A Whole New World: Tackling Security Threats When Everyone Goes Remote

David Levine

Vice President Corporate and Information Security, CSO CISM at RICOH USA, Inc.

Learning Objectives

If we’ve learned anything in the past year, it’s that the term “insider threat” brings on new meaning when employees go remote. And even though the vast majority of these threats are unintentional, and a result of lack of due diligence versus malice, they are threats none the less and must be addressed. How do we address, educate and plan to expect the unexpected in our employees’ home workplace environments? In this session I’ll answer this fundamental question.


Key Takeaways:



  • Considerations for all connected at home devices, from desktop printers to listening devices like Alexa and how to protect against related threats

  • Educating employees on the differences between at home and corporate networks and what they need to do, on a regular basis, to ensure connections are secure

  • Tips for ensuring employees are accountable and following security protocols. I’ll also share tips from rolling out remote work for Ricoh USA, Inc. employees along with considerations for managing hybrid and agile workplaces where some employees remain remote and others are in the office


"It's human nature when working at home you want to make things easy and uncomplicated. And unfortunately that frequently doesn't bode well for security, depending on what controls you may or may not have. "

David Levine

Vice President Corporate and Information Security, CSO CISM at RICOH USA, Inc.

Transcript

Hello, I’m David Levine, Vice President and Chief security officer for Ricoh USA. Welcome to my presentation, a whole new world tackling security threats when everybody goes remote. But before we jump into today’s presentation, how about a little bit about myself. So I’ve been with Ricoh USA now for a little over 26 years. My story is really one of a bottom up story. I actually started with a company as a bench tech in my first job was fixing printers. And it’s been a long but great journey along the way, been through some acquisitions, and really focused most of my career on it. And specifically, for the last nine years, cyber security did some Six Sigma along the way as well, which was a huge benefit to my career, in something that pays dividends today made a lot of great relationships in the business that still come in handy today. And again, focused on cybersecurity about seven years ago, used to be a blended function inside of infrastructure was running all of infrastructure, and end user services at the time, really enjoyed that aspect of the job. And really was about that time when it was becoming pretty clear that we needed to stay in security up and needed to be its own department. And it’s been a fun journey ever since then. so privileged to be here with you today to talk about this great subject. What what inside of this, we’ve got a little bit of time today, so we’re not going to hit everything. And you’ll probably hear me say this a couple of times along the way, I’m not here to tell you, I’ve got everything figured out, rather share my experiences, some of the lessons learned along the way and best practices, and hopefully, hopefully everyone will get something good out of this presentation. Okay, so before we get into the main body of the presentation, just a little bit about Rico, many of folks are well aware of us. And you know, we traditionally think of us as the copier company, the multifunction device company. Well, that’s true, but we do a whole lot more and always have. So we’re really an Information Management digital services company. Around the world, we serve 1.4 million businesses, including 84% of the Fortune 500. And we bring people processes and technology together to solve data challenges. Our mission is to harness the power of information and unlock the potential in every business. Well, let’s talk about rapid shift. So again, I said I use the word unprecedented. And I know we’ve used it a lot. But that’s exactly what it was. I mean, we’ve never experienced something like this. And along with it came a lot of changes that we didn’t bank on. So almost overnight, or literally in some cases, and if not within a few days, we send our workforces home to work remotely. Now, depending on your situation, that may have been a big impact, or it may have been a smaller impact. But nonetheless, it had an impact. And we certainly are talking a lot about this and have ever since it happened and for really good reason. One opportunity to share our experiences and learn from each other and what did it mean, and how did you deal with it? I know that was hugely helpful to me along all along the way. And I think our early conversations really focused on Well, what did you do? How did you get the technology out there sort of initially, you know, what was that impact?


And that makes sense, right? But I certainly have seen a shift more recently, towards the type of discussion that we’re going to have here. And that’s really about, okay, everyone’s been at home now for a while. For the most part, we’ve got an eye to the future as well. But what does it mean and what challenges are there? And so those conversations really have largely turned to be more around the insider threat. And again, we’re going to look at the unintended insider threat. In other words, what are those things that are existing in the home environment? that weren’t a challenge? Before we didn’t focus on it? And granted, a lot of us had people working remote before this just not to the extent and and what should we be thinking about? So let’s take a look at that. Alright, so on this slide, you’ve got a handful of things here. Now, this doesn’t cover everything that can possibly fall and under working at home, but let’s try and hit on some of the major things. Now. Rico, we do a lot. We do a lot traditionally with print. So let’s start there. Where did my print go? Well, we got to think about this. So you know, typically in the office, you know, especially these days, you know, security is been a growing important factor in looking at how people print and you functions like locked printing, ensuring only you can retrieve your print and stuff isn’t sitting on the print tray and all these great control tools and options that you can implement today. But guess what, for the most part, that doesn’t apply at home, you don’t I know I don’t, I don’t have a multi $1,000 MFD sitting here configured with all those same kinds of things. I’m using no more of a personal class device, which which is not uncommon. Now I’m sure some of you are providing printers and but many are in so you really have to think about it. In the context of again, you can hear the SEMA theme a lot. Your home office’s not your corporate network. In fact, it’s a whole nother topic here. But again, your printed job? Well, if you’re working at home in your if you know your families at home, if you have kids, you know that introduces a whole nother factor in where’s that print going? Well, one, did you even send your print job to the right place? I don’t know about you. But I know I still have the option of sending a print job to my company. Well, that’s not going to help now. No, I’m not there. They’re very few people there. So what’s going to happen with that print job? Now my case? You’d have to I’d have to personally unlock it. Because we have tight controls on it. But that may not be the case everywhere. So one or even printing to the right place. And let’s say you do, what if your printer is in another room, your family’s at home, they print something, do they mistakenly pick up the print job of confidential information? Does your significant other take it with them? Again, inadvertently? No, do you have other people in the house and we pick up that job? So again, things to think about that we didn’t necessarily think about so much before. It would be one thing. Here’s another great one. And I know I didn’t think about it initially, either. It was something that was mentioned to me and caught my attention. And that is, you know, devices, personal assistant devices like Alexa and Siri. I mean, they’re great devices, no doubt about it. But what do they do, they sit there and they listen all day long. That reading and recording, by the way, a lot of things. So don’t really think we want those devices in your shot when we’re working at home and having conversations but I can tell you based on the reactions I get when I just mentioned that even if in casual conversation, most people aren’t really thinking about that. And it can be it can actually be problematic. Now I personal story here. During this pandemic time, I had a relative that had to undergo surgery and, and I went out and, you know, help that individual for for about a week, their house was filled to the max with personal assistance, so much. So, you know, I was was definitely concerned, particularly given my role and the things I talked about. And so I had to figure out how to make that work. So it can definitely be a problem. And there was a device in in at least every room if not more than one. And so again, think things to think about that we might not get home office, you know, definitely wouldn’t have won in your home office without a doubt. So, right along with all of this, and this, this really underscores the whole talk here is is work home separation, you know, managing hybrid natural workspaces. So it’s really easy. And it’s human nature, working at home all the time, you want to make things easy


and uncomplicated. And, and unfortunately, that frequently doesn’t bode well for security, depending on what controls you may or may not have. Right. So, you know, using a single device, either using a single device for working at home or doing more home related stuff on your work device is not a good thing. Again, I get it, people do it, people would even know better do it. I can tell you, unfortunately, I’ve seen some results of end results of doing that, that didn’t work out very well for for the people involved and you got to keep that barrier up. You’ve got to, you know, ensure that that you’re not blending those lines and, or if you are to an extent you’re doing it within the confines of what your company allows, but it’s always best to keep those things completely separate. It’s also easy to do things like Well, hey, you know, you know, I can get some work done off my home tablet, you know, sitting on the couch or what have you. And again, you’re not saying these things didn’t ever exist before they did but it’s so magnified today with everyone being at home, and not only that Really what we’re talking about is the body of people that are now working at home and having for, gosh, almost a year now than never did before. I think those of us who always work part time remote, you know, it’s different. We, we, we understand, you know what we’re supposed to be doing. And we’re used to that and working those environments, but not everybody is. And so it brings with it, you know, a lot, a lot of challenges, you know, not letting other people in the house user device again, it gets really easy. Hey, can I jump Dad? Can I jump on your computer? Mom, can I borrow your computer for a minute? Or, Hey, I just got to look something up. I think we’ve seen plenty of real world examples where that happens today. And it’s in its some of its human nature. Look, you know, I’ve always maintained and I’ve always said, you know, some of the toughest pieces of our jobs are our people. Why? Because, you know, people are unpredictable. Honestly, think about fishing, right? I mean, you can get a well reasoned, educated, well educated person on fishing, that will not click on something 990 times nine times out of 1000. Guess what? You catch them on the wrong day at the wrong time in the middle of doing 20 different things with the correctly crafted email and what happens, they click on it. Now hopefully, you’ve got other controls in place. So it mitigates what happens. But that’s my point. You know, people were tough. personalities and things going on in daily lives impact all of this stuff, particularly again, in this in this environment, where you’ve got people working at home, and homeschooling and people are multitasking, and they’re not working normal hours, all of this stuff can be conducive to being, you know, unfortunately, an unintentional insider threat by doing something mistakenly or just not realizing what you’re doing. Alright, so the next big thing, this is probably one of the biggest things. And again, this isn’t a surprise, actually, a lot of this isn’t a surprise, but we got to think about your Corp, your bar, I should say, your home network is not your corporate network. Now, sure, if you’re tunneling everyone through VP in 100%, and you’ve got really tightened lockdown devices back to the corporate network, maybe this isn’t as much of a concern. But let’s face it, that’s not everybody’s situation, it really is, particularly with so many things being available on the web. Now, there are things out there that that you may have in place, either by design or somewhat unintentionally, that you can get to without being on VPN. Now, interesting situation in this environment, because not being on a VPN may mean better performance. But less controls. So for the vast majority of everybody, you know, your employees don’t have, you know, enterprise grade firewalls, and and, you know, IDs is an IPS is and, you know, we all know, we could list 100, you know, different types of technology in place, you know? And even what they do have you have to question, right, so they bought a router, you know, from their local electronics store ordered wine, it may be actually a great device with great, you know, built in features. But did they configure it? Do they even know how to configure it? In a lot of cases? answer’s no. They change the admin password, maybe? Probably not. You know,


are they advertising the network? Do they even know not to advertise the network. So there are so many things about that home network, that just isn’t the same. That really introduces additional risk and may make it easy for somebody to hack into your home environment. Now, again, depending on what other controls you have in place, may or may not be a big concern. My point here today is just to get you to think about it right. not implying it’s a problem for everybody in every situation. But these are things that come to mind. I know in our case, and we’ll talk about it a little more later. Now we need to look more at that VPN web availability and what can I get to, on and off the network. Some of it’s by design for sure, but but we got to talk, but we got to look at that. Yeah, the other thing, too, and I, and I’ve heard people say this Well, alright, I need to get out of the house and go into Starbucks. Okay, we all know the issues with connecting to Starbucks Wi Fi. But guess what, you know, depending on on, you know, your pandemic requirements, you know, that’s a real thing to think about, too, when, again, a lot of the people and I’m going to repeat here, a lot of people that have been working remotely before have a laptop or on the road, they know this stuff, or at least they most certainly shut it again. But we’re talking about a huge body of people that may have never really worked at home and they’ve never really thought about this stuff. So all all things to think about. So let’s move into the next piece come combating the threat. So what do we do? Well, great question. And there’s all kinds of things as there is normally but You know, the first item on here educate, reinforce Well, just like fishing and other things. There’s certainly some controls, and we can talk, we’ll talk about tools, this is really divided into two pieces as well. But education is key, first of all, telling people the kinds of things we’re talking about right here, and you’re getting the Think about it, right? give them tips for working at home, you know, what should they think about? What should they do? What do they do if they don’t know? policy reminders? That’s another one. I don’t know why, but some people just tend to think that well, you know, policies for the office, I’m not in office. Well, farther from the truth. I know, it’s, again, it seems like common sense. But I’m only saying this based on experience you get so it never hurts to remind people of the policies that are pertinent and relevant to the things they’re doing at home. Tell them why things are different. And this is the whole conversation we’re having, why? Why is it different? You know, what, why does it matter, stay on top airport, or even increase your awareness and training for your awareness training. Now, in our case, you know, a while ago, we moved to a security awareness training platform that was quarterly, instead of yearly, that also was premised on, you know, 1010 minutes, roughly 10 minutes segments. And because of that, you know, we’ll assign three at a time, they’re actually animated based on real events, they kind of pull you in there entertaining. And, you know, actually, we’ve had tremendous success with that, when we, we actually went from having people do the usual complaining about their their security training, to actually looking forward to it, which in and of itself, is a huge victory. But my point here, really, is that we were able to tailor some of that content to actually had some specific content around the pandemic and working from home. And so we were able to quickly, you know, just just mix that up and get it out to folks. And again, it’s about that reinforcement. You know, and again, I’m not here to tell you, we’ve got it nailed down. There are things here we can improve on for sure. But you know, that’s a key piece. If you go silent for too long, people just forget. And that’s not, that’s not a good thing. All right, tools, can’t ignore that, right. So hopefully, hopefully, it’s a good combination of educating people making sure they’re thinking about it. They’re aware of what they should be doing and not doing. But you know, there’s the whole technical piece of it too. So you want to make sure you have what you need to monitor the environment, and secure the environment. There’s lots of things that go into this, most of it’s table stakes stuff or base level stuff. But but at the same time, you got to think about it in the context of people working at home. There are certainly some great insider threat solutions or insider threat components to other solutions we happen to utilize. One that I wouldn’t say is a fully built out insider threat solution, but it does monitor for things that that would fall in that category. And again, you know, people aren’t sitting in an office with 1020 100 200 other people there at home. And so you’re just general visibility is substantially different. You’ll also, you know, depending on your environment, you don’t have, you know, video cameras up, you know, either, so something to be concerned of there too. But there are some really great solutions, we actually looked at a really


comprehensive solution, we have made a decision on yet. You know, when you’re when you’re the size of Rico, obviously things like that carry a hefty price tag, but it really adds some great insider threat stuff, which would be substantial in the working at home environment. You know, looking at what kind of rights do you have? I mean, again, it’s one thing, you know, elevated rights may make a little more sense in certain environments, but not in all. And so I’m going you know, going in and looking at and you know, your, your structure and around what kind of rights people have, and is that appropriate for working out is certainly a big thing. And there are plenty of tools out there to help with that visibility. That’s one thing, and we’ll talk about it here in a minute that I think from our standpoint we felt really good about is, you know, we had some great tools in place. And we’ll talk about that but but really having that visibility. So even if they’re remote, if something’s going on there, you have a really good chance of detecting and reacting to that. And really at the end of the day, and we’re back to kind of the shadow IT thing, which I think takes on a whole new meaning in the work at home environment, but make sure your employees have what they need. Right shadow it is a thing, because at the end of the day, what is it about it’s usually because your employees have decided right or wrong, that they need something you’re not providing now Yeah, when you look at cloud environments, that’s, you know, you know, it’s really easy to spin things up and down in the cloud. But you know, you know, think about, you know, all the technology people can use and leverage at home to make their life easier. Well, that’s not what we want. If they need those things, you want to be providing it, controlling it from a corporate perspective. So making sure your employees have what they need really, really is an important factor here, too. So last slide that we’re going to talk about today is a really look at it, Rico, and what did we do? What worked? What lessons did we learn? And what are we going to do going forward? Now touched on a lot of these things already, but we’ll dive in a little bit more here. So what went well? Well, the good news is we had a whole lot of people that were already working remote, if not full time, part time. So what did that mean? That meant they were used to doing it, they understood the rules of the road, not that they shouldn’t be reminded, we already talked about that, but they understood what they needed to do. And more importantly, you know, we had we had the tools in place. So we’d actually recently just, you know, rolled out across the entire user base, some advanced endpoint monitoring and control type tools, which really helped. So that was good. We had licensing that we needed. So there wasn’t any mad dash to purchase licensing, or hardware either. This year, we did make some capacity changes. But there were pretty minor. Again, good tools in place, not saying we had every tool we needed. I wouldn’t I wouldn’t say that. But we had good tools in place. So that again, we felt kind of comfortable going out there had some equipment and reserves which we needed. Yes, you could argue that having a bunch of equipment reserves isn’t a great thing. In this particular case, thank goodness. And we’ll talk about why in a minute for I’ll save the lessons learned box there. And again, I talked about our awareness training, we’d switch to a new platform, it was agile, it’s flexible, it really enabled us to shift some changes with the training, along with the shift to working at home. So that was all the good stuff. But what did we learn? Well, one BCP gap and that ties right into the equipment thing, what and what do I mean? Well, like most of you probably are BCP was really predicated for key environments, like,


we


use call centers, for example, it’s a good one. Well, if call center a is not available, and for whatever reason, technology weather event, you name it, you roll all the calls to another call center. All right, that’s been a pretty typical typical BCP type plan for years. Well, guess what it didn’t contemplate, everybody goes home. So that was a challenge. And it was a challenge for a couple of reasons. One, most of the call center employees use desktops. Well,


we really didn’t


want people taking desktops home, we had to make a few exceptions. So there was a mad scramble to use that equipment. I just talked about reserves that were thankfully, laptops configured and out to those users. So they could do that. So big lesson learned there. Alright, another lesson learned, we have certain customer facing enzyme environments that are you that we’re building used to be very, very secure. They were explicitly intended not to have remote access, accepting in very rare cases, or guess what same thing people are working at home. So we had to make some exceptions and technology changes to to allow that to happen in a manner that protects us and our customers. But we have to contemplate that going forward. Cloud access, I touched on this a few times a few times already, you know, you can get to a lot of things in the cloud without going through the corporate network, either intentionally or unintentionally. So just making sure you’ve got the right control rules in place, and that that’s what you intended, was also something lab space. And what do I mean by lab space? Well, no, from from the perspective of a security team, you know, there are times as we all know, that you actually have to get hands on a piece of equipment that needs to be sent to you. But like, it’s a little problematic when you’re not in the office. So we had to really think about how we wanted to do that now. You know, basically, we worked around that by, you know, only allowing certain people in office at certain times and working within the pandemic restrictions. But But again, that was not something we contemplated. And that point is probably a little more important if we, when we start to contemplate what are we doing going forward? I mean, if this is gonna be the new norm, or even if we decide we don’t need regular office space, those are things you got to think about, particularly from an IT security perspective. How do you accommodate, you know, a lab environment, a forensic investigation environment. So we got to put some more controls in place. There are Going forward, I’ll take everything I just told you and put it in a go forward plan. And what are we going to do to keep improving things? Well, updating the BCP, that seems obvious good news is we actually had a big DCP overhaul project, we were going to spin up anyway, perfect timing. So we’ll make those adjustments as needed. Not massive adjustments, but their adjustments. I mentioned insider threat solutions, whether that’s leveraging more of what we already have, potentially putting some new things in place, you know, maybe warranted, particularly if we’re going to say, Hey, we’re going to keep doing this either partially or fully going forward. So again, some some some good things out there, educate, keep educating will keep getting that message out there, we’ll keep adapting and changing that message as needed. Can’t go wrong with that, and better cloud and access management controls. And there are so many things that fall into that. One I didn’t put on the slide that that kind of, you know, is under this bullet to specifically is looking at VPN alternatives, right? I think, again, if if people are going to continue to be remote having solutions that aren’t tied to traditional VPN, that are built, built for that, that that provide the equivalent, if not better security, is in order. So we’ll continue to do that. And so that really rounds out the discussion. wanted to have everyone today. I really hope you found this information useful, gave you a few few things to think about, again, not here to tell you I have it all solved, just really sharing my experiences and some of our lessons learned and recommendations. Look forward to any future conversations and please ask questions, reach out, happy to talk to you. And again, thank you for your time. Hope you found it useful again. And until next time.


Get full Q/N Access

Sign up to Q/N with a few details to watch this presentation.

  • Hidden
  • Hidden