JAKARTA (The Jakarta Post/Asia News Network): Even with most coronavirus pandemic restrictions lifted, employees in workplaces across Indonesia have come to expect some degree of working from home (WFH), and while cybersecurity was often an afterthought, experts say that needs to change, and fast.

Prama Bajaj, vice president of global marketing and strategy at CloudSEK, an India-based IT security firm, said WFH often compromised security due to how people shared devices and accessed collaboration tools like Zoom and Google Meet

“A very important factor is that the IT or the security teams were not ready. [...] Covid-19 happened all of a sudden, and people were not ready for such things to take place and to manage that. So, it had to be done at a fast pace, and maybe it could not be done to the extent that it should have been,” said Bajaj.

Many companies have applied certain security measures to accommodate WFH, but Hillstone Networks engineer Ary Kustirin said the traditional authentication with a username and password was becoming obsolete as it was getting easier to breach.

“Now, there is a solution called zero-trust network access (ZTNA), where we can work from anywhere [safely], because the authentication requires our device to be completely secure,” Ary told The Jakarta Post on Sept 6.

ZTNA requires every device to be compliant with certain parameters, such as having the latest security patches installed in the operating system and using a secure connection, before a worker can gain remote access to company servers, elaborated Ary.

This can save companies the headache of manually auditing workers’ security one by one, because not only does ZTNA automatically analyse every device that requests remote access, it also allows firms to monitor a detailed log to simplify security inspections.

“We can monitor who logged in or what application they accessed; we can read them all and audit can view these. [...] We can do this from anywhere without having to come to the office,” Ary said.

Leonardo Hutabarat, sales engineering manager of LogRhythm, a US-based IT security company, said ZTNA was crucial to security in WFH settings.

“While traditional security is centralised, like firewalls, IP, etc. and everything is in the local data centre, the challenge now is that, with WFH running, attacks may occur on users, and that is a problem if the users don’t have proper protection. [To deal with that problem, a company] must have a security-checking policy,” said Leonardo.

He added that the common practice of just monitoring the security of the data center was no longer enough.

“Now, we have to extend. We should monitor all company assets, like laptops, internet of things and cloud. [...] Every application installed in the laptop must be managed by the company, unauthorised applications must not be installed,” Leonardo said.

Moreover, cybersecurity experts emphasise that security awareness needs to improve side by side with the technology, because any weakness in this area is just as consequential.

“One problem is that security awareness takes a long time to create, especially when you’re at home, a lot of things do not get conveyed, and the practices you were following before WFH are no longer followed, for example IP restriction. With a WFH setup, that restriction had to be completely removed,” said CloudSEK product manager of research and development Nivya Ravi.

Ravi explained that security measures that had to be removed in WFH setups had caused a drastic increase in the number of breaches and security issues over the last two years.

“[What's causing these security issues are] not only physical solutions, but also normal regular practices. Say, you do not commit [security] code with sensitive contents on the internet or code-sharing platform. That still continues to happen,” said Ravi.

“Usually, companies have data leak protection tools to prevent that, but the importance of such tools is not getting conveyed to employees,” she added.

Willy Chen, regional sales director of ThriveDX SE Asia, a United States-based enterprise focused on technology and security education, said employees needed to be trained on cyber threats so they would be more careful in their conduct.

“If users are at home, their alert [level] will be lower [than when they’re] at the office. You’ll think more of security, [for example], because there will be colleagues beside you,” said Chen.