The outbreak of COVID-19 has forced many organizations to speed up the adoption of remote working. In parallel, cyber attackers responded with a variety of new emerging threats, taking advantage of the situation. In this episode our guest, David Richardson, who brings more than 10 years of experience in security, will expose some of those threats and review the challenges and solutions in order to quickly adapt to a secure remote workforce.
Episode Transcription
Hank Schless 00:07
Hey everybody, welcome to the Lookout podcast. My name is Hank Schless, and I'm your host. Today we're joined by David Richardson, or as we call him here, DR. DR is our VP of Product Management here at Lookout. And he’s actually been here for over 10 years, which makes him one of our true vets at Lookout. So we're pumped to have him here. And in his time, it's really been cool. You know, he's really been helping mold the mobile security market. And with the work he's done on the product side and more –– which maybe you can tell us a little bit about –– he's actually got more than 45 patents related to mobile security, which is pretty awesome. So really, really excited to have you on here, DR.
David Richardson 00:41
Well, thanks, Hank. Appreciate that warm introduction. So thank you for that. This is a space that obviously I feel very passionately about, think I just crossed 11 years with Lookout, and it's flown by real fast. And yet somehow, you know, the last two months here have felt like another three years or something with all the challenges that have been going on, and all of the kind of rapid change throughout pretty much every industry, every organization, every geography around the world.
Hank Schless 01:11
Yeah, for sure. And kind of before we get into all that, I'd be really interested to know, just since you've been –– I mean, you've basically been in mobile security, some would argue pretty much since the genesis of it as a real industry. And even now, we're still seeing a lot of growth and a lot more recognition in the market. You know, when we talk to security teams or digital transformation teams, mobile is becoming way more of the conversation now. So could you speak a little bit to some of the bigger growth and change trends that you've seen in this last, I guess, 11 years now?
David Richardson 01:41
Yeah. So I mean, we definitely went from a world where mobile devices were primarily being used for personal use to primarily being used for business with the rise of BlackBerry, then the rise of the iPhone –– which, you know, initially was very much a kind of consumer focused device –– and the proliferation of Android around the world. There was a lot of skepticism, I would say, in the early days, especially on the enterprise side, of: Is anyone ever going to do anything more than emailing, calling from mobile devices, from mobile operating systems? And I think with larger phones, faster phones, better productivity apps, iPads, tablets, all of these things coming to market, we are now seeing that absolutely every single person thinks that their mobile device is now a crucial part of their work life and of their productivity suite. And one of the most interesting trends that I've seen in recent years is the blending of desktop and mobile with products like Chromebooks that in many ways behave like mobile devices, or iPadOS coming with the Magic Keyboard, with a trackpad. Similarly, you have the desktop operating systems actually kind of migrating towards a more mobile look and feel and a more mobile approach to security as well.
Hank Schless 02:59
Yeah. And what's been interesting is that we've all been kind of thrown into this new world. And it's really shedding a lot of light on cybersecurity. So kind of the main thing, the main issue I guess you'd call it, at hand, is really remote work. It's cool to see that the majority of companies have really been able to transition into this remote work model. I think that, you know, companies like ours, other technology companies have had a little bit of an easier time with it just because of how they were already set up. But none of that is done without a massive amount of effort from internal teams. And that's across the board. So what are some of the biggest security concerns for those teams as they build out and maintain this remote work model?
David Richardson 03:34
It's a great question. Definitely, there's always a trade off between productivity and security, or user experience and security. So what we're seeing as the most common trend in those that are saying that things are going well for them is that they already had robust adoption of the cloud and of mobility and have capabilities to support work from home –– had robust business continuity in place. And then where we're seeing other organizations struggle, obviously, let's just take a moment to acknowledge the fact that those of us that are primarily in the knowledge work industry, we are fortunate in these situations. The majority of our work can be done remotely through any screen that we have access to. But where we've seen organizations struggle are where they're trying to rapidly deploy cloud access or rapidly rollout a mobility program. When you roll this kind of program out very deliberately, then you get the opportunity to put the proper security controls in place and the proper policies in place and really have the thoughtful discussions of how much data access should someone get from their personal device. When you're doing this haphazardly, in a crisis situation, your first call is most likely to get people to be productive –– make sure that people can do their jobs even if it means relaxing policies. Rolling out any program like this deliberately means rolling out the proper mitigating security controls in place at the same time in parallel. And I think also, very importantly, as you need to understand, is this a temporary change? Because no one here has a crystal ball, no one knows when and in what form, the world really gets back to normal. Remote workforce could be a big part of the world moving forward, or everything could return to the way it was three, six, nine months from now.
Hank Schless 05:31
So, I guess, so now that we've got everyone working from home, right? We're all very settled into this WFH model, if you will, and, you know, we're connecting to corporate networks, we're going through VPN, we're using connections that might not be quite as secure as the network at the office, maybe, where they have certain protections in place. That's got to be a pretty big headache for I guess IT specifically and obviously security, too.
David Richardson 05:53
Yeah, no, no, absolutely. I mean, when you're connecting devices from home networks through VPN, while at the same time, you know, your spouse may also be working from home, your kids may be going through their education programs over Zoom or other video conferencing facilities, or goofing around and playing video games. At home, you've got this all happening on the same network. And it's sort of an extension of your corporate network now into the home network, where it may not be sufficient to know that the corporate device that someone is using to access data over the VPN is secure. Because there could be other devices sitting on that network that, you know, may or may not be secure, and Internet of Things devices. You've got some Google Home or Alexa or smart refrigerator or something like that, or baby monitor that's connecting to this same WiFi network that probably hasn't received a security update in quite some time; it may be introducing its own security holes into the network. So you're essentially bridging your home network with the corporate network in this process, and increasing the number of endpoints that can potentially access and compromise corporate data in this process. And many organizations have sort of been relying on the traditional perimeter of your VPN, or NAC, or your secure web gateway or whatnot, to protect your corporate data and to ensure that only compliant devices are able to access corporate data. But what we're seeing here is that you may need to think about a different way to approach security entirely, one that doesn't rely as much on the perimeter. And, you know, there's lots of buzzwords in this area around, you know, zero trust. Assume any device that's trying to access any of your corporate data inherently may be insecure.
Hank Schless 07:34
And it seems like part of this is that a lot of companies, yes, they've been forced into remote work, but they've also been forced into embracing a BYOD deployment model. And, you know, we've seen that increasing over the last couple years. We've seen more people doing that. But obviously, this means that employees are accessing their corporate data from the same devices their personal apps are on and there's definitely a crossover. Kind of a gray area starts to exist of okay, what can access what when a personal app asks for certain permissions. Does that affect the security posture of a device and, you know, kind of with corporate policies, there's a whole slew of things that someone could say makes it riskier to be doing that. And, like you said, when you don't really have the time to implement a policy like that, that you kind of are forced into it, you know, there are going to be holes and gaps at the start. So how can people address those and then mitigate the threat that exists from this kind of forced-to-BYOD situation a lot of people are in.
David Richardson 08:34
You really hit the nail on the head there, Hank, about the dual nature of all mobile devices, right? Like, it really doesn't matter whether it's a corporate issue device or your BYOD device that you're using to access data, every single device is going to be a mix of corporate and personal data, whether it's your corporate device that you have used to take pictures of whiteboards as well, as, you know, taking pictures of your kids with the same device in there. That data is now intermixing in your camera roll. Or it's your personal device that you may be accessing social media from this device and accessing your corporate email or taking notes. There's sort of… No matter how you approach mobility, it ends up being it feeling like a shared device. And I think there's a perception also that like, even if your company gives you a phone, that it's your phone, and you can use it how you want because it's on you all the time. It's in your pocket. It tracks your location. It listens to your conversations. I feel like we don't quite have the same attachment to our laptops or other devices where we're like, okay, that's the company laptop, I do work on that and maybe I feel a little bit guilty anytime I do anything other than work on that device. Nobody feels that way about their mobile device. They definitely feel like this is their device. But sorry, let me wander back to the question at hand here in this type of situation, you know, where you've got data on devices that are both personal and work devices. How do you mitigate the risks that are introduced in that environment? And the first thing I would say, especially when you're trying to do something like this rapidly: Look to the tools you already have. If you have a mobile application management solution, a productivity suite like Office 365 or G Suite, look to the controls that they have. 
Because they will have some controls around doing things like: requiring that there's a PIN code set on these devices, requiring that they maybe run a certain operating system version, requiring that certain security settings are enabled on that device, disabling things like copy/paste across the work-personal boundary. Make sure someone can click on a file in Microsoft Word and click share and then click with Facebook and then click send and they just accidentally share this to their social media account. Make sure that you've got those controls in place, like, first and foremost. And there are other places you should look too. You should look at your identity and access management solution or your single sign-on and see what controls they may have. So they may be able to do things like mandate that only managed devices can access certain cloud resources or mandate that the device needs to at least be coming from a certain country or a certain IP range or something like that.
Hank Schless 11:27
So we've talked a lot about networks being at home managing the devices, how that can kind of, like you said, maybe spook employees a little bit to bring it under full management when it comes to the employees themselves. What's, in your opinion, just as, like, just as a security expert, what's kind of the best way for people to approach… that makes sure that everyone's on the same page and, you know, enough of a temporary measure that they're, you know, understand the reason that they need to do X, Y, and Z or enforce certain policies.
David Richardson 11:55
Yeah, I mean, I think it absolutely falls to the organization, especially if you're doing something like temporarily relaxing a security policy, you need to let everyone know why it's okay, but what they need to do, which can be a paper policy, like, right? It doesn't necessarily… In a perfect world, all your policies are enforced all the time by technology. But you can put paper policies in place, too –– right? –– which is to say something like: “You shouldn't be sideloading applications onto your mobile devices that you're using to access…” Or, in a perfect world, you deploy, you know, a Mobile Threat Defense solution to be able to impose those restrictions. But in the absence of that, you can communicate that as a paper policy. Temporarily tell people, “Hey, if you want to set up corporate email on your device, just make sure you follow these basic rules; we're gonna enforce the ones we can, but we can't necessarily enforce them all. But we'll try to enforce them at some point in the future.” So I think that's, you know, that onus is definitely on the employer to make that information clear. I think also, as we think about training in general, like phishing training, for example, we need to definitely consider the mobile device and the whole context of the mobile device as a part of those exercises. So the majority of phishing training solutions out there pretty much look at corporate email. They're looking at how to spot a phishing attack that's against your corporate email account, and ensure that you don't respond and provide information or click on links. But you need to think about the entirety of the phishing surface, which, you know, includes personal email as well. You can just as easily get phished on a personal email, SMS, iMessage. Apple has done such an amazing job of convincing people that their devices are secure that people think that nothing could possibly go wrong if I'm on my iPhone or if I'm on my iPad. That's not true.
You can get phished from any device. You can accidentally enter your email and password into the wrong place on any device. You can be tricked into installing something you shouldn't install. You can get tricked into connecting to a network you shouldn't connect to. These things can all happen on any device. Mobile devices have the same problems that computers have; they can face the exact same issues.
Hank Schless 14:10
There. Yeah, 100%. And then you see it every day. I think it was about six weeks ago, everyone at Lookout got an email saying someone in our employee base has been infected with COVID-19 and open this attachment to read what you should do or something like that. And, you know, obviously, we're all, because of the world we live in, pretty well trained in being able to spot that. But, I mean, if you open something like that on a phone…
David Richardson 14:35
Yeah, I think especially in that context, you know, where you're receiving something that's piggybacking on a current event and presenting a sense of urgency. It was telling, you know, essentially, you may have been in contact with someone who had COVID-19 and here's how to find out if you were and to read more details about it. This is designed to cause you to turn your brain off to get scared. And to do something quickly, without thinking twice about it.
Hank Schless 15:09
To bring it back to the remote conversation a little bit, I feel like most people are probably less cautious at home, because you're not in that mindset of being in the office back a little more instinctively.
David Richardson 15:19
I think there's truth to that. We also see that in the sense that people are more eager to click on links on their mobile devices where they're, they're on the go, if you see a website that doesn't quite look correct on a desktop, that might raise more alarm bells than when you see little minor formatting issues on mobile. It's like, that's sort of par for the course sometimes. We see those types of things and you can't see the full URL bar; you don't have that full insight into… You might see, like… Legitimate login pages might say something like www dot Microsoft Oh, dot dot dot, and you don't know, oh, dot dot, dot… it's not as easy to hover over a link. On iOS, they've now made it so if you accidentally press a little too hard on the link that you're trying to long press on to check its source, you are opening it up in a quick look view that's actually loading the page on your device. You know, it's very difficult to apply some of those best practices that you might have learned in another context. You know, it's more difficult to apply them in this context. And then combine that with the fact that working from home, you might be sleep deprived, you might have screaming children running around the house, and all sorts of things like that going on that's affecting your brain power a little bit more than usual. And yeah, you might just go, “Oh, no, what happened now?” and click on the link.
Hank Schless 16:40
Yeah. So, kind of just wrapping things up here a bit, looking a little bit to the future. The other bit, a couple reports have come out about, you know, how much of the remote workforce is gonna stay remote? Of course, people are talking about how long this will go on. But how do you think that with all the focus that's been on security recently this is all going to change the way people approach the home office, and even the greater mobile employee –– right? –– once we get back to traveling? Do you think that’s what's been going on recently –– how people are shifting things around? We'll pull that home office and that mobile worker more into the conversation and into the remote work idea?
David Richardson 17:20
Yeah, I think so. I think every organization, you know, especially for knowledge workers, you need to consider remote work as part of the standard operating procedure. I'm not saying shut down the office or anything like that. I'm definitely not advocating for that. I think physical location is an amazing resource, especially for collaboration for creative, absolutely, brainstorming, all of those kinds of things. But I think you should consider that some percentage of every knowledge worker’s time, it should be assumed to be remote. But as a result of those changes –– which will make your whole business, I think, more resilient overall –– that basically means changing fundamentally the way that you think about securing your workforce as well. Because any perimeter based solution that you're using is only going to protect now a fraction of your employee base at any given point in time. So you really need to think about moving beyond work perimeter related protection mechanisms, because they're not applicable to all use cases. And they're not applicable to many of the emerging trends we are seeing, where people get direct access to cloud services from mobile devices and things like that. One question that I raise: How do you make the decision as an organization as to when you put a new service in the perimeter or in the cloud? Or how do you decide whether someone needs to be on the VPN to access it? Or if they should be able to get direct access through, like, a single sign-on solution or something like that. If it supports the ability for them to access it directly, then we do that. So it wasn't a security consideration? If it's capable of allowing people to access it directly, then we want them to access it directly. And I think that's the right trend. I think that's the promise of the cloud. And that's the promise of mobility.
But it means that you shouldn't really be considering any kind of network perimeter security solutions that you have as even really relevant to the security of your corporate data. You know, if that's the stance that you're going with, and I think many organizations will increasingly kind of move in that direction.
Hank Schless 19:35
Absolutely. Yeah. I agree. Well, cool. DR, I think that's about all the time we have for today. But thanks again for joining us. Really, really appreciate you sharing your expertise and your point of view on all this. And thanks to all of our listeners for tuning in today. You can always visit lookout.com to learn more about the state of mobile security in a more general sense and in the more focused context of having to secure a remote workforce. See you next time.