Data Leaks in Working From Home

In my college alumni group, a friend asked about protecting end points of his working-from-home employees. Since this is a common issue in these troubled times, I jumped up and offered him some free advice – “Why don’t you use Amazon Workspaces or other such VDI?”, “I can help you deploy any stack that you choose on demand, with no touch, and ensure compliance, you save angst.” Etc. Etc.

Turns out, the advice was entirely misplaced. I had not understood his problem at all.

He runs a BPO employing about 45,000 people across the globe. His company has a fairly sophisticated setup that protected the data travelling on his network from the server right up to the end point. And he was fairly confident and comfortable that there are no breaches in that chain and if there were, his team would catch it.

His description of his problem: “I am more concerned about adding layers of security on who can see a computer screen after an authenticated user has logged in.”

Consider: All his assumptions while designing his cyber security architecture and implementation just went out the window overnight. Most of his methods for preventing data leaks on insiders will not work. (Remember, these are users who are authenticated and authorized on the network, with appropriate privileges)

Let us take a step back and look at the implications of his problem …

-     He cannot prevent the employees copying the information off the screen. They are at their home with access to undetectable 8k recording of their screens if they so choose.

-     Even if the employee herself is trustworthy, there is no way that he can be sure that it is indeed the authenticated employee that is operating the end point.

-     Let us say that nobody in the household is dishonest. Household networks are notoriously easy to breach. (To be honest, this is a problem that has received a lot of press and solutions from cyber security experts.)

-     He cannot mask or obfuscate PII (Personally Identifiable Information) or other sensitive data – after all his employees were in a BPO and need to see the data to provide their service. (This was an approach that was used when support and test engineers were stealing credit card information from bug reports.)

-     His DLP would not work – they are authorized users (and destinations) for the data.

-     His behavioural analyses systems for detecting malicious or negligent insiders will not be effective as everyone’s baseline behaviour has changed with the pandemic. Anyway, the employee’s behaviour does not really change.

-     (I am sure you get the point!)

He was, well and truly, “tightened” (this is a family-oriented blog!).

In this scenario, I think that a prudent cyber security framework should assume that the breach will occur (What do you expect? There are 45,000 employees with 45,000+ devices and 45,000 home networks!) and focus on detecting the breach when it occurs and take steps to minimize the impact of the breach.

I suggested a few quick-to-implement solutions below:

-     Invest in proximity sensors to automatically lock the workstations when the user steps away from the screen.

-     Expire session tokens more frequently; essentially for every transaction

-     Tier employees in terms of trustworthiness and route sensitive data appropriately. (This will require a few changes to application code and routing code.)

-     Train & retrain employees on security and ethics

o  Soft approach

Research shows that people who are reminded of their ethical responsibility are less likely to cheat (See Dan Ariely). So perhaps show a short, crisp visual reminder on the confidential nature of the task and hope that kindles enough of their ethical senses to prevent malicious leakage.

It is impossible to assess the extent of efficacy of this approach.

-     Poison a certain percentage of the transactions with spurious & traceable data and track it for appearance in the dark web. (Dibbs on the name “Ice Cream Truck Trap” for this reverse honeypot!)

I am not satisfied that these solutions will address the problem comprehensively. Or even at all. At best they might reduce the frequency of breaches. I am not sure about limiting the severity when the inevitable breach does occur.

And I am convinced that they do absolutely nothing to address or detect leakage occurring through malicious intent.

I am ashamed to say, I had not thought of this grave implication of working from home in this current COVID-19-induced regimen.

Neither have, I suspect, most other cyber security mavens. 

(I would love to hear your solutions to this  problem. Or, if this is a problem already solved and I am just an ignoramus, I would love to hear that too. Thanks.)