According to Buffer, 40% of remote workers prize flexible schedules (before COVID-19) as the most significant benefit of the remote working setup. Workers enjoy spending quality time with their families, working from the comfort of their homes, or working from any location they prefer. Ignoring cyber security for work-from-home setups could be costly for businesses despite the legitimate benefits.
Moreover, with COVID-19 shuttering businesses worldwide, remote working became the only way for many companies to remain operational. Experts project that remote working will be the norm, even after COVID-19.
What are the risks?
With remote working, the data at rest and in transit concept extends beyond the corporate infrastructure boundaries. This presents the following risks:
- Loss of devices or theft – Mobile devices are vulnerable to loss or theft. As the current generation is highly mobile with email, corporate and other portal access, most have sensitive information on their devices. Furthermore, stolen devices could provide cached credentials access to attackers that could be used to log into corporate networks, vendor services, or other online accounts.
- Shoulder Surfing – It occurs when someone watches you spying over your shoulder as you use your devices.
- Device Tampering – Leaving devices unattended could be prone to threat actors taking advantage by inserting malicious hardware or software. This could include stealing information, including keystrokes, logging, and sending it to attacker’s systems.
Is it safe to work remotely?
COVID-19 didn’t give companies much time to plan to implement the work from home setup based on their specific work requirements. Because of this rushed transition, 46% of global businesses have encountered at least one cybersecurity scare since lockdown, a study by Barracuda said.
The study also noted an overwhelming 51% increase in email phishing attacks, which is particularly alarming, given that 40% of business makers in the survey have made cuts to their cybersecurity budgets to remain liquid.
This highlights the need to invest in cybersecurity services to deal with security risks related to remote working.
- Large Attack Surface – Organisations with increased cloud presence and non-company owned device usage have added to the overall attack surface of an organisation.
- Perimeter-Less Boundaries – Concepts of ‘my network’ and ‘your network’ are a thing of the past. Traditional security controls such as firewalls are no longer effective where multi-layered complexities (mobile devices, remote staff and personal devices) are all part of an organisation.
- Bring Your Own Device (BYOD) – The lack of strict policies and boundaries between trusted and untrusted networks is a headache. Whether it’s guest network usage by staff with corporate and personal devices or lack of enforcement of policies via security policy and technical controls, all these gaps add to increased risk.
- Error Situations – With businesses worried about survival, quick situations arise where current setups don’t provide flexibility. Employees tend to go with the best intentions to be efficient. Risks are part of the equation, whether it’s a new collaboration tool, file-sharing platform or chat application. This is a challenge for security teams as the decision may have come from the top leadership.
- Identity and Access Management – Changes at multiple levels are required to ensure tracking and auditing of events taking place. This could relate to user access authorisations, new policies, violations and non-compliance.
- Weakened Security Controls – Added pressures of financial stress and digital transformation on the organisations; security controls change is not limited to email and firewall changes. This encompasses exceptions to current policies, changes to segmentation to ensure continued access and lots of unexpected changes without security thought behind decisions.
Cybersecurity is most effective when it is proactive.
Remote working security tips – Individuals
- Regularly review webcam and audio settings.
- Keep separate devices for work and personal use where possible.
- Try to get into the habit of using a password manager separately for work and personal use.
- Create a passphrase for important accounts, and then add a modifier. Use a separate passphrase for throwaway accounts.
- Ensure your home Wi-Fi router is updated and the default password is changed.
- Ensure WPA-2 or a better Wi-Fi encryption mechanism is in use.
- If you use public Wi-Fi, make it a rule to use a VPN before doing any online tasks (email, browsing, other access).
- Ensure your devices are set to receive updates and ensure backups are configured.
- Take time to update other smart devices around your home (thermostat, TV, voice-enabled devices).
- Review and follow Bring Your Own Device (BYOD) and other relevant policies and procedures.
- Keep up with remote work awareness training.
- Remember the rule “trust, but verify”.
- Limit social media use & don’t reveal business itineraries, corporate info, or daily routines publically.
How to ensure security when employees work remotely?
The following tips are checklist-based advice for business to prepare their business, including the long haul remote workforce work.
- Consider producing user guides for recently rolled out software & services such as conferencing, office connectivity, portals, etc).
- Review security features of tools in use, especially by remote workers. Where inbuilt features aren’t available, try to add compensatory controls around to minimise the attack surface.
- Review new policies related to remote working. Make your staff aware of changes in an easily understandable format.
- Use secure courier deliveries for shipping devices to users.
- Don’t expose RDP services to the internet. Use centralised authentication and access management solutions such as VPN. See more technical tips here for businesses.
- Use the jump box concept to add layered protection where the temporary allocation of users in the restricted environment allows access to the only basis needed.
- Continued vulnerability assessments or managed vulnerability scanning, digital attack surface analysis, logging and monitoring activities should be part of security team plans to ensure 24×7 visibility of the attack surface.
- Ensure Data Execution Prevent is enabled to avoid untrusted executions in your environment.
- Securing VPN (Virtual Private Network) – VPNs act as entry points to an organisation’s internal network. Unless your organisation has fully adopted a zero-trust approach to networking, VPN access is likely the only way to access your internal resources fully. During these remote working situations, employees require 24×7 access to internal resources that range from the company intranet to various task-dependent services. The following measures may help a business in preparation for VPN use:
- Authentication – Multi-factor authentication should be used for VPN access.
- Protocols – IPSec and TLS VPNs provide secure remote access for enterprises. For many businesses, SSL/TLS VPN and IPSec VPN are used.
- Client Security – Consider client certificates for machine authentication when using VPN services.
- Segregation – Consider segregation at the environment, service, and network level to ensure VPN users do not have more than needed access. Audit your segregation measures to validate your controls.
- Use DMARC, SPF and DKIM to identify phishing attacks and add to the email security.
- Review the backup process and ensure that restores are tested.
- Don’t rush to buy new products. If you can extend the usage of the current setup, you are saving both time and money.
- Ensure all assets (devices, servers, desktops, laptops) follow technical security baselines. Get these reviewed periodically.
- Logging and monitoring solutions to ensure constant visibility of events across the estate (users, systems, devices, networks).
- Take advantage of Mobile Device Management (MDM) solutions.
- Having an MDM in place helps resolve multiple risk factors from an operational and device security point of view. IT and security teams can enrol, manage and handle security cases remotely with a minimal window of uncertainty. With this visibility, support teams can be alerted to any changes or threats that require the security team’s attention. Controlled updates, Bring Your Own Device policy policing, and remote device wiping facilities in case of theft are some of the top MDM benefits. Review MDM configuration and deployments periodically.
- Gain Visibility Into Your Attack Surface
- You may request your free attack surface report to gain visibility into your assets exposed over the internet. Our comprehensive attack surface assessment considers your people, processes & technology to validate your digital footprint. Assessing digital assets from a discovery and unknown risks perspective is essential, allowing you more time to analyse and monitor your infrastructure. Our attack surface assessment results are summarised by hosting providers, asset criticality, security risks, geography and more areas.
- Cyber Attack Preparedness –
- Cyber security/incident response teams must be on standby in case of estate-wide incidents such as ransomware, network outages, or data breaches where internal systems may be rendered out of use temporarily. Ask questions internally and liaise with internal teams such as BCP, DR, Infrastructure Support, Communications, HR & PR units.
- Review your backup systems, including processes needed to let the incident team work in parallel. This includes workstations, connectivity, and communications such as email, phone, and VoIP.
- Due to the heavy usage of remote access solutions, review your abilities to block spyware, filter malicious domain URLs, and block suspicious traffic (C2C, non-standard ports usage, DNS, URLs).
- Without a doubt, CIOs and CISOs are flooded with secure remote working product pitches that are 100% secure due to the sprinkling of AI and ML magic. Make sure you check what’s under the hood. Stay updated with expert tips and tricks around security and privacy topics.
- Don’t spend on more products and complicate your environment. Less is more.
- Review your current stack to identify gaps, take help and ensure you are making the best of the current setup. For example, AppLocker via group policy, host firewall policies, and advanced audit configuration are all part of modern active directory setups that can save you costs and complexity.
Feel free to discuss your security concerns with our team. Some, not all, of our offerings, such as penetration testing, are the right fit to identify gaps and analyse the functional requirements before you go shopping.
Despite its numerous merits, remote working does come with its challenges. To ensure your company’s continued success with remote working, be proactive in developing protocols to address its known challenges. Remote working is here to stay; it is helpful for organisations to realise this early and ensure a more extended-term defence-in-depth approach and security principles are put to use. A good balance of usability and security goes a long way.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.