Remote working is here to stay. In fact, when people are offered a chance to work flexibly, almost 90 percent take it (McKinsey). However, there are a great number of security risks involved with remote working. Organizations which move too rapidly to a flexible work policy risk falling victim to cyber criminals – who are seizing on the trend to deploy malware, phish credentials and steal data from unprepared networks.
So, how do you keep your remote workers secure?
What are the security risks of working remotely?
The security risks of working remotely are, unfortunately, quite numerous – data privacy, access controls, vulnerability to social engineering, physical device security … each of these comes up time and again as a leading cause of remote worker breaches. That’s not to mention compliance issues, hacking and good old-fashioned human error.
Being able to work remotely is a wonderful thing, but opening up new means for employees to access company IT networks also opens up an array of potential entry points for malicious actors. Cyber insurer Coalition summed up the issue nicely:
“Many companies [fail] to recognize that what makes it easier for their employees to access accounts and sensitive information also makes it easier for hackers to target and access the same information.”
Common remote working vulnerabilities
1. Access controls
Access controls are the policies and mechanisms that prevent unauthorized access to your network. Weak passwords and reused or insecurely stored passwords are the two most common access control failures: weak passwords are easy to brute force, and reused or leaked ones let an attacker simply log in with credentials stolen from somewhere else. But there are many more issues than just poor passwords. We talk more about identity and access management below.
2. Remote Desktop Protocol
Remote Desktop Protocol (RDP) is a common remote working tool, enabling employees to access company Windows devices over the network from anywhere in the world. But it’s also an attack point: attackers either trick people into handing over their login credentials or brute force weak passwords on RDP servers that have been exposed directly to the internet, which lets them onto the company IT network to install malware. Ransomware operators in particular favour this route.
3. Internet connection security
Not all Wi-Fi networks are secure. Public networks – such as those found in, say, a cafe or library – can be quite open to exploitation. An attacker sitting on the same network can observe any traffic that isn’t encrypted end to end, and can tamper with connections to capture credentials or session data for a company network or bank account. They might even own the access point: a rogue hotspot with a plausible name looks just like the real one, so how do you know that you’re really connecting to the network you think you are?
4. Personal devices
Personal devices are often not as secure as company devices. The OS may be out of date, the device may run apps that your company has earmarked as unsafe, and some devices may already contain malware without the employee even knowing it!
5. File sharing
Offering remote work to employees means switching to digital file storage and sharing. Doing so without a policy on data encryption, access restrictions and link sharing makes it easy for company data to be stolen or exploited – an ‘anyone with the link’ share, for example, is effectively public.
6. Cloud configuration
Cloud misconfiguration was the leading cause of company data breaches in one IDC report. Moving to the cloud enables fast, effective remote work, but cloud services must be configured correctly like any device or software – disabling public access to storage, removing default or unused credentials, scoping permissions to what each role needs, and so on.
7. Physical device security
People lose devices. It happens! But if someone loses a device that has company login access saved to it, anyone who finds or steals that device also gains company access.
8. Human error
The reality is, people make mistakes. Human error is a factor in the vast majority of cyber attack cases, either because someone made a mistake at the network configuration end, fell for a social engineering trick, or just didn’t know what to do to keep their device safe.
Learn more: The scope of human error in cyber attacks
Cyber attack techniques used to target remote workers
1. Social engineering
Social engineering is a broad term that covers any attack vector performed through the manipulation of a person – be it email phishing, fake social media profiles, website spoofing, and so on. The goal is usually to build trust with a victim so that the attacker can steal their credentials or get them to download malware.
2. Business email compromise
Business email compromise (BEC) is a type of social engineering attack that has grown into a major problem of its own. Here, scammers use spoofed emails pretending to be fellow company employees requesting the transfer of money, or the purchase of gift cards.
Attackers may also break into a real business email account (e.g. a colleague’s) to send scam emails as that person, or jump into an existing conversation you have with them in order to pass completely under the radar. This last type of attack is known as conversation hijacking.
3. Ransomware
Ransomware is one of the world’s top cyber security issues. It’s a type of malware which, once it has a foothold in a network, encrypts files and systems so that they cannot be used or accessed. The attacker then demands a ransom payment in return for the decryption key – and, increasingly, also steals a copy of the data first and threatens to publish it if the ransom isn’t paid.
4. DDoS attacks on remote working infrastructure
A DDoS attack (aka distributed denial-of-service) is where attackers flood a server with internet traffic in order to stop others from being able to access it. DDoS attacks hit an all-time record during the COVID-19 pandemic, as attackers sought to disable VPN gateways and other necessary remote working infrastructure.
5. RDP hacking
Cyber criminals target unsecured RDP access in order to compromise business networks. Common RDP attacks on remote workers include brute forcing weak login credentials, harvesting credentials through phishing, hijacking sessions started over insecure public Wi-Fi, and walking straight into RDP servers that were exposed to the internet and left unmonitored.
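The RDP hardening steps that follow from the above (and from the RDP item in the checklist at the end of this article) as a worked example. This is an added example and not code from the original article; it assumes an elevated PowerShell prompt on the Windows host, a VPN client subnet of 10.8.0.0/24, a sample account named alice, and an alert threshold of ten failed logons per source address per hour. Adjust all four to your environment.

```powershell
# Added example: hardening RDP on a Windows host and spotting brute-force attempts.
# Assumptions (not from the article): VPN client subnet, sample account, thresholds.
$VpnSubnet     = '10.8.0.0/24'
$SampleAccount = 'alice'
$AlertAfter    = 10

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means disabled. Leave it
#    disabled on hosts that are not meant to be reachable over RDP.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 1) {
    Write-Host 'RDP is disabled on this host; nothing else to do.'
    return
}

# 2. Require Network Level Authentication, so a client must authenticate before a
#    session (and the attack surface behind it) is created.
$rdpTcp = "$ts\WinStations\RDP-Tcp"
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 3. Do not expose 3389 to the internet: scope the built-in Remote Desktop firewall
#    rules to the VPN subnet only. Users connect to the VPN first, then to RDP.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet

# 4. Account lockout: 5 failed logons within 15 minutes locks the account for
#    15 minutes, which blunts password brute forcing (on a domain, set this via GPO).
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# 5. Logon hours: 'accounts locking at a certain time of day' is a logon-hours
#    restriction, not a lockout. Weekdays 08:00-18:00 for the sample account.
#    The argument is quoted so PowerShell does not split it at the comma.
net user $SampleAccount "/times:M-F,08:00-18:00"

# 6. Detection: failed logons (event 4625) per source IP over the last hour.
#    Logon type 10 is RemoteInteractive; NLA failures are recorded as type 3.
$since  = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$failed |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Where-Object { $_.LogonType -in '3', '10' } |
    Group-Object SourceIp |
    Where-Object Count -ge $AlertAfter |
    Sort-Object Count -Descending |
    ForEach-Object {
        $users = ($_.Group.User | Sort-Object -Unique) -join ','
        Write-Warning "$($_.Count) failed logons from $($_.Name) since $since (accounts tried: $users)"
    }
```

Steps 1 to 5 change host configuration and step 6 is read-only, so the detection part can be run on its own as a quick check of an existing server. A spray that tries many accounts from one address shows up in the accounts tried list; a spray that tries one account from many addresses will not cross the per-source threshold, which is why lockout (step 4) and NLA (step 2) are still needed.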
6. Zoom attacks
Video conferencing software Zoom has been the focus of a lot of exploitation since 2020. While many issues have been fixed since then, more continue to be regularly discovered at time of writing. Such attacks range from the less-damaging ‘Zoom bombing’, to phishing scams and genuine software vulnerabilities.
7. Physical device theft
With more company employees accessing potentially sensitive data from home or a public space, physical device theft has gained renewed attention. If employees leave their devices logged in automatically to company accounts, and someone steals that device, then the thief now has the same access as the employee.
8. Simple, unsophisticated trickery
Social engineering doesn’t always require digital channels, malware, exploits or backdoors. The rise of remote working has led to an equal rise in remote IT support. Some hackers have been using this to phone victims pretending to be a company IT person, offering support, gaining remote access, and then exploiting the network from there. This happened to Twitter.
Learn more: The most common cyber attack vectors
Challenges of keeping remote workers secure
Every vulnerability has a root cause. These are the common remote work security issues that can spiral into a major vulnerability and lead to exploitation.
1. Employee knowledge of cyber security
While everyone makes mistakes, a large number of these mistakes could be mitigated through greater cyber security awareness – which remains a problem throughout the business landscape. In fact, 82% of recent cyber breaches could be attributed to a ‘human element’, including misuse of technology, falling for phishing scams and simple error (Verizon).
Why is this such an issue?
A lack of training is one of the core factors leading to deficient cyber awareness in business. Globally, the largest share of companies (38%) allocate up to only one hour of training in this area per year for employees. A further 37% allocate one to two hours. In Germany, even less training goes on: 42% of companies allocate up to just one hour per year of IT security training (Proofpoint). In today’s modern world, we often expect people to know what they need to know to operate technology appropriately. However, the reality is that there’s a huge number of people out there who don’t know the protocols for, say, sharing documents safely, accessing company accounts from home, how to determine which Wi-Fi is safe, and so on.
2. Cost of ensuring employees have the technology they require at home
Budgets are, have been, and likely always will be, a problem for most companies. Most of the world moved so rapidly to remote working since 2020 that there just wasn’t enough money going around to ensure that every single employee had a company-issued set of devices that were loaded with appropriate security tools. Personal devices abounded.
Why is this such an issue?
This lack of budget has led to a marked increase in the number of people around Europe and the world using their personal devices for potentially sensitive company tasks. Companies generally aren’t able to fully monitor a person’s personal devices. Aside from the privacy issues there, a lot of employees just don’t like the idea – look at all the backlash happening on the internet around employee ‘spyware’. But without careful and consistent monitoring, there’s no way for an IT team to ensure that someone doesn’t download malware on their personal laptop, or install a fake app on their phone, or fall for a scam email for which there was no filter to stop it. These potentially ‘tainted’ devices are an easy access portal into an otherwise secure IT network.
3. Lack of cloud security expertise
As mentioned earlier, misconfiguration of the cloud is a leading cause of cloud-based cyber breaches across the globe. These days it’s very easy, perhaps too easy, to sign up to a cloud storage provider and get started. Sometimes it takes just minutes, maybe even seconds. But this is a false simplicity, because it can actually take a lot of work at the back end to ensure a company has the policies in place and security configurations set up correctly to run a safe, secure cloud system. There’s a lot more to it than just making an account and hitting ‘Go’. This, of course, means you need someone who knows how to do it all.
Why is this such an issue?
There is, quite simply, a lack of digital skills on the global market, of which cloud expertise is a major concern area. Putting it in numbers, 56% of organizations struggle to access the skills their business needs to deploy and manage security across multi-cloud environments (Check Point). On top of that, 55% of respondents to the same report said a lack of cloud and regulatory expertise was their biggest cloud compliance challenge.
4. Not enough IT budget to develop new security controls
It’s common for companies to have all the best intentions in the world, but simply too little IT budget to actually implement the security controls they’ve identified as necessary for the business.
Why is this such an issue?
If there’s no wiggle room in the IT budget then there’s no wiggle room in the IT budget. Without that extra capital to invest in security tools, write new processes, train staff, hire expertise, then there will always be gaps in the security of the business. Sometimes those gaps will be small, sometimes they will be serious. But a gap is a gap for a determined cyber attacker. You could argue that this issue may not be a root cause, but actually sits on top of ‘lack of cyber awareness’ above. Sometimes budget issues aren’t a bottom line issue, but a leadership buy-in issue. If you’re in charge of remote IT security at your company, it’s up to you to make sure you break down technology and security concepts into terms that non-tech people will understand – focus on the bottom line, impacts to productivity, reputational harm, etc.
5. Tools not fit for the times
Technology can be a big investment. Especially in the old days, IT could be a monumental capital expense – servers, software licenses, maintenance, HVAC, staffing … the zeros stacked up. This has led to quite a number of organizations developing a distaste for reinvesting in what may at first appear to be the same thing. To someone not well versed in technology, what, functionally, is the difference between an on-prem server that’s lasted the business for years, and a new cloud storage account? Or, what is the difference between the current Windows patch and the new one that it wants to install?
Why is this such an issue?
Technology is a cold war of concurrently evolving attack vectors and defense strategies. Anyone who does not move with the times risks being left behind, and the longer you’re left behind, the easier it may be for an attacker to break into your network. Legacy technology, out of date operating systems, unpatched apps … these are all potential weak points in a network’s security because cyber attackers will have had time to develop strategies to get into each of them. Some legacy software may even be so critically flawed as to already be a back door to the network, waiting for someone of even limited expertise to just walk in. Imagine defending against a tank with a crossbow.
The sudden move to remote working made this even more stark
There are many companies who spent good money on protecting their data and infrastructure in the past, but their rush towards remote working has meant that some of those controls are now out of date. For those companies in particular who only recently invested in their security, this could be a huge blow. But, unfortunately, a review of existing tools, systems and processes is necessary because of the drastically altered work environment.
Regulatory compliance issues for remote workers
Companies offering remote working fall under more data-related regulatory issues than they might be used to. Their data landscape will have changed quite drastically – where there used to be just one computer per employee connected to the on-prem server, now there are probably quite a few moving pieces and extra add-ons that all need to process the same data.
Common concerns include:
- Company data no longer stored in just one system.
- New data processing requirements.
- Multiple devices and apps now connected to servers (computer, mobile, cloud, SaaS products, and so on).
IT leaders need to ensure that each of those devices, systems and applications processes the data in a manner that is consistent with the regulatory requirements behind each data type. For example, in the past you may have protected personal data in one of your on-prem servers with encryption at rest. Now you need to protect the connection to the server, the laptop, the mobile phone, and all the third-party software tools that want the same access.
Another common issue is where a company is processing new data
Above, we talk about companies that are processing the same data in new ways. But if your business has fundamentally changed, you may be processing entirely new types of data. eCommerce is a great example. During the COVID-19 pandemic, many organizations switched from a B2B retail model (such as wholesale) to a direct-to-consumer model (such as online eCommerce). In this new normal, those companies aren’t just dealing with business accounts anymore, but sensitive personal and credit card data from potentially hundreds, if not thousands of customers. This significantly increases compliance requirements.
Many industries are also adopting their own compliance standards
To further increase security, certain business sectors are creating their own set of regulatory standards that, while not enforceable from a legal standpoint, are growing to become the ‘gold standard’ – to the point that some brands won’t work with partners who don’t adhere to the technically voluntary set of rules.
TISAX is an example, found in the European automotive sector. Automotive partners don’t have to get TISAX certified, but it’s considered a very wise idea for anyone who wants to work in that space.
These regulations almost always include conditions for remote workers.
- What is TISAX compliance, and how do you get it?
- What employers need to know about teleworking regulations in the EU (EU-OSHA)
10 best practice security considerations for remote workers
1. Remote work security policies
What is it? A document or series of documents which outlines how and when remote working should be conducted, and what steps must be taken to ensure its security. Additionally, key accountable persons are identified as the go-to individuals for problems, questions and feedback.
How does it work? A remote work security policy will help you establish clear boundaries for employees with regards to their working from home. For example, a bring-your-own-device (BYOD) policy sets rules about what kind of devices users are allowed to use for their job, so you can better control unsecured laptops and phones.
You would also outline the rules regarding company data. How is it accessed remotely, how should it be handled with regards to sharing, and what should someone do with it once they are finished their task?
2. Mobile device management
What is it? Mobile device management (MDM) solutions are used to manage all the devices that employees might use for their role. They can allow companies a bit more flexibility in enabling people to use the device and OS of their choice, while still balancing some semblance of control over device configuration, app updates, and so on.
How does it work? MDM software suites come with a few different functions. Such functions can include:
- Network segregation for better access management control.
- Application management, for app whitelisting and patching.
- Regular data backups.
- Automatic identification of network devices.
- OS configuration management.
- Remote admin actions (such as troubleshooting or device lockout).
Learn more: Mobile device management software, ranked (G2)
3. Identity and access management
What is it? Identity and access management (IAM) is an umbrella term for the policies and tools required to control who can access what, when, and from where with regards to the company IT network.
How does it work? IAM policies cover all aspects of access, and therefore function in a few different ways. For example, password policies fall under IAM, as do JML (joiners, movers, leavers) policies, multi-factor authentication, single sign-on tools, privileged access management for admin accounts, and so on. Basically, it’s a mix of documentation and software tools that allows admins to clearly define which users get to access the network, for how long they have that access, which devices they can use, and so on – but, in theory, without that control being too inconvenient for the user.
4. ZeroTrust
What is it? ZeroTrust is a policy framework that sounds a bit harsh, but in reality is quite vital to modern cyber security: never trust a user, device or connection implicitly just because it is inside the network, and verify every access request against identity, device health and context. We always want to believe our employees have the best intentions, but the risk of human error or compromised accounts is too high to allow anybody free rein in the network. Implementing ZeroTrust adds an extra layer of security between your people (or apps and vendors) and sensitive company data.
How does it work? ZeroTrust is a process with a few steps. It involves identifying the surfaces that you need to protect and mapping data flows, inventorying users and devices, implementing IAM policies and tools, and actively monitoring the network for anomalies.
A note about ZeroTrust’s rocky history: ZeroTrust has been around for a long time, and a lot of IT leaders really disliked it back in the old days – it was hard to get any budget for it, and the rollout was time consuming, expensive, and clunky. Nowadays, though, corporate appetites for concepts like ZeroTrust have increased, and Agile methodologies have made rollout considerably smoother (not to mention easier to operate on a day-to-day basis).
Learn more: Why you need ZeroTrust, and why now
5. Cyber security awareness training
What is it? This one is a bit simpler – allocating time and budget for company IT security training. The goal here is to raise people’s general awareness of broad cyber security threats, as well as any specific threats that might be a greater risk to your unique industry.
How does it work? The big things to remember with security training, and especially remote security training, is to ensure that everyone (top to bottom, leaving nobody out) gets it, that it’s designed to be as engaging as possible so people genuinely retain the information, and that it’s redone on a regular basis. As we’ve said, the technology cold war is always moving forwards, so people need to keep their training up to refresh stale knowledge and add new skills.
6. Secure cloud configuration
What is it? Secure cloud configuration is the act of adjusting relevant settings and policies to ensure the optimal protection of your cloud services (storage, compute and SaaS tenants alike). Some of these are very basic (the things that are so simple and common that you forget they weren’t just done by default) and some a bit more complex (requiring greater knowledge of cloud security and IT networks).
How does it work? Your cloud security expert will need to go through your various cloud settings and adjust them in line with your IAM policy, compliance requirements and any other security procedures to make sure your cloud-based data is safe. For example, locking down the root/owner account (MFA enabled, no long-lived access keys, not used for day-to-day work) is a simple starting point that is often forgotten. Then there are steps such as:
- Enabling automatic backups (and testing that these can be recovered).
- Identifying open ports and restricting access where necessary.
- Restricting outbound ports.
- Monitoring cloud network traffic and generating logs.
- Implementing IAM best practices.
- Restricting third-party apps from having free, unmonitored access.
- 4 steps for implementing best practice cloud security more broadly
- Common cloud misconfigurations and how to avoid them (UpGuard)
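The ‘identify open ports and restrict access’ step above, as an added worked example rather than anything from the original article: a small audit that flags management ports reachable from the whole internet. The input is a constructed sample shaped like the JSON that aws ec2 describe-security-groups returns (the group ID, rules and CIDRs are made up); the function itself only depends on that shape, so the real export, or an equivalent export from another provider, can be fed in the same way. The port list and the suggested fixes are the example’s own assumptions.

```powershell
# Added example: find cloud firewall rules that expose management ports to 0.0.0.0/0 or ::/0.
# Ports considered 'management' here are an assumption; extend the table for your estate.
$ManagementPorts = @{
    22 = 'SSH'; 3389 = 'RDP'; 5985 = 'WinRM'; 5986 = 'WinRM over HTTPS'
    1433 = 'MSSQL'; 3306 = 'MySQL'; 5432 = 'PostgreSQL'; 6379 = 'Redis'; 27017 = 'MongoDB'
}

function Find-OpenManagementPorts {
    param([Parameter(Mandatory)] $Group)   # one security group object (IpPermissions = inbound rules)

    foreach ($perm in $Group.IpPermissions) {
        # Gather every source CIDR on the rule (IPv4 and IPv6) and keep only the public ones.
        $cidrs  = @($perm.IpRanges.CidrIp) + @($perm.Ipv6Ranges.CidrIpv6)
        $public = $cidrs | Where-Object { $_ -in @('0.0.0.0/0', '::/0') }
        if (-not $public) { continue }

        # Protocol -1 means every protocol and every port: always a finding when public.
        if ($perm.IpProtocol -eq '-1') {
            [pscustomobject]@{
                GroupId = $Group.GroupId; Port = '*'; Service = 'ALL protocols/ports'
                Source  = ($public -join ','); Fix = 'Remove rule; allow only required ports from the VPN/bastion CIDR'
            }
            continue
        }
        # Otherwise report each management port that falls inside the rule's port range.
        foreach ($port in $ManagementPorts.Keys) {
            if ($port -ge $perm.FromPort -and $port -le $perm.ToPort) {
                [pscustomobject]@{
                    GroupId = $Group.GroupId; Port = $port; Service = $ManagementPorts[$port]
                    Source  = ($public -join ','); Fix = "Restrict $($ManagementPorts[$port]) to the VPN/bastion CIDR"
                }
            }
        }
    }
}

# Constructed sample (not real infrastructure): SSH open to the world, RDP correctly
# scoped to the VPN subnet, HTTPS open to the world (fine for a public web server),
# and a catch-all IPv6 rule that someone added while debugging and never removed.
$sample = @'
{ "GroupId": "sg-0123456789abcdef0",
  "IpPermissions": [
    { "IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,   "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] },
    { "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [ { "CidrIp": "10.8.0.0/24" } ] },
    { "IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,  "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] },
    { "IpProtocol": "-1",  "IpRanges": [], "Ipv6Ranges": [ { "CidrIpv6": "::/0" } ] }
  ] }
'@ | ConvertFrom-Json

# Expected: two findings (SSH on 22 from 0.0.0.0/0, and the all-ports IPv6 rule).
Find-OpenManagementPorts -Group $sample | Format-Table -AutoSize
```

The audit deliberately ignores public rules on non-management ports such as 443, since those are expected on internet-facing services; the point is that administrative access should only ever be reachable from the VPN or a bastion host, which is the same principle applied to RDP earlier in this article.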
7. Create a secure connection for remote employees
What is it? To avoid some of the issues that come with accessing a restricted network from an unrestricted location, you’ll need to find a way to bring that connection under the control of the business. VPNs are one of the most commonly used tools here.
How does it work? Connecting to the company network via a VPN is like plugging into it with a cable: traffic between the employee’s device and the company gateway travels through an encrypted tunnel, so they gain the same security and connectivity benefits that they would have at the office. This also helps prevent ‘man in the middle’ attacks, where an attacker on the same public Wi-Fi secretly intercepts traffic between two parties. Two caveats: the VPN protects the connection, not a compromised device on the end of it, and the VPN gateway itself is internet-facing, so it must be patched promptly and protected with MFA like any other entry point.
8. Secure remote meetings
What is it? Remote meetings (i.e. video conferencing) are part of daily life now, and aren’t likely to go away any time soon. But, as we hinted earlier, video conferencing platforms might not be as secure and private as you think, opening a company to trolling and spying.
How does it work? Securing your remote meetings will take a few different actions. For one, you’ll need a video conferencing platform that you can trust – Google around for reviews and write-ups from security experts on known vulnerabilities in common platforms (e.g. Zoom). Some other key tips include:
- Always secure your online meetings with passwords.
- Use virtual waiting rooms so you can admit people into the meeting only when you know them, and they were invited.
- Only allow the recording of meetings on a case by case basis, not by default.
9. App whitelisting
What is it? App blacklisting (denylisting) has been commonplace for a while now, but is being superseded by whitelisting (allowlisting). Where blacklisting is the act of blocking certain apps or websites when you don’t want employees to access them, whitelisting is the act of blocking everything by default, then enabling only the apps and websites that you’re comfortable with.
How does it work? Blacklisting doesn’t work because there are millions of apps and websites out there, and you can’t block them all. Whitelisting is a bit more effective in that regard, although it takes a lot more research to set up. You’ll need to talk to your key stakeholders, find out what people use on a daily basis, make a list of your preferred apps/domains, and then write a policy that will allow employees to quickly request access to apps/domains not found on the list already.
10. Penetration testing
What is it? Penetration testing (or ‘pen testing’ for short) is essentially a fake attack. It’s where a pretend hacker or third-party security firm simulates a real attack on your network to identify its vulnerabilities and get an idea as to how they might be exploited – before someone does it for real.
While pen testing has been important for as long as there’s been security, it’s grown increasingly so as organizations shift to remote working. Companies have a greater attack surface now than ever before, necessitating a broadening of the scope of pen tests (adding in phishing attacks, social engineering, and so on).
How does it work? Pen tests should be run at least annually and after any significant change to the environment (a move to remote working certainly counts), with their objective laid out clearly in a defined assessment scope. This scope covers which attack surfaces the company must test – web application security testing, simulated phishing, VPN vulnerability scanning, etc – and which surfaces are off limits. Simulated attacks on personal devices and home networks are usually considered off-limits due to the ethics involved (but social media used for work purposes is fair game). This makes other BYOD-protection techniques such as MDM and ZeroTrust just as important for remote security as pen testing.
Learn more: What is penetration testing? (Cloudflare)
Your work from home security checklist
Steps for your remote working security policy:
- Assign an accountable person to oversee the remote security policy.
- Implement a joiners, movers, leavers (JML) policy.
- Specify how often company devices and apps are to be updated/patched.
- Define which devices are acceptable for a BYOD policy, and specify what employees need to do before their devices are allowed to be used.
- Implement an MDM solution to better control personal devices.
General remote security steps to take:
- Set up multi-factor authentication for employees.
- Ensure team members use good passwords.
- Schedule monthly cyber training for all employees.
- Identify and whitelist necessary apps for employees; create a procedure to request new apps be added to this list.
- If using RDP, never expose it directly to the internet (reach it via the VPN or a remote desktop gateway), require Network Level Authentication and MFA, enforce account lockout after repeated failed logons, and restrict logon hours for accounts that only need access during the working day.
- Implement an IAM policy outlining who is allowed access to what systems, at what time, and for how long (and who will be accountable for owning this process).
- Regularly backup your system (or, at least, its most sensitive assets) and test to ensure this backup can actually be recovered.
- Ensure employees have current endpoint protection (anti-virus/EDR) installed, running and reporting in.
- Block Office macros by default: at minimum, block macros in files downloaded from the internet and allow only digitally signed macros to run.
- Restrict PowerShell rather than disabling it outright (disabling it breaks patching and management tooling): remove the legacy v2 engine, enable script block logging, and enforce Constrained Language Mode through application control.
- Restrict Office and other user-facing apps from spawning Command Prompt, PowerShell or other child processes on employee devices (Defender Attack Surface Reduction rules do this).
- Restrict the downloading of .exe or .pif files, and other similar file types.
- Ensure employees use a company VPN to connect to internal systems from external locations.
- Block public access on cloud storage, protect the root/owner account with MFA and no long-lived access keys, and remove any default or unused admin accounts.
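The endpoint items in the checklist above (macros, PowerShell, child processes, executable attachments) applied to a single Windows device, as an added example that is not part of the original article. It assumes Microsoft 365 Apps or Office 2016 and later (the 16.0 registry version), Microsoft Defender as the endpoint protection, and an elevated prompt; on a fleet you would push the same settings through GPO, Intune or your MDM rather than running a script per machine.

```powershell
# Added example: apply the checklist's endpoint hardening items on one Windows device.
# Assumptions (not from the article): Office registry version 16.0, Microsoft Defender, elevated shell.

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    New-Item -Path $Path -Force | Out-Null   # create the key (and parents) if missing
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Office macros. VBAWarnings = 3 allows only digitally signed macros to run;
#    blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
#    Mark-of-the-Web (downloaded or received by e-mail), which is how most macro
#    malware arrives. These are the per-user policy keys Office reads.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyDword -Path $sec -Name 'VBAWarnings' -Value 3
    Set-PolicyDword -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1
}

# 2. PowerShell. Disabling it outright breaks patching and management tooling, so
#    remove the legacy v2 engine (no script block logging, no AMSI) and turn on
#    script block logging so every script that runs is written to the
#    Microsoft-Windows-PowerShell/Operational log for your SIEM to collect.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
Set-PolicyDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                -Name 'EnableScriptBlockLogging' -Value 1
# Constrained Language Mode is enforced through an AppLocker/WDAC policy, not a registry flag.

# 3. Defender Attack Surface Reduction rules: stop Office spawning cmd.exe / PowerShell,
#    stop Office writing executables, and block executable attachments in mail clients
#    and webmail. The three IDs are Microsoft's documented ASR rule GUIDs.
$asrRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',  # Block all Office applications from creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899',  # Block Office applications from creating executable content
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # Block executable content from email client and webmail
)
# One action per rule ID, so the two arrays line up.
$asrActions = $asrRules | ForEach-Object { 'Enabled' }
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules -AttackSurfaceReductionRules_Actions $asrActions

# 4. Verify what was applied.
Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' |
    Select-Object VBAWarnings, blockcontentexecutionfrominternet
(Get-MpPreference).AttackSurfaceReductionRules_Ids
```

Start the ASR rules in audit mode (action AuditMode instead of Enabled) for a week or two on a pilot group and review the Defender events before enforcing them; the child-process rule in particular will surface legitimate add-ins that need an exclusion, and finding that out before enforcement is far cheaper than after.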
It’s a lot to take in – but you don’t have to go it alone
If you’re worried about any of the above, or lack the in-house expertise to implement the best practice security controls your business requires, we’re here for you. Contact us today for a free maturity consultation and we’ll talk to you about your unique needs.