According to Buffer, 40% of remote workers (surveyed before COVID-19) prize flexible schedules as the most significant benefit of the remote working setup. This is because workers enjoy being able to spend quality time with their family, work from the comfort of their home, or work from any location they prefer. Despite these legitimate benefits, ignoring cyber security for work-from-home setups could be costly for businesses.
Moreover, with COVID-19 shuttering businesses all over the world, remote working became the only way for many companies to remain operational. Experts project that remote working will be the norm, even after COVID-19 is over.
What are the risks?
With remote working, the concept of data at rest and in transit extends beyond the boundaries of the corporate infrastructure. This presents the following risks:
- Loss of devices or theft – Mobile devices are vulnerable to being lost or stolen. As the current generation is highly mobile, with email, corporate and other portal access, the majority have sensitive information on their devices. Furthermore, stolen devices could give attackers access to cached credentials that could be used to log in to corporate networks, vendor services, or other online accounts.
- Shoulder Surfing – This occurs when someone spies over your shoulder as you use your devices.
- Device Tampering – Devices left unattended are prone to threat actors inserting malicious hardware or software. The implications include information theft, such as logging keystrokes and sending them to the attacker’s systems.
Is it safe to work remotely?
COVID-19 didn’t give companies much time to plan how they were going to implement the work from home setup based on their specific work requirements. Because of this rushed transition, 46% of global businesses have encountered at least one cybersecurity scare since lockdown, a study by Barracuda said.
The study also noted an overwhelming 51% increase in email phishing attacks, which is particularly alarming, given that 40% of business makers in the survey have made cuts to their cybersecurity budgets as an effort to remain liquid.
This highlights the need for investing in cybersecurity services intended to deal with security risks related to remote working.
- Large Attack Surface – Increased cloud presence and the use of non-company-owned devices have added to the overall attack surface of an organisation.
- Perimeter-Less Boundaries – Concepts of ‘my network’ and ‘your network’ are a thing of the past. Traditional security controls such as firewalls are no longer effective where multi-layered complexities (mobile devices, remote staff and personal devices) are all part of an organisation.
- Bring Your Own Device (BYOD) – Lack of strict policies and boundaries between trusted and untrusted networks is a headache. Whether it’s guest network usage by staff with corporate and personal devices or lack of enforcement of policies via security policy and technical controls, all these gaps add to increased risk.
- Error Situations – With businesses worried about their survival, situations arise quickly where current setups don’t provide flexibility. Employees tend to act with the best intentions in order to be efficient. Whether it’s a new collaboration tool, file sharing platform or chat application, risks are part of the equation. This is a challenge for security teams as the decision may have come from the top leadership.
- Identity and Access Management – Changes at multiple levels are required in order to ensure tracking and auditing of events taking place. This could relate to user access authorisations, new policies, violations and non-compliance.
- Weakened Security Controls – With the added pressures of financial stress and digital transformation on organisations, changes to security controls are not limited to email and firewall changes. They encompass exceptions to current policies, changes to segmentation to ensure continued access, and lots of unexpected changes made without security thought behind the decisions.
Cybersecurity is most effective when it is proactive.
Without further ado, here is the checklist for individuals and organisations to prepare for secure remote working.
Remote working security tips – Individuals
- Regularly review webcam and audio settings.
- Keep separate devices for work and personal use where possible.
- Try to get into the habit of using a password manager; separately for work and personal use.
- Create a passphrase for important accounts, and then add a modifier. Use a separate passphrase for throwaway accounts.
- Ensure that your home Wi-Fi router is updated and the default password changed.
- Ensure WPA2 or a better Wi-Fi encryption mechanism is in use.
- If you use public Wi-Fi, make it a rule of thumb to use a VPN before doing any online tasks (email, browsing, other access).
- Ensure your devices are set to receive updates and ensure backups are configured.
- Take time to update other smart devices around your home (thermostat, TV, voice-enabled devices).
- Review and follow Bring Your Own Device (BYOD) and other relevant policies and procedures.
- Keep up with remote work awareness training.
- Remember the rule “trust, but verify”.
- Limit social media use & don’t reveal business itineraries, corporate info or daily routines publicly.
How to ensure security when employees work remotely?
The following tips are checklist-based advice for businesses to prepare themselves, including their remote workforce, for the long haul.
- Consider producing user guides for recently rolled out software & services (such as conferencing, office connectivity, portals, etc.).
- Review the security features of tools in use, especially by remote workers. Where inbuilt features aren’t available, try to add compensatory controls to minimise the attack surface.
- Review new policies related to remote working. Make your staff aware of changes in an easily understandable format.
- Use secure courier deliveries for shipping devices to users.
- Don’t expose RDP services to the internet. Use a centralised authentication and access management solution such as a VPN. See more technical tips here for businesses.
- Use the jump box concept to add layered protection, where the temporary allocation of users in a restricted environment allows access on a need-only basis.
- Continued vulnerability assessments or managed vulnerability scanning, digital attack surface analysis, logging and monitoring activities should be part of security team plans to ensure 24×7 visibility of the attack surface.
- Ensure Data Execution Prevention (DEP) is enabled to avoid untrusted executions in your environment.
- Securing VPN (Virtual Private Network) – VPNs act as entry points to an organisation’s internal network. Unless your organisation has fully adopted a zero-trust approach to networking, it is highly likely that VPN access is the only way to fully access your internal resources. During these remote working situations, employees require 24×7 access to internal resources that range from the company intranet to various task-dependent services. The following measures may help a business in preparation for VPN use:
  - Authentication – Multi-factor authentication should be in use for VPN access.
  - Protocols – IPSec and TLS VPNs provide secure remote access for enterprises. For many businesses, both SSL/TLS VPN and IPSec VPN are in use.
  - Client Security – Consider client certificates for machine authentication when using VPN services.
  - Segregation – Consider segregation at the environment, service and network level to ensure VPN users do not have more access than needed. Audit your segregation measures to validate your controls.
- Use DMARC, SPF and DKIM to identify phishing attacks and strengthen email security.
- Review the backup process, and ensure that restores are tested.
- Don’t rush to buy new products. If you can extend the usage of the current setup, you are saving both time and money.
- Ensure that all assets (devices, servers, desktops, laptops) follow technical security baselines. Get these reviewed periodically.
- Use logging and monitoring solutions to ensure constant visibility of events across the estate (users, systems, devices, networks).
- Take advantage of Mobile Device Management (MDM) solutions
  - Having an MDM in place helps resolve multiple risk factors from an operational and device security point of view. IT and security teams can enrol, manage and handle security cases remotely with a minimal window of uncertainty. With this visibility, support teams can be alerted on any changes or threats that require the security team’s attention. Controlled updates, Bring Your Own Device policy policing and remote device wiping facility in case of theft are some of the top MDM benefits. Review MDM configuration and deployments periodically.
- Gain Visibility Into Your Attack Surface
  - You may request your free attack surface report to gain visibility into your assets exposed over the internet. Our comprehensive attack surface assessment considers your people, processes & technology to validate your digital footprint. It’s important to assess digital assets from a discovery and unknown risks perspective, allowing you more time to analyse and monitor your infrastructure. Our attack surface assessment results are summarised by hosting providers, asset criticality, security risks, geography and more areas.
- Cyber Attack Preparedness
  - Cyber security/incident response teams must be on standby in case of estate wide incidents such as ransomware, network outage, data breach where internal systems may be rendered out of use temporarily. Ask questions internally, liaise with internal teams such as BCP, DR, Infrastructure Support, Communications, HR & PR units.
  - Review your backup systems including processes needed to let the incident team work in parallel. This includes workstations, connectivity, communications such as email, phone, VoIP.
  - Due to the heavy usage of remote access solutions, review your abilities to block spyware, filter malicious domain URLs, block suspicious traffic (C2C, non-standard ports usage, DNS, URLs).
- Without doubt, CIOs and CISOs are flooded with pitches for secure remote working products that are 100% secure due to the sprinkling of AI and ML magic. Make sure you check what’s under the hood. Stay updated with expert tips and tricks around security and privacy topics.
- Don’t spend on more products and complicate your environment. Less is more.
- Review your current stack to identify gaps, seek help and ensure you are making the best of your current setup. For example, AppLocker via group policy, host firewall policies and advanced audit configuration are all part of modern Active Directory setups that can save you costs and complexity.
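An added example (not from the original article) for the DMARC, SPF and DKIM item in the checklist above: an offline check that flags weak SPF and DMARC policies in a domain's TXT records. The records and domain names are constructed samples, and `check_spf`, `check_dmarc` and `audit_domain` are illustrative names; DKIM is left out because its records sit under selector names that cannot be enumerated from the domain alone.

```python
# Constructed sample TXT records (added example, reserved example domains).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 ip4:192.0.2.0/24 +all"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
    "example.net": ["some-site-verification=constructed"],
}

def check_spf(records):
    """Findings for the SPF record; a bare 'all' counts as '+all'."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: " + ("multiple records, receivers treat this as an error"
                           if spf else "no record published")]
    terms = [t.lower() for t in spf[0].split()[1:]]
    qualifier = next((t[0] if t[0] in "+-~?" else "+"
                      for t in terms if t.lstrip("+-~?") == "all"), None)
    if qualifier is None:
        if any(t.startswith("redirect=") for t in terms):
            return ["SPF: policy delegated via redirect=, audit the target record"]
        return ["SPF: no 'all' mechanism, unmatched senders get a neutral result"]
    return {"+": ["SPF: '+all' authorises any sender"],
            "?": ["SPF: '?all' is neutral and gives receivers no signal"],
            "~": ["SPF: '~all' is softfail, move to '-all' once senders are known"],
            "-": []}[qualifier]

def check_dmarc(records):
    """Findings for the TXT strings published at _dmarc.<domain>."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC: " + ("multiple records, policy is ignored"
                             if dmarc else "no record published")]
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} requests no action on failing mail")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    return findings

def audit_domain(domain, lookup=SAMPLE_TXT.get):
    """All findings for a domain; `lookup` maps a DNS name to its TXT strings."""
    return check_spf(lookup(domain) or []) + check_dmarc(lookup("_dmarc." + domain) or [])
```

Pass a `lookup` function backed by a real DNS resolver to run the same checks against your own domains.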
Feel free to discuss your security concerns with our team. Some, not all, of our offerings such as penetration testing are the right fit to identify gaps and analyse the functional requirements before you go shopping.
Despite its numerous merits, remote working does come with challenges of its own. To ensure your company’s continued success with remote working, be proactive in developing protocols to address its known challenges. Remote working is here to stay, and it is useful for organisations to realise this early and ensure that a longer-term defence-in-depth approach and security principles are put to use. A good balance of usability and security goes a long way.
We have added remote working checklists for individuals and businesses in our FREE basic cyber security awareness kit. Cyber security awareness should be freely available. This is free for businesses to use, print and add to their education and training campaigns as they see fit.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.