Realities on IT security and how Campus X addresses them within our own infrastructure.
By Sergei Biliarski, Campus X's award-winning IT Manager with 11+ years of experience
2020’s peculiar events quickly urged (almost) the whole diverse workforce - from the standalone freelancer to the large multi-national corporation - to adopt a fully remote workstyle, regardless of whether they were ready or not.
Basically overnight, companies had to instruct their fleets of office workers to find a suitable IT setup wherever they were stationed, and stay productive, for an unknown period of time.
Table of Contents
What was the impact on companies?
Some companies were more prepared than others. Specifically, IT (but not only) organizations who had already invested in cloud-first and decentralized infrastructure strategies (e.g. AWS, Azure, GCP), modern communication and collaboration tools (e.g. Microsoft 365, Google Workspace), and mobile employee hardware, reaped the benefits of their insightful IT strategies.
Those organizations reported that they found this transition to be quite straightforward and almost painless.
However, others were not so lucky. Many established corporations, and even smaller organizations, still rely on legacy centralized IT models, be it for regulatory compliance purposes, rusty security policies, or plain old inertia. Many of these organizations keep all their valuable data and communication in-house in large, protected data centers and highly secure internal networks.
Thus, it was no surprise they struggled immensely to quickly apply their IT security standards to the work-from-anywhere, bring-your-own-device world.
What happened? This either left the companies’ IT systems with large security holes to preserve employee productivity or the opposite – they brought their loads of policies and procedures forward and restricted all kinds of access, blocked personal devices, created hoops of approvals, and ultimately crippled employee efforts to accomplish almost anything. In turn, this resulted in lower productivity and plummeting revenues.
Facing new challenges
Soon thereafter, the first group began to struggle too.
Although cloud- and mobile-first companies initially took the lead in adopting the new workstyle, many were not quite prepared for the next challenges down the road.
Firstly, home networks began feeling the immense strain of modern online work and study life. Imagine two working adults who are constantly and simultaneously requiring high-bandwidth low-latency connection for conference calls, quick access to large file resources, as well as sharing and collaboration tools. In the meantime, their kids engaging in real-time online learning.
Also, productivity began to suffer. Some sought escape from their crowded homes to better focus on their work. And while it is indeed fun to spend a few days tapping away on your laptop in a wooden cabin in the middle of nowhere or sipping a cold drink on a sunbed near the sea, people quickly realized that those conditions are way more suitable for what they were initially designed for – a short disconnect from corporate buzz and recharge of their mental batteries, rather than consistently delivering productive output.
Hackers and security breaches
In addition to the drop in productivity, a new threat appeared. Enter the black hats. Hackers and other malicious actors moved in for the kill.
Millions and millions of people exited the security boundaries of their organizations and started doing important work and accessing private data from a wide variety of home-grade unpatched routers and insecure publicly accessible Wi-Fi networks.
Furthermore, employees got so used to the constant change in workflows and using new corporate-provided tools every day, that they were readier than ever to click on any link in any email that looks somewhat legit and includes words like “IT department”, “new policy”, “remote access” and punch in their work credentials without a second thought.
"Threat actors are adapting quickly as the landscape shifts to find new ways to capitalize on the remote workforce," says Adam Kujawa, director at Malwarebytes Labs. The cybersecurity firm released a report in August 2020 called "Enduring from Home: COVID-19's Impact on Business Security" examining the impact of the novel coronavirus in the security world.
Company telemetry and a survey conducted with 200 IT and cybersecurity professionals suggest that since the start of the pandemic, remote workers have caused a security breach in 20% of organizations.
The challenge cited most by respondents was training employees on how to be security compliant at home (55.4%), while 36.6% expressed the concern that their employees may not have adequate cybersecurity protections for their personal networks and devices.
Going a step further, 45% said: "devices may be more exposed at home, where employees feel safe, but others may have access to their devices and may inadvertently compromise them."
Furthermore, 18% of those surveyed said that, for their employees, cybersecurity was not a priority, while 5 percent admitted their employees were a “security risk” and “oblivious” to security best practices.
The examples of massive data breaches and information leaks caused not by criminal intruders but rather by sloppy end users have been increasing in magnitude. For instance, the Nintendo data breach in April and July 2020, dubbed the Nintendo Gigaleak, that exposed data, and passwords for 300 000 accounts, and later source code and development repositories dating back to the 1990s were all presumably caused by weak or reused account passwords. Stolen employee credentials were the key to the massive Marriott breach, reported in March 2020, resulting in exposing the private data of 5.2 million guests.
Lessons learned as an IT Manager at Campus X
When thinking about those threat vectors and how we at Campus X can help our members address them, I like to visualize them in layers, similar to how networks work in IT.
Physical connectivity
Starting from the ground up, it’s vital to secure physical connectivity.
Not many people care about router firmware versions in their daily lives, but unpatched known security holes in router software are one of the primary ways an attacker could easily gain access to your home network and start scanning for further weak spots or simply eavesdrop on your communications. The first step towards better network security would be to ensure your network is run by a relatively recent router with an up-to-date patch/firmware level.
How we address the problem?
Back in 2018 when we launched Campus X, we had already made the strategic decision to build an enterprise-grade, highly secure, and redundant network infrastructure from the get-go. Our award-winning Cisco Meraki implementation is a testament to the long-term IT strategy and commitment to protecting our members’ critical data and devices.
But there’s more. At the IT team at Campus X, we try our best to keep up to speed with the latest security patchers and constantly monitor and apply new firmware releases.
And to step it up even further, technologies such as Intrusion Detection & Prevention Systems, Advanced Malware Protection, and Content Filtering, available as part of our Advanced Security license, go the extra mile of making the Campus X network a safer place to be.
Authentication
Another important aspect of network security is authentication – how do you prove that you are authorized to access a specific network and the resources it hosts. Most home/small office/public Wi-Fi networks rely on pre-shared keys – very often an easily pronounceable word or phrase, so it can quickly be shared with family and guests.
This approach, however, bears the risk of malicious actors guessing the word/phrase, or simply copying it from the sign on the wall, if you’re in a public space, and thus making their way into the network, where they can use their wide toolset to further exploit your devices and data.
How we address the problem?
At Campus X we address this threat in several ways – guest Wi-Fi passwords are changed regularly; communication between devices inside shared networks is blocked; our members can benefit from our Private SSID service, where they get their own Wi-Fi network, available across Campus X premises (a.k.a. Wi-Fi roaming), and can log in with their own unique per-employee credentials (or even corporate Google Workspace accounts).
This achieves a higher level of granularity because when an employee leaves the company, only their specific access can be stopped without causing access issues for the others.
Communication and data in transit
Going up the layers, having secured the physical network connectivity, we now need to take care of the communication and data in transit.
Most modern corporate productivity tools do provide a level of encryption using HTTPS and TLS, but you can’t always rely solely on the vendor for securing the public service you need to access, let alone when the business requires you to access private resources and data behind firewalls and in protected networks.
Many client VPN tools do a good job of encrypting all your traffic and masking your IP for your various devices. When it comes to securely connecting whole sites though, most publicly available services struggle to provide the flexibility and scalability needed.
How we address the problem?
Client and Site-to-site VPN are two of the most beloved services by CEOs and founders of Campus X member companies.
The ability to securely connect to the Campus X network from anywhere in the world, either to remote into your PC on-site, or simply to mask your source IP and access services that have the Campus X IP whitelisted, whilst encrypting all your traffic, is more than just convenient – it’s a game-changer for remote workers needing to stay secure and productive while working from home, a mobile hotspot or a public network at a hotel.
When it comes to negotiating business partnerships and establishing workflows with large enterprises, they often stop at nothing when ensuring that all risk of unauthorized access to their HQ systems is properly mitigated.
Several member companies are already making use of a Campus X-provided Site-to-site VPN tunnel for accessing highly protected remote infrastructures through the Campus X network and are therefore now eligible to participate in large projects for worldwide corporations.
Security certification and more
When talking about business with large enterprises it’s also very common for them to require aspiring partner companies to get certified by international security standards. This is a rocky but rewarding road that we’ve already successfully completed for several of our member companies.
How we help our members?
With the help of Campus X’s bulletproof physical and network security, our partners reap the benefits of having achieved certifications such as ISO27001 and even TISAX, even in these distributed workforce times.
Another part of the certification requirements, and of any adequate higher-layer IT strategy as a whole, is implementing internal security policies for:
Client device security – managed authentication, disk encryption, remote wipe
Centralized password management and unique passwords (vs. the secret spreadsheet holding all the corporate logins in plain text)
Least Privilege principle in terms of company resources access
Encryption and password protection of data in the cloud
Multi-factor authentication
Regular phishing awareness campaigns and employee training
Centrally managed antivirus and antimalware protection with reporting
A robust and tested backup solution
…and the list goes on.
One can never be overprepared or too protected when it comes to secure workflows.
Our experienced IT team at Campus X is proud to assist member companies with advice, implementation, and support on a daily basis on their journey in implementing best practices and achieving better security compliance, to measure up to the high standards, required by partner corporations and industry certifications.
In conclusion
All in all, you might get lucky and get away without any massive data breach, stolen credentials, or malware outbreak due to the lowered IT security standards that the distributed workforce model is imposing.
But, as Campus X founders love to reiterate: “luck is not a reliable long-term strategy.”
Ask a trusted partner, do your homework, and be ready to face this brave new world of possibilities with a confident smile. Our IT team will be happy to assist and consult you.
Want to join Campus X and benefit from our enterprise-level award-winning IT infrastructure and services? Take a look at our offices.
