I recently ran into a situation where a client's internal IT staff was using TeamViewer (TV) Business licensing rather than Corporate licensing. I spent some time explaining the key differences between the two options; had I not had that opportunity, they would have continued with the Business licensing model and left themselves exposed to attack. I suspect this is happening more often than not in business technology environments. Because the security risks of using Business licensing are high, it is worth going into further detail about the decisions that were made, why they were made, and how we provided the information they needed to make the right licensing decision going forward. This is also a good opportunity to spotlight why a company should consider vISO services to best protect their organization.

The question of who?

One key differentiator between a Business and a Corporate license is the ability to restrict who has access to which resources, based on the security policies applied to the endpoints. A Business license simply requires a username and password for access. Even more troubling, in this model the same passwords are typically reused across multiple endpoints, which means there is no way to enforce password strength or rotation, and it directly violates the cybersecurity best practice of never reusing passwords. Any system that grants remote access needs a deliberate credential strategy.

The question also must be asked: what happens when an authorized person leaves the organization? If that person knows the list of IDs and passwords, and you have no other control in place to remove their ability to connect, then you have no way to lock them out of those systems when they leave.

What happens if that list of credentials is compromised in a data breach or other cyber incident? The list of endpoints, together with their connection details and passwords, is now leaked. With that information, and without security policy enforcement in TV, a cybercriminal anywhere in the world could connect to those systems.

Cyber insurance policy requirements

While cyber insurance is still relatively new and largely unregulated, more and more businesses are required to carry this type of coverage. There are aspects of the cyber insurance industry you need to be aware of, because they can absolutely determine whether your claim is accepted or denied. More information on that topic can be found in the QPC Security podcast: https://qpcsecurity.podbean.com/e/avoid-cybersecurity-insurance-fraud/

As it relates to TV Business licensing, there is no mechanism to produce the forensic connection reports needed for compliance. This means you do not have the detail required to perform an incident response investigation, which a cyber insurance policy's forensic incident response team will demand. Without it, your claim runs a real risk of being denied. Can you demonstrate that your organization exercised due care in preventing unauthorized parties from accessing the tool?

You get what you pay for

Like many business decisions, internal IT and business owners usually let cost be the determining factor in IT-related decisions. Specific to TV, the bottom line is that the cost difference between Business and Corporate licensing is tiny compared to the business risk it removes. The Corporate license allows security policies to be properly configured, eliminates the risk of shared IDs and passwords being used by unauthorized parties, and provides the compliance and forensic incident response data you will need in the event of a cyberattack. This particular client's idea of "saving money" was leading to insecurity, no compliance, no security policy, and the introduction of a massive, uncontrolled risk to the overall business.

The QPC Security difference

Many IT people think of TV as merely a tool in their toolkit that provides remote access to corporate resources. Indeed, that is its primary purpose. The challenge is that if it can provide remote access to company users, what is being done to ensure that authorized personnel have access only to the resources they need (rather than all corporate resources) and, even more important, that cybercriminals do not gain access at all?

We consider TV a convenient security hole when it is implemented without the ability to apply policy to TeamViewer Host installations: policy that keeps the product fully and automatically updated, that requires Multi-Factor Authentication (MFA) for every connection to an endpoint, and that restricts connections to specific, approved corporate entities. When implemented properly, it is an excellent tool. At a minimum, we configure at least 19 security policies for endpoints through TV policies that control how TV functions and who can access it. We also have an immediate way to revoke access from anyone who is no longer authorized to connect with the tool.
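As an added example (not QPC Security's tooling and not TeamViewer code), the following Python script shows the kind of check that the allow-list and revocation controls above make possible once you have per-connection records: it audits incoming connection records against an approved set of remote TeamViewer IDs and a list of technicians whose access was revoked, with the revocation date for each. Every ID, name, date and session identifier in it is constructed for the example, and the seven-field tab-separated record layout is an assumption modelled on TeamViewer's host-side Connections_incoming.txt; verify it against your own hosts before relying on it.

```python
"""Audit TeamViewer-style incoming connection records against an allow-list.

Added example, not QPC Security's tooling or TeamViewer code. Record layout
(assumption, modelled on TeamViewer's host-side Connections_incoming.txt):
one tab-separated line per session with
  remote ID, remote display name, start, end, local account, type, session ID
"""
from dataclasses import dataclass
from datetime import datetime

TIME_FMT = "%d-%m-%Y %H:%M:%S"


@dataclass(frozen=True)
class Connection:
    remote_id: str      # TeamViewer ID of the connecting party
    remote_name: str    # display name the connecting party presented
    start: datetime
    end: datetime
    local_user: str     # account logged on to the endpoint
    kind: str           # e.g. RemoteControl, FileTransfer
    session_id: str


def parse_connections(text: str) -> list[Connection]:
    """Parse the seven-field tab-separated records; reject malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed record: {raw!r}")
        rid, name, start, end, user, kind, sid = fields
        records.append(Connection(rid, name,
                                  datetime.strptime(start, TIME_FMT),
                                  datetime.strptime(end, TIME_FMT),
                                  user, kind, sid))
    return records


def audit(records: list[Connection],
          allowed_ids: set[str],
          revoked: dict[str, datetime]) -> list[tuple[str, str]]:
    """Return (session_id, reason) for every session that should not have happened.

    A session is flagged when the remote ID belongs to a technician whose access
    was revoked before the session started, or when the ID is not on the
    allow-list at all. Revocation is checked first so that a departed
    technician who was never removed from the allow-list is still reported.
    """
    findings = []
    for c in records:
        if c.remote_id in revoked and c.start >= revoked[c.remote_id]:
            findings.append((c.session_id, "revoked_operator"))
        elif c.remote_id not in allowed_ids:
            findings.append((c.session_id, "not_allowlisted"))
    return findings


# Constructed sample data: IDs, names, dates and session IDs are made up.
CONSTRUCTED_LOG = "\n".join([
    "100000001\tHelpdesk-Alice\t03-04-2024 09:12:05\t03-04-2024 09:40:11\tCORP\\svc-it\tRemoteControl\t{s-0001}",
    "100000002\tHelpdesk-Bob\t03-04-2024 22:15:00\t03-04-2024 22:50:30\tCORP\\svc-it\tRemoteControl\t{s-0002}",
    "555000999\tUnknown\t04-04-2024 02:03:44\t04-04-2024 02:45:10\tCORP\\svc-it\tRemoteControl\t{s-0003}",
])
ALLOWED_IDS = {"100000001", "100000002"}
# Bob left the organization on 1 April 2024 but was never removed from the allow-list.
REVOKED = {"100000002": datetime(2024, 4, 1)}


def run_sample() -> list[tuple[str, str]]:
    """Audit the constructed records; returns the two sessions that should be investigated."""
    return audit(parse_connections(CONSTRUCTED_LOG), ALLOWED_IDS, REVOKED)


if __name__ == "__main__":
    for session, reason in run_sample():
        print(f"{session}: {reason}")
```

The revocation check runs before the allow-list check on purpose: the offboarding failure described earlier (a departed technician who still knows the credentials) is exactly the case where the ID is still on the approved list, so an allow-list alone would never catch it. Feeding the script real exports rather than the constructed sample only requires that the record layout match.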

The importance of having a vISO

I dedicated a whole article to the importance of having a vISO and to some key things to be aware of when evaluating vISO service providers, which you can view here (insert link to BuyerBeware-vISOServices article once draft is approved and published). In my daily interactions with clients, I am reminded why having a vISO is so important, and the same holds true for this client.

This is a clear-cut example of a co-managed IT client whose internal IT thinks they know how to do things on their own. As a result, they repeatedly deny themselves the opportunity to do things correctly because they do not ask for help. It also reinforces the paradigm shift business owners must make with respect to their IT. They cannot delegate and abdicate. They must be involved. They must avail themselves of the opportunity to be advised at a level above what their internal IT can provide.

For this client, had they been using our vISO services, a procurement policy would have been in place requiring QPC Security to sign off on all technology-related purchases over a certain dollar amount, all recurring purchases, and all purchases that could affect cybersecurity posture, and to review all IT purchases quarterly in order to protect the organization. Quite a bit of rework, which means time and additional cost, went into moving them from a TV Business license to Corporate simply because they did not vet the purchase with QPC Security before buying and implementing it. After the client converted to a TV Corporate subscription, we trained their internal IT on how to properly enroll assets, configure policies, enforce policies on endpoints, add business partners, add IT support staff user accounts with enforced MFA, and more.

The client's IT staff also registered the software to an individual's email address. Had they worked with QPC, they would have been made aware that tying the single Business license master account to an individual's email address is a serious mistake. I encourage you to read our article "Stop Having Vendor Emails Sent to Individual Email Addresses" for more on why this approach is such a problem.

The bottom line is that an organization lacking proper controls opens itself up to unknown security risks and vulnerabilities by relying too heavily on internal IT. Adding a vISO like QPC Security gives your senior management an assessment, a strategic plan, an engineering plan, budget planning assistance, and implementation services, all aimed at meeting the requirements of your organization and your customers as well as state and federal requirements. We have spent the last 25 years innovating within the cybersecurity sector, continuously enhancing our vISO services to keep pace with the changing cybersecurity compliance landscape. To learn more and discuss QPC Security's vISO services, contact us today at 262-553-6510 or visit qpcsecurity.com.