Your VPN Is a Half-Measure
As most of you reading this know, public or "open access" WiFi is not a safe option for employees working remotely. Cyber criminals can potentially see all the traffic going through a public network, including unencrypted packets, FTP login credentials, and passwords sent in the clear.
If you've issued your employees a company VPN for external connections, you likely think you've covered your bases, but the reality couldn't be further from the truth. And it isn't the VPN you should be worried about, but end user behavior and the surrounding environment.
Lack of Patience
When thinking about end-user security, it's paramount to think through situations the way an end user would. Exceptions to company policy quickly become the norm, and that in itself puts your organization's security at risk. Almost all end users are impatient and take the path of least resistance, even when that path doesn't align with security policy.
This can present a problem for end users who regularly connect to a VPN. If, for instance, you hear constant complaints about your company's VPN connection speed, there is a good probability that a number of your employees have given up on the VPN and are connecting directly to public WiFi networks, exposing your organization's data to significant risk.
It is worth asking your employees whether they have complaints about VPN speed and, if they do, investing in your VPN to ensure fast connections, so that end users are more likely to use this more secure connection.
Culture of Sharing
We live in a culture of sharing. This is especially true for end users operating outside of the office. You should be well aware that 90% of your end users have signed up for social networks including Facebook, Twitter, Instagram, Pinterest, and others. And even if these websites are blocked from your network, most end users have placed these apps on their mobile devices -- devices that may even access your organization's network or email system.
One of our clients recently noticed "facebookuseragent" as a source for several clicks on a phishing assessment they sent out using our PhishGuru software. We discovered that end users actually shared the suspicious link on Facebook (either on chat or on their wall), likely to ask their peers about the validity of the link. And the worst part: other people clicked the fake phishing link.
While this doesn't necessarily present a threat to users on a company VPN, it is a glance into poor end-user behavior and a person in need of remediation training.
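The "facebookuseragent" clicks above are a detection signal you can look for in your own phishing-assessment logs. The following is an added example, not PhishGuru code and not from the original post: it parses constructed click-log lines (timestamp, per-recipient link token, source address, user agent) and flags a token as "shared" when it was clicked from more than one address or from a social-network user agent. The log format, the token naming and the user-agent markers other than "facebookuseragent" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed click-log lines in a simple "timestamp token ip user-agent" form; not real data.
LOG = """\
2014-03-03T09:12:01 tok-a1 10.0.0.11 Mozilla/5.0 (Windows NT 6.1) Chrome/33.0
2014-03-03T09:14:40 tok-a1 66.220.0.5 facebookexternalhit/1.1
2014-03-03T09:15:12 tok-a1 198.51.100.7 Mozilla/5.0 (iPhone) [FBAN/FBIOS;FBAV/7.0]
2014-03-03T09:20:55 tok-b2 10.0.0.23 Mozilla/5.0 (Macintosh) Safari/537
"""

# Substrings that identify social-network clients. "facebookuseragent" is the value
# reported in the post; the other two are assumed markers for this example.
SOCIAL_UA_MARKERS = ("facebookuseragent", "facebookexternalhit", "fban/")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_clicks(text):
    """Turn raw log text into a list of click records; malformed lines are skipped."""
    clicks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, token, ip, ua = m.groups()
            clicks.append({"ts": ts, "token": token, "ip": ip, "ua": ua})
    return clicks


def find_shared_links(clicks):
    """Return {token: [reasons]} for tokens whose link was apparently passed around.

    Each token is issued to exactly one recipient, so clicks from several addresses,
    or from a social-network client, indicate the link left that recipient's inbox.
    """
    by_token = defaultdict(list)
    for c in clicks:
        by_token[c["token"]].append(c)

    flagged = {}
    for token, rows in by_token.items():
        reasons = []
        ips = {r["ip"] for r in rows}
        if len(ips) > 1:
            reasons.append(f"clicked from {len(ips)} distinct addresses")
        social = [r for r in rows
                  if any(marker in r["ua"].lower() for marker in SOCIAL_UA_MARKERS)]
        if social:
            reasons.append(f"{len(social)} click(s) from a social-network user agent")
        if reasons:
            flagged[token] = reasons
    return flagged


if __name__ == "__main__":
    for token, reasons in find_shared_links(parse_clicks(LOG)).items():
        print(token, "->", "; ".join(reasons))
```

Tokens that come back flagged identify the recipients who need the remediation training the post describes, rather than every recipient who merely clicked.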
Beyond inappropriate sharing, we've also witnessed incidents where users share locations via photo-sharing apps on public profiles, disclosing sensitive company information when meeting at a location that was meant to stay secret. If this sounds like it could be a concern to your organization, we highly recommend at least investigating training for users who regularly work outside the office.
A Look at HTTPS
As we discuss in our Security Beyond the Office module, HTTPS websites are generally safe to visit. Legitimate websites (like Gmail) use HTTPS to encrypt the entire session, ensuring a high level of security for the information sent while logged in to their service. But HTTPS on the initial login doesn't ensure that all information you transfer while on a site is secured. For instance, Facebook used to serve its login page over HTTPS but would then redirect you to an unencrypted session.
They've since changed this, and Facebook now encrypts all sessions, but other web services don't always have the engineering capacity to ensure this level of security. End users who decide to temporarily forgo the company VPN need to be trained to always check for HTTPS, even after they've logged in.
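The "HTTPS on login, then plain HTTP" pattern described above can be checked mechanically once you have the responses from a login flow. The following is an added example, not code from the original post: it audits a captured flow, represented as (request URL, status, response headers) tuples, for downgrade redirects, plain-HTTP requests, session cookies without the Secure flag, and a missing Strict-Transport-Security header. Both flows, the hostname social.example and the cookie values are constructed for the example; the old-style flow mirrors the behaviour the post attributes to Facebook's former login.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample flows: (request URL, response status, response headers).
# Header names are lowercased; set-cookie is a list because it may repeat.
OLD_STYLE_FLOW = [
    ("https://social.example/login", 302,
     {"location": "http://social.example/home",
      "set-cookie": ["sid=abc123; Path=/; HttpOnly"]}),
    ("http://social.example/home", 200, {}),
]

HARDENED_FLOW = [
    ("https://social.example/login", 302,
     {"location": "https://social.example/home",
      "set-cookie": ["sid=abc123; Path=/; HttpOnly; Secure"],
      "strict-transport-security": "max-age=31536000"}),
    ("https://social.example/home", 200,
     {"strict-transport-security": "max-age=31536000"}),
]


def audit_session(flow):
    """Return a list of findings describing where the session leaves HTTPS."""
    findings = []
    for url, status, headers in flow:
        # Every request in a logged-in session should itself be HTTPS.
        if urlsplit(url).scheme != "https":
            findings.append(f"request over plain HTTP: {url}")

        # A redirect from an HTTPS page to an http:// URL is the classic downgrade.
        loc = headers.get("location")
        if loc and urlsplit(loc).scheme == "http":
            findings.append(f"{url} redirects to plain HTTP: {loc}")

        # Session cookies without Secure are sent on any later plain-HTTP request.
        for raw in headers.get("set-cookie", []):
            cookie = SimpleCookie()
            cookie.load(raw)
            for name, morsel in cookie.items():
                if not morsel["secure"]:
                    findings.append(f"cookie {name!r} set by {url} lacks the Secure flag")

    # HSTS tells the browser to refuse plain HTTP for the site in future visits.
    if not any("strict-transport-security" in h for _, _, h in flow):
        findings.append("no Strict-Transport-Security header seen in the flow")
    return findings


if __name__ == "__main__":
    for label, flow in (("old style", OLD_STYLE_FLOW), ("hardened", HARDENED_FLOW)):
        print(label, "->", audit_session(flow) or "no findings")
```

The same checks apply to a web service you run yourself: a clean result on the hardened flow is what "encrypts all sessions" looks like in the response headers.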
Will the Real Network Please Stand Up
One of the primary issues with public WiFi is knowing whether the network you see is the real one. For instance, if you're visiting Mike's Coffee Shop and you see two WiFi networks, one named Mike's Coffee Shop Wifi and the other Mike's Coffee Wifi, it's unclear which one is legitimate. We always urge end users to ask an employee to confirm the name of a WiFi network before connecting.
This tactic is especially dangerous, as a cyber criminal who controls the network has essentially limitless options. They could present fake SSL certificates, forward your data in plain text to a remote server, or serve normally secure websites over HTTP, which your browser might detect (but might not).
Ensure your users know to double-check with an employee about the validity and name of a WiFi network, so your data isn't vulnerable to a worst-case scenario. This post details exactly what cyber criminals can do when they're in control of the wireless network.
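Asking an employee for the exact network name is the right advice; the check can also be scripted for managed laptops. The following is an added example, not from the original post: given a list of scan results and the name the employee confirmed, it flags networks whose name is a near-duplicate (differing only in punctuation, spacing, case, or a dropped word) so the user is warned before joining. The scan results, BSSIDs and the 0.8 similarity threshold are constructed assumptions; a real deployment would feed in the output of the operating system's own scanner.

```python
import difflib
import re

# Constructed scan results as (SSID, BSSID, security); not a real capture.
SCAN = [
    ("Mike's Coffee Shop Wifi", "aa:bb:cc:00:00:01", "WPA2"),
    ("Mike's Coffee Wifi",      "de:ad:be:ef:00:02", "OPEN"),
    ("Mikes Coffee Shop WiFi",  "de:ad:be:ef:00:03", "OPEN"),
    ("CityLibrary",             "11:22:33:44:55:66", "WPA2"),
]


def normalize(ssid):
    """Collapse case, spacing and punctuation so cosmetic variants compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def lookalikes(scan, expected, threshold=0.8):
    """Return (ssid, bssid, security, similarity) for every network whose name
    resembles the confirmed name without being exactly that name.

    Exact matches are left alone: several access points legitimately share one
    SSID. A similarity of 1.0 means the names differ only cosmetically, which is
    the hardest case for a person to spot.
    """
    target = normalize(expected)
    hits = []
    for ssid, bssid, security in scan:
        if ssid == expected:
            continue
        ratio = difflib.SequenceMatcher(None, normalize(ssid), target).ratio()
        if ratio >= threshold:
            hits.append((ssid, bssid, security, round(ratio, 2)))
    return hits


if __name__ == "__main__":
    confirmed = "Mike's Coffee Shop Wifi"
    for ssid, bssid, security, ratio in lookalikes(SCAN, confirmed):
        print(f"WARNING: {ssid!r} ({bssid}, {security}) looks like {confirmed!r}: {ratio}")
```

Flagging rather than blocking keeps the decision with the user, which matches the post's point that the real control here is the employee confirming the name.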
Nurturing End-User Behavior
Physical security and cyber security are becoming joined at the hip due to the prevalence of mobile devices. Laptops, tablets, and smartphones have become standard issue for many enterprise companies. How do you protect thousands of end users from leaking sensitive information in external environments?
Fortunately there are best practices -- but they don't provide 100% coverage. There are situations where the opportunity for physical (or cyber) theft is all too real. Additionally, even when following best physical security practices, a VPN doesn't provide a complete safety net. Here are just a few of the situations we've encountered with clients before training:
- Salespeople on the road left their laptops exposed in their car, resulting in a theft that wasn't noticed until 12 hours later.
- A cyber criminal gained control of company accounts after a social engineer looked over an end user's shoulder in a coffee shop and wrote down their password.