seeing startups like Theta Lake building independent solutions to add security and compliance for collaboration platforms and videoconferencing tools like Zoom.

I expect we’ll also see other basics, like multi-factor authentication, finally become the norm. MFA adds extra layers of security and permissioning to ensure only the right users gain access to an account. And though adoption has been steadily rising, heightened leakage risks will likely make MFA — and tools that facilitate it, like Duo Security — must-haves for any organization.

Keeping remote work in check

The trend toward more flexible, remote-friendly work has been inching forward for years now, as technological progress and adoption of the cloud made that more possible. But 2020 is the year that much of the world moved to remote work for the first time, driven by necessity more than opportunity. This impact will be long-lasting: Even once the threat posed by COVID-19 is behind us, this culture of remote work is here to stay — as are remote-working tools and their attendant security risks. Modern organizations will continue to want their employees to be as productive as possible by using their preferred tools, but this desire will have to be kept in check against the major security and data leak challenges associated with working from home. Fortunately, by employing the right tools and putting guardrails in place, remote work can be a (reasonably) happy, productive and secure endeavor.
