Remote Work Isn’t Going Away: An Interview on How We Keep It Secure.
Does remote working really just mean working in the cloud? Increasingly, yes!
Recently, I had the opportunity to contribute to an article by Kate O'Flaherty on the topic of mobile security and the challenges companies face in managing devices in a remote first world. She asked me several thoughtful questions about the risks I see at Be Co, how we approach mobile device management (MDM), and the cultural challenges around building security into everyday business practices. Only a portion of my answers made it into her final piece, but I wanted to share the full conversation here for anyone interested in a deeper dive. You can read her published article here.
The threat surface: What mobile security risks are you grappling with and how have these changed over the last couple of years?
Just a little context about Be Co: We are a remote forward company. We specialize in clients with work from home employees. While many companies are back to office, many (not all) of our clients are embracing the freedom that remote work, and thus remote devices, brings them. But remote work comes with security and logistical challenges that many MSPs (Managed Service Providers) aren’t equipped to handle.
We’re all for a reduced commute time. That said, we also encourage showers.
Be Co has focused on endpoint security (a device such as a laptop or desktop computer) from day one. It’s always been a value of ours. We’ve seen very few infections on our physical devices because of multiple factors: automatically deployed firewalls and device encryption, properly managed software updates, well configured EDR (Endpoint Detection and Response), DNS (network) filtering, enterprise managed browsers with enforced extension policies, hardened Intune or Mac MDM policies, ZTNA (zero trust network access / modern VPN), etc. I think it’s a lot harder to infect a properly managed endpoint (and we generally only work with managed endpoints) than it used to be, remote or on premises, when you’re following best practices.
What I’ve really seen at Be Co is a rise in simple cyberattacks such as social engineering and AitM (Adversary in the Middle) attacks. This is where an attacker will attempt to steal the credentials for your online accounts, such as email, or cloud data storage. The problem with these methods is they’re dead simple and highly effective for threat actors. The real threat isn’t the device anymore, it’s your cloud accounts. Today, almost no company data lives on an endpoint. Instead, attackers go after Microsoft 365, Google Workspace, and other cloud accounts. That’s where all of your company’s data lives.
How we’ve grappled with it: When I first started seeing the rise in AitM attacks, many of my clients were already using FIDO2 security keys to secure their password managers, and their email accounts, but we started not only recommending them, but enforcing them as much as possible. I think passwords are perhaps one of the biggest threats, not only to remote workers but to cybersecurity in general. Of course, it’s the game of cat and mouse. As soon as everyone is using FIDO2 compliant authentication, what will attackers do to defeat that?
What have you been doing to evolve mobile security and MDM, including best practice and frameworks, novel frameworks?
To preface this answer, Be Co only deals with small companies, which will bias my answer accordingly (because in larger enterprise environments, Windows on-premises Active Directory (AD) is critical): In a remote first environment, legacy technology such as Microsoft’s AD really has no place. Mobile devices need to have tightly configured cloud management such as Microsoft’s Intune, or some form of Apple MDM (like Addigy or Jamf Pro). There’s a tremendous amount of functionality that you can leverage with these management tools, and they are abundantly documented. When I take over a new client, that client might have been paying for Microsoft Premium, but the previous IT provider had no idea why, other than perhaps the margins.
In reality, Microsoft Premium includes Intune, Entra ID, Microsoft Defender for Endpoint, and Conditional Access. These tools can provide a solid foundation for a remote first business, or even just remote workers.
Both Addigy and Jamf Pro come with the ability to quickly deploy CIS benchmark (industry best practice security) policies to instantly harden your endpoints. Then you can utilize compliance features that integrate with your company’s identity provider (IdP) to ensure your managed endpoint is fully compliant before the employee is even allowed to log in to company resources.
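The two controls described above, enforcing FIDO2 / phishing-resistant authentication for cloud sign-in (the answer on AitM attacks) and gating sign-in on a compliant managed endpoint, can both be expressed as Microsoft Graph objects. The script below is an added example, not Be Co’s tooling or Microsoft’s sample code; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest) against the v1.0 endpoint. The two group IDs and the policy names are placeholders, and the Conditional Access policy is created in report-only mode so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not from the original post): Intune Windows compliance policy plus a
# Conditional Access policy requiring a compliant device AND phishing-resistant MFA.
# Requires: Install-Module Microsoft.Graph.Authentication
# Placeholders (constructed; replace with real object IDs before use):
$BreakGlassGroupId   = '00000000-0000-0000-0000-00000000beef'  # emergency-access accounts to exclude
$ManagedWindowsGroup = '00000000-0000-0000-0000-00000000cafe'  # devices the compliance policy targets

$scopes = 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','DeviceManagementConfiguration.ReadWrite.All'
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. Compliance policy: the endpoint controls listed in the interview (disk encryption,
#    firewall, Defender real-time protection, password) become a compliant/not-compliant
#    signal that the identity provider can act on.
$compliance = @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Baseline - Windows managed endpoint'
    description              = 'BitLocker, Secure Boot, firewall, Defender RTP, password required'
    bitLockerEnabled         = $true
    secureBootEnabled        = $true
    codeIntegrityEnabled     = $true
    storageRequireEncryption = $true
    activeFirewallRequired   = $true
    defenderEnabled          = $true
    rtpEnabled               = $true
    antivirusRequired        = $true
    antiSpywareRequired      = $true
    passwordRequired         = $true
    # Non-compliant devices are marked non-compliant immediately (no grace period).
    scheduledActionsForRule  = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            actionType = 'block'; gracePeriodHours = 0
            notificationTemplateId = ''; notificationMessageCCList = @()
        })
    })
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $compliance
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $ManagedWindowsGroup } }) }

# 2. Look up the built-in "Phishing-resistant MFA" authentication strength (FIDO2 keys,
#    passkeys, Windows Hello for Business, certificate-based auth) by display name.
$strengths = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies'
$phishResistant = $strengths.value | Where-Object { $_.displayName -eq 'Phishing-resistant MFA' }
if (-not $phishResistant) { throw 'Built-in Phishing-resistant MFA authentication strength not found' }

# 3. Conditional Access: every user, every cloud app, Windows sign-ins must come from a
#    compliant device AND satisfy the phishing-resistant strength. A stolen password or a
#    session token captured by an AitM proxy does not meet either requirement.
$ca = @{
    displayName = 'CA - Require compliant device and phishing-resistant MFA'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after review
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @('All') }
        platforms    = @{ includePlatforms = @('windows') }
    }
    grantControls = @{
        operator               = 'AND'
        builtInControls        = @('compliantDevice')
        authenticationStrength = @{ id = $phishResistant.id }
    }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $ca
"Created Conditional Access policy $($created.id) in state $($created.state)"
```

The platform condition is limited to Windows because the compliance policy above is a Windows policy; Macs managed through Addigy or Jamf Pro report their compliance state to Entra ID through those products’ own integration, after which the same compliantDevice grant control applies to them. Excluding an emergency-access group is what keeps a misconfigured policy from locking every administrator out.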
We haven’t developed the ability to support interplanetary remote work yet, but we’re working on it. We’ve hired a CISO (Chief Information Space Officer) for this role.
What cultural and organizational challenges are you facing in this area (MDM and broader mobile security) and how are these being overcome?
I always say that a company’s security is only as strong as its security culture. Being the founder of an MSP, I get to look into the security of multiple different companies all at once. We have a swath of tools that we can throw at any security problem. There’s no end to the amount of security knowledge and SaaS cloud solutions that you can apply to any situation, but if there’s no buy in from the executive leadership, all of these solutions are completely useless. Working in a consulting capacity, if I say something, and it isn’t echoed internally, what I say means practically nothing. It is so critical that leadership gets on board to drive a security message home. It’s also my job to tell leaders that my recommendations are there to protect both your profit and your reputation. This isn’t just about cybersecurity.
Until a client has gone through a breach, they seldom grasp the impact, which is why security often falls low on their list of priorities. As someone who’s remediated multiple breaches, I’ve seen real and lasting PTSD from data and account compromises. We all do the best we can, and I try to help a client mitigate as much risk as practical.
What security threats are on your radar as a company and how do you plan to tackle these?
Misconfigurations. At Be Co, we’re always striving for best practice. In a best practice environment, you know you did your best, and there wasn’t much more you could do other than act swiftly to remediate a bad situation. That said, we are human, and we make mistakes. Overlooking a single checkbox in an admin console can easily make or break security. Sometimes we go back and look through a panel to find that something isn’t set correctly.
It's much easier to remediate these items during an audit of your environment than it is during a breach. Developing standards and practices, checklists, and reinforcing those items culturally go a long way in helping you and your team tackle security.
There are infinite factors. Control the one you have agency over: yourself.
Anything to add?
I saw that the premise of your (Kate O'Flaherty’s) article is about “considering banning personal devices.” Personal devices are a liability. If you’re serious about security, you can’t afford to let unmanaged laptops or phones touch company data. A managed device means encryption, firewall enforcement, managed and monitored antivirus, all of which make life easier for employees and safer for the business. How do you enforce encryption, or firewall policies on a personal device? You can also assume that the employee has admin access to the device and can unintentionally install a piece of malware, or malicious browser extension. With a fully managed company device, you can enforce sophisticated endpoint security that makes your employees’ lives simpler, allowing them to get more work done. I see no benefit, financial or otherwise, to allowing unmanaged personal devices to touch your company’s data.
When it comes to mobile phones, you can actually independently manage work apps, such as Microsoft Outlook, on a personal phone. Microsoft has something called “App Protection Policies” that enable you to manage on device data, independently encrypt that data, prevent it from being backed up to the employee’s personal backup, and require the use of a PIN or biometrics for access. You can then limit the kind of access an employee has on a mobile phone. For example, you can set Conditional Access policies that only allow an employee to access Outlook and Zoom (through SSO) on an iOS or Android device, but not OneDrive or Excel. You can even disable the clipboard from copying data from a managed app to a non-managed app.
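The App Protection Policy settings described above (encrypted app data, no personal backup, PIN or biometric, clipboard and Save As restricted to managed apps) map directly onto an Intune iosManagedAppProtection object, and the Conditional Access side is the “Require app protection policy” grant control. The script below is an added example, not Be Co’s tooling or Microsoft’s sample code; it uses the Microsoft Graph PowerShell SDK against the v1.0 endpoint. Group IDs and policy names are placeholders, it targets only Outlook (the Zoom-via-SSO allow list from the answer is left out), and the Conditional Access policy is created in report-only mode.

```powershell
# Added example (not from the original post): Intune App Protection Policy for Outlook on
# personal iOS devices, plus a Conditional Access policy that makes that policy mandatory.
# Requires: Install-Module Microsoft.Graph.Authentication
# Placeholders (constructed; replace before use):
$BreakGlassGroupId = '00000000-0000-0000-0000-00000000beef'  # emergency-access accounts to exclude
$MobileUsersGroup  = '00000000-0000-0000-0000-00000000f00d'  # users who may use Outlook on a personal phone

$scopes = 'DeviceManagementApps.ReadWrite.All','Policy.ReadWrite.ConditionalAccess'
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. App Protection Policy (app-level management, no device enrollment): require a PIN or
#    biometric, block backup to the personal iCloud backup, and keep data inside managed
#    apps (Save As, Open In, printing, and the clipboard are restricted).
$app = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'APP - iOS Outlook on personal devices'
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5       # too many wrong PINs wipes the work data only
    fingerprintBlocked                      = $false  # Touch ID / Face ID may replace the PIN
    faceIdBlocked                           = $false
    dataBackupBlocked                       = $true
    saveAsBlocked                           = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'  # paste into, never out of, managed apps
    managedBrowserToOpenLinksRequired       = $true
    organizationalCredentialsRequired       = $true
    periodOnlineBeforeAccessCheck           = 'PT30M'
    periodOfflineBeforeAccessCheck          = 'PT12H'
    periodOfflineBeforeWipeIsEnforced       = 'P90D'  # device offline too long -> selective wipe of work data
}
$base   = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'
$policy = Invoke-MgGraphRequest -Method POST -Uri $base -Body $app

# Target the policy at Outlook for iOS (bundle ID com.microsoft.Office.Outlook) and assign it.
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/targetApps" -Body @{
    apps = @(@{ mobileAppIdentifier = @{
        '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
        bundleId      = 'com.microsoft.Office.Outlook' } })
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" -Body @{
    assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $MobileUsersGroup } })
}

# 2. Conditional Access: on iOS and Android, Office 365 may only be reached from a client
#    that is under an App Protection Policy. A third-party mail app that is not covered by
#    the policy is refused, so the restrictions above cannot be sidestepped.
$ca = @{
    displayName = 'CA - Mobile: require app protection policy for Office 365'
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs, then set 'enabled'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('iOS','android') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantApplication') }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $ca
"Created Conditional Access policy $($created.id) in state $($created.state)"
```

Android gets the same treatment through the androidManagedAppProtections collection with an androidMobileAppIdentifier (package name) instead of a bundle ID; the Conditional Access policy already covers both platforms. Because the protection is applied per app, a selective wipe removes only the encrypted work container and leaves the employee’s personal photos and messages untouched, which is what makes this acceptable on a personally owned phone.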
Effectively leveraging Identity is a massive part of managing a remote workforce, and it enables you to control who has access to what, and on which platforms.
That said, I’ve seen large and old enterprises with remote endpoints that aren’t really leveraging SSO, ZTNA, and other modern security technology for employees on the go. Instead, they’re stuck using SSL VPNs that regularly see vulnerabilities with CVE scores of 9.8 out of 10 severity, and simple “8 character minimum passwords that must be rotated every 90 days,” which is something NIST (National Institute of Standards and Technology) no longer recommends.