Remote working was already gaining steady ground in popularity before COVID-19 struck. According to Buffer, 40% of remote workers prize flexible schedules as the most significant benefit of the work-from-home setup. This is because workers enjoy the fact that they can spend quality time with their family, work from the comfort of their home, or work from any location they prefer.
Moreover, with COVID-19 shuttering businesses all over the world, remote working became the only way for many companies to remain operational. Experts project that remote working will be the norm, even after COVID-19 is over.
However, despite the touted benefits of remote working, there are also legitimate concerns that companies should take an in-depth look at before fully embracing it.
What is the risk?
With remote working, the concept of data at rest and in transit extends beyond the corporate infrastructure boundaries. This presents the following risks:
- Loss of devices, or theft – Mobile devices are vulnerable to being lost or stolen. As the current generation is highly mobile with email, corporate and other portal access, the majority have sensitive information on their devices. Furthermore, stolen devices could give attackers access to cached credentials that could be used to log in to corporate networks, vendor services, or other online accounts.
- Shoulder Surfing – This occurs when someone spies over your shoulder as you use your devices.
- Device Tampering – Devices left unattended are prone to threat actors taking advantage by inserting malicious hardware or software. This could lead to information being stolen, including through keystroke logging, and sent to the attacker’s systems.
What are the security risks of remote working?
COVID-19 didn’t give companies much time to plan how they were going to implement the work from home setup based on their specific work requirements. Because of this rushed transition, 46% of global businesses have encountered at least one cybersecurity scare since lockdown, a study by Barracuda said.
The study also noted an overwhelming 51% increase in email phishing attacks, which is particularly alarming, given that 40% of business makers in the survey have made cuts to their cybersecurity budgets in an effort to remain liquid.
This highlights the need for investing in cybersecurity services intended to deal with security risks related to remote working. These are highlighted in the enclosed diagram, with short introductions provided below:
- Large Attack Surface – Increased cloud presence and the use of non-company-owned devices have added to an organisation’s overall attack surface.
- Perimeter-Less Boundaries – Concepts of ‘my network’ and ‘your network’ are a thing of the past. Traditional security controls such as firewalls are no longer effective where multi-layered complexities (mobile devices, remote staff and personal devices) are all part of an organisation.
- Bring Your Own Device (BYOD) – A lack of strict policies and boundaries between trusted and untrusted networks is a headache. Whether it’s guest network usage by staff with corporate and personal devices, or a lack of enforcement through security policy and technical controls, all these gaps add to increased risk.
- Error Situations – With businesses worried about their survival, situations arise quickly where current setups don’t provide the flexibility needed. Employees tend to act with the best intentions in order to be efficient. Whether it’s a new collaboration tool, file sharing platform or chat application, risks are part of the equation. This is a challenge for security teams, as the decision may have come from the top leadership.
- Identity and Access Management – Changes at multiple levels are required in order to ensure tracking and auditing of events taking place. This could relate to user access authorisations, new policies, violations and non-compliance.
- Weakened Security Controls – With the added pressures of financial stress and digital transformation on organisations, changes to security controls are not limited to email and firewall changes. They encompass exceptions to current policies, changes to segmentation to ensure continued access, and lots of unexpected changes made without a security thought behind the decisions.
Without further ado, here is the checklist for individuals and organisations to prepare for secure remote working.
Remote Working – Checklist for Individuals
- Regularly review webcam and audio settings.
- Keep separate devices for work and personal use where possible.
- Try to get into the habit of using a password manager; separately for work and personal use.
- Create a passphrase for important accounts, and then add a modifier. Use a separate passphrase for throwaway accounts.
- Ensure that your home Wi-Fi router is updated and default password changed.
- Ensure WPA2 or a better Wi-Fi encryption mechanism is in use.
- If you use public Wi-Fi, make it a rule of thumb to use a VPN before doing any online tasks (email, browsing, other access).
- Ensure your devices are set to receive updates and ensure backups are configured.
- Take out time to update other smart devices around your home (thermostat, TV, voice enabled devices).
- Review and follow Bring Your Own Device (BYOD) and other relevant policies and procedures.
- Keep up with remote work awareness training.
- Remember the rule “trust, but verify”.
- Limit social media use and don’t reveal business itineraries, corporate info or daily routines publicly.
Remote Working – Preparing Your Business
- Consider producing user guides for recently rolled out software and services (such as conferencing, office connectivity, portals, etc.).
- Review the security features of tools in use, especially by remote workers. Where inbuilt features aren’t available, try to add compensatory controls around them to minimise the attack surface.
- Review new policies related to remote working. Make your staff aware of changes in an easily understandable format.
- Use secure courier deliveries for shipping devices to users.
- Don’t expose RDP services to the internet. Use a centralised authentication and access management solution such as a VPN. See more technical tips here for businesses.
- Use the jump box concept to add layered protection, where temporary allocation of users to a restricted environment allows access on a need-only basis.
- Continued vulnerability assessments, digital attack surface assessments, logging and monitoring activities should be part of security team plans to ensure 24×7 visibility of attack surface.
- Securing VPN (Virtual Private Network) – VPNs act as entry points to an organisation’s internal network. Unless your organisation has fully adopted a zero-trust approach to networking, it is highly likely that VPN access is the only way to fully access your internal resources. During these remote working situations, employees require 24×7 access to internal resources that range from the company intranet to various task-dependent services. The following measures may help a business in preparation for VPN use:
  - Authentication – Multi-factor authentication should be in use for VPN access.
  - Protocols – IPSec and TLS VPNs provide secure remote access for enterprises. For many businesses both SSL/TLS VPN and IPSec VPN are in use.
  - Client Security – Consider client certificates for machine authentication when using VPN services.
  - Segregation – Consider segregation at environment, service and network level to ensure VPN users do not have more access than needed. Audit your segregation measures to validate your controls.
- Use DMARC, SPF and DKIM to identify phishing attacks.
- Review backup process, and ensure that restores are tested.
- Don’t rush to buy new products. If you can extend usage of current setup, you are saving both time and money.
- Ensure that all assets (devices, servers, desktops, laptops) follow technical security baselines. Get these reviewed periodically.
- Use logging and monitoring solutions to ensure constant visibility of events across the estate (users, systems, devices, networks).
- Take advantage of Mobile Device Management (MDM) solutions
  - Having an MDM in place helps resolve multiple risk factors from an operational and device security point of view. IT and security teams can enroll, manage and handle security cases remotely with a minimal window of uncertainty. With this visibility, support teams can be alerted to any changes or threats that require the security team’s attention. Controlled updates, Bring Your Own Device policy policing and a remote device wiping facility in case of theft are some of the top MDM benefits. Review MDM configuration and deployments periodically.
- Gain Visibility Into Your Attack Surface
  - You may request your free attack surface report to gain visibility into your assets exposed over the internet. Our comprehensive attack surface assessment takes into account your people, processes & technology to validate your digital footprint. It’s important to assess digital assets from a discovery and unknown risks perspective, to allow you more time for analysis and monitoring of your infrastructure. Our attack surface assessment results are summarised by hosting providers, asset criticality, security risks, geography and more areas.
- Cyber Attack Preparedness
  - Cyber security/incident response teams must be on standby in case of estate-wide incidents such as ransomware, network outage or data breach, where internal systems may be rendered out of use temporarily. Ask questions internally, and liaise with internal teams such as BCP, DR, Infrastructure Support, Communications, HR & PR units.
  - Review your backup systems, including the processes needed to let the incident team work in parallel. This includes workstations, connectivity, and communications such as email, phone and VoIP.
  - Due to heavy usage of remote access solutions, review your abilities to block spyware, filter malicious domain URLs, and block suspicious traffic (C2C, non-standard ports usage, DNS, URLs).
Don’t spend on more products and complicate your environment. Less is more. Review your current stack to identify gaps, seek help and ensure you are making the best of your current setup. For example, AppLocker via group policy, host firewall policies and advanced audit configuration are all part of modern Active Directory setups that can save you costs and complexity.
Feel free to discuss your security concerns with our team. Some, not all, of our offerings such as penetration testing are the right fit to identify gaps and analyse the functional requirements before you go shopping.
Despite its numerous merits, remote working does come with challenges of its own. To ensure your company’s continued success with remote working, be proactive in developing protocols to address its known challenges. Remote working is here to stay, so it is useful for organisations to realise this early and ensure a longer-term defense-in-depth approach and security principles are put to use. A good balance of usability and security goes a long way.
We have added remote working checklists for individuals and businesses in our FREE cyber security awareness kit. Cyber security awareness should be freely available. This is free for businesses to use, print and add to their education and training campaigns as they see fit.