If your company operates out of a co-working space, you may have more to worry about than just formaldehyde-infused phone booths. Shared WiFi available in co-working spaces makes life easier for companies working there, but weak security practices can leave your critical business data, product infrastructure and intellectual property vulnerable to Peeping Toms not only in your physical environment but in the network too.
In a recent case to prove this point, Teemu Airamo, the CEO of a company working out of a WeWork in Manhattan scanned the office and accessed the financial records and bank account credentials from more than 200 companies sharing the same office as his team. Airamo’s exercise, while harmless in intent, surfaces important questions we should be asking ourselves: Are we implicitly trusting workers of co-located companies by agreeing to use the same provided network? Should malicious activity by co-located company workers be considered insider threat?
What‘s the big deal about co-working spaces, you may ask. How are they different from using the WiFi at an airport or coffee shop? The thing is, when you work in a coffee shop you are not assuming that the WiFi is secure. In fact, most public WiFi services have a disclaimer that explains in no uncertain terms that they are not responsible for any data loss when you use their network. On the other hand, companies that sign an agreement with a co-working space trust that the provider is making a reasonable attempt at providing a secure environment and network. Unfortunately, this trust is misplaced.
What Can You Do About It?
Even if you buy into your provider’s “space as a service” positioning, the shared responsibility model should still apply. Similar to working in the cloud, the co-working space is responsible for protecting the infrastructure, but you’re responsible for your organization’s security.
Thankfully, there are measures you can take to secure your assets even when your company is using an insecure pipe. Because you share your physical and virtual environments, it’s important to consider security in both realms:
Physical Security
- If you’re in a private office, prevent tailgating by installing fobs to ensure only authorized personnel can get in.
- Vents and glass are tell-tale signs your office isn’t soundproof. If your conversations are sensitive and are at the risk of traveling, you will want to soundproof your office space. Depending on your flexibility, you could ask the co-working company to hire contractors to soundproof your space professionally, or go for a DIY option and buy absorbers on the cheap.
- Get a shredder to discard sensitive documents. Cleaning crews that come into private offices may not discard your trash in a secure way.
- Be aware of your surroundings. Prevent shoulder surfing by using a privacy filter for your computer and phone screens. You never know who your lunch mates are.
Network Security
- The principle of zero trust applies in this scenario more than ever. In designing your security processes, start from a position of not trusting anyone. One of the best defenses is requiring everyone in your organization to use VPN to access corporate resources. Encryption afforded by VPN protects your organization from peeping Toms hiding in your shared network.
- For good measure, ensure that all data at rest and in flight is encrypted.
- Enforce single sign-on for accessing all company assets and services.
- Make it mandatory to turn off public sharing and airdrop.
- Apply the principle of least privilege when assigning entitlements to users. Think about who needs access to which services, and for how long. Assign time limits to entitlements so that they automatically expire.
- Maintain visibility of accounts and privileges across all services. Continuously monitor access and user activity so that you can quickly detect and investigate anomalous activity.
- Make network security SLAs and explicit part of your conversation with the service provider. Work in assurances about security measures to be taken into the contract. Reserve the right to periodically review their security systems and processes.
This post is just scratching the surface of what you can do to remain secure in a co-working space. You are ultimately responsible for the security of your organization’s assets. By educating your employees on vigilance and investing in security solutions that can protect access to your assets, you can create a secure bubble even within an open network.