Security and remote work: from odd couple to perfect pair
The coronavirus pandemic has shown how effective remote work can be. But also that the wins in productivity come at a major risk.
With the rise of work-from-home arrangements, the potential for cyberattacks has soared. In a 2020 survey, 20% of respondents said they had faced a security breach as a result of a remote worker since the beginning of the pandemic. Twenty-four percent also had to foot unexpected expenses to address such incidents in the wake of shelter-in-place orders. And whenever WFH was a culprit in a data breach, according to IBM’s 2021 Cost of a Data Breach report, the bill came with a bump of $1 million on average.
But the remote work revolution is here to stay. CNBC reports that almost 10% of last September’s online job searches mentioned “remote work,” marking a nearly sixfold increase compared to September 2019, before the Covid-19 pandemic, according to a joint report by Indeed and Glassdoor. Employers seem to be rushing to fill the demand. Almost 9% of online job listings now advertise remote working opportunities, up threefold over the same period based on the same study.
So how can businesses give their employees the freedom of working anywhere without being exposed to a catalog of cybersecurity risks? In this article, we’re taking a closer look at some of the biggest threats to secure remote working and tried-and-tested best practices to mitigate them.
Remote working cybersecurity: definition and key considerations
First things first, what is remote working security? In cybersecurity, working from home security refers to a set of strategies and solutions to identify and manage the risks and challenges faced by remote workers as well as to safeguard corporate data assets when people do their jobs outside the office. In other words, to extend the security perimeter of a company’s local network to employees’ homes – and beyond.
Challenges, however, abound.
Not only do teleworkers move businesses’ threat perimeter to wherever they choose to work from, they’re also met with a whole new breed of security risks. “We need employees to be far more aware of things that they wouldn't need to be aware of when they’re working in the office,” Nadya Bartol, managing director at BCG, told Forbes. “For instance, who is standing behind us? Am I leaving my device unattended? How is the network I’m using protected? Do I let family members use my device?” This means an entirely new cybersecurity mindset is required from both businesses and staff.
This, coupled with reckless employee behavior, can dramatically increase companies’ potential attack surface and turn remote workers into unwitting, but all the more effective, participants in security breaches. A 2020 study by the University of Central Florida found that the number one reason for employees’ carelessness was frustration over wanting to access something to complete their tasks and security protocols making it a hassle to do so. Meaning that cyber security practices should ensure maximum protection against threats but little to no disruption to user experience or satisfaction.
From phishing to file sharing: top remote working security risks
1. Phishing attempts
We’ve discussed phishing tons of times on this blog, from the dangers of clone phishing and spear phishing attacks to what to do if you click on a phishing link. Here’s a quick recap: phishing, according to the US National Institute of Standards and Technology, “is a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.”
Phishing attacks often start with an email that appears to be a business-as-usual blast from a company asking the recipient to update or verify their personal information in a reply or on their website, FBI experts explain. At first glance, the web address might look familiar and the message genuine enough to convince them to oblige. But once they’ve clicked the link, they’ll land on a spoofed website whose sole purpose is to steal sensitive information or spread malicious software.
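The lure described above, a link whose visible text looks like a familiar address while the underlying href points somewhere else, is something a mail gateway or a security-awareness tool can check mechanically before a user ever sees the message. The Python below is an added example and is not code from the original article or from Tresorit: it parses an HTML email body, pairs each link with its displayed text, and flags anchors whose shown hostname differs from the real one or that point at a raw IP address. The sample email body, the `.test` hostname and the function names (`suspicious_links`, `host_of`) are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase hostname of a URL, or of bare text such as 'bank.example.com/login'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s  # bare domains have no scheme; add one so urlsplit finds the host
    host = urlsplit(s).hostname
    return host.lower() if host else None


# Visible link text that a reader would take for a web address.
_DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return (href, shown text, reason) for anchors whose text and target disagree."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        link_host = host_of(href) if href else None
        if link_host is None:
            continue
        if is_ip_literal(link_host):
            findings.append((href, text, "link points at a raw IP address"))
            continue
        if _DOMAIN_LIKE.match(text):
            shown_host = host_of(text)
            # A subdomain of the displayed host (login.bank.example.com) is acceptable.
            if shown_host and shown_host != link_host and not link_host.endswith("." + shown_host):
                findings.append((href, text, f"displayed {shown_host} but links to {link_host}"))
    return findings


# Constructed sample message: one deceptive link, one honest link, one raw-IP link.
SAMPLE_EMAIL = """
<p>Please verify your account details within 24 hours.</p>
<a href="http://bank-example.com.verify-login.test/reset">https://bank.example.com/account</a>
<a href="https://bank.example.com/help">Help center</a>
<a href="http://203.0.113.7/login">Sign in</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

The check is deliberately narrow: it only compares what the reader is shown with where the link actually goes, which is the exact trick the FBI description relies on, and it does not try to judge the reputation of the destination.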
2. Unencrypted file sharing
The pandemic-spurred use of cloud-based collaboration tools has played a major role in ensuring the productivity of suddenly remote teams. According to Gartner’s Digital Worker Experience Survey, nearly 80% of workers were using collaboration tools in 2021 – a 44% jump compared to pre-pandemic rates. But solutions without proper encryption protocols to protect data when it’s transmitted to and from cloud-based applications and storage can lead to breaches, theft or ransomware attacks and, as a result, loss of business, revenue, and customer trust.
3. Unsecured Wi-Fi networks
Ideally, your corporate Wi-Fi network is a safe haven for users looking to access the organization’s critical systems and resources. The corner coffee shop’s? Not so much. This can spell disaster for employees who leave their Wi-Fi enabled when leaving the house, allowing malicious actors to identify and fake their trusted networks. Not to mention those who automatically connect to nearby networks without thinking twice, pointed out NuData VP Robert Capps to CPO Magazine. That is, a whopping two-thirds of people.
4. Poor cybersecurity hygiene
Sending confidential work files over unsecured communication channels, using weak, easy-to-guess, or recycled passwords, downloading sensitive information on an unsecured home device: these are just some of the ways inadequate security habits and culture can turn an employee into an insider threat in a heartbeat. It’s also worth noting that “123456” is still the most used password in 43 of the 50 countries analyzed in NordPass’ annual Top 200 Most Common Passwords report.
Secure remote workers: best practices to boost working from home security
1. Encrypt, encrypt and encrypt some more
As we explored in a previous post, encrypting information at rest or in transit is a pillar of enterprise cybersecurity. It ensures confidentiality by encoding the contents of a message, authentication by verifying its origin, integrity by proving that it has remained unchanged since it was sent, plus nonrepudiation by preventing senders from denying having sent it, TechTarget explains. But you can do even better.
The gold standard for securing communication, end-to-end encryption encodes messages before they’re sent and decodes them only after arriving at a recipient’s device using randomly generated encryption keys. This means that no one in the middle can read or modify them. In industries where only the safest is safe enough, like health care or legal services, this methodology is hard to beat.
2. “More than a password”: switch to MFA
Multifactor authentication (MFA), 2-step verification, two-factor authentication, or 2FA all refer to the same thing: that is, a layered approach to securing data, personal or corporate, when users are accessing online accounts, applications or VPNs.
MFA-enabled online services ask for a combination of two or more authenticators for identity verification, including something you know (e.g. a PIN or a password), something you have (e.g. a confirmation code sent to your phone or generated by an authenticator app) or something you are (e.g. a fingerprint or facial structure).
Multifactor authentication can dramatically reduce the risk of compromised passwords, identity theft and account takeovers, because if one factor is cracked, another one steps up to thwart the attack. By up to 99.9%, to be exact, according to Microsoft.
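To make the "layered" idea concrete, here is an added example (not code from the original article or from Tresorit) of a login check that requires both a knowledge factor and a possession factor: a salted PBKDF2 password hash for "something you know" and a time-based one-time code (TOTP, RFC 6238, the scheme behind authenticator apps) for "something you have". Note that a stolen password alone is rejected. The user record, the password and the TOTP secret below are constructed; the secret is the RFC 6238 test key so the expected codes are known. Function names such as `authenticate` and `verify_totp` are illustrative.

```python
import hashlib
import hmac
import os
import struct
import time


def hash_password(password, salt=None, iterations=100_000):
    """Factor 1 (something you know): store a salted PBKDF2-SHA256 hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret, unix_time, step=30, digits=6):
    """Factor 2 (something you have): RFC 6238 TOTP code for the 30-second step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), code):
            return True
    return False


def make_user(password, totp_secret):
    """Constructed user record as a server would store it: hash and salt, never the password."""
    salt, iterations, pw_hash = hash_password(password)
    return {"salt": salt, "iterations": iterations, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(user, password, code, unix_time=None):
    """Both factors must pass. Both are always evaluated so a failure reveals nothing about which one failed."""
    unix_time = int(time.time()) if unix_time is None else unix_time
    know = verify_password(password, user["salt"], user["iterations"], user["pw_hash"])
    have = verify_totp(user["totp_secret"], code, unix_time)
    return know and have


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test key, so totp(secret, 59) is the documented value 287082.
    user = make_user("correct horse battery staple", b"12345678901234567890")
    print("password + valid code :", authenticate(user, "correct horse battery staple", "287082", 59))
    print("password only         :", authenticate(user, "correct horse battery staple", "000000", 59))
    print("code only             :", authenticate(user, "stolen-guess", "287082", 59))
```

The window of one step each way is the usual compromise between usability and replay exposure; a production service would additionally remember which code was last accepted so the same code cannot be used twice within the window.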
3. Update your data loss prevention strategy
Also called data leak or extrusion prevention, data loss prevention helps companies safeguard their critical data assets against loss, theft, misuse, or unauthorized access with the help of automated policy enforcement. Interest in DLP tools soared during the pandemic, with 90% of organizations implementing at least one form of integrated DLP in 2021, up from 50% in 2017, based on Gartner’s estimate. No wonder: endpoint, network, and cloud data loss prevention solutions can provide IT teams with much-needed visibility into all activity around critical data assets and strengthen compliance with even the most stringent data privacy laws.
4. Turn staff into your strongest line of defense
In the 2020 Malwarebytes Labs report mentioned above, 44% of respondents said they hadn’t provided cybersecurity training for their workers on the potential threats of working from home and on remote work security best practices such as securing home networks with a strong password or keeping devices out of the reach of non-authorized users. An oversight like this can easily turn a workplace into a garden of low-hanging fruit for malicious actors.
Make sure to educate and keep your remote employees up to date on the challenges, responsibilities and risks that come with location independence. It’s also a good idea to send out regular emails with cyber security tips for employees, including reminders to change their passwords, secure their home Wi-Fi, look out for suspicious messages, use a VPN, install available software updates, keep work files on encrypted drives, and so on.
Making things official: remote working security policy essentials
A strong remote work policy is as crucial for helping users stay vigilant and steer clear of the inherent risks of remote working as it is for enabling security teams to effectively support them in doing so. Here are some ground rules that no home office security playbook should be without.
- Acceptable use: lays out the dos and don’ts of using IT equipment and resources, including the consequences of non-compliance, to limit exposure to cyber attacks.
- Data breach response: contains tools and protocols for recognizing and handling data breach incidents, on-site or off-site, in a timely, coordinated and efficient manner.
- Remote access: provides guidance on how to connect to a company’s internal network from unsecured locations such as public spaces or home networks.
- User identification, authentication, and authorization: defines the process of verifying the identity of users attempting to access enterprise resources or applications.
How Tresorit can help maintain security when employees work remotely
An end-to-end encrypted content collaboration platform, Tresorit empowers you to:
- Make the cloud a safer place with E2E encryption
Every file and relevant metadata on our users’ devices are encrypted with randomly generated encryption keys. Accessing files is only possible with a user’s unique decryption key that no one else, not even Tresorit, has knowledge of. Meaning that even if our servers were breached, no one would be able to read their contents.
- Keep access secure and limited
Monitor and decide which devices are allowed to access which files and from where users are allowed to log in to their company account to safeguard business-critical documents. Manage files and tresors at a granular level to ensure they’re only accessible to those who need them and limit downloads or revoke access at any time.
- Stay in control of what happens to your data
Implement data protection measures, including controlling who has access to what data, logging file activities, and creating internal security policies for data management. No file content can be modified without you knowing about it, thanks to cryptographic authentication applied to all encrypted data in the form of HMAC or AEAD.
- Set up and enforce enterprise security policies in one place
Make sure that everyone on your team is on the same page when it comes to using crucial data security tools and processes. Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, create different policies for each template and modify them at any moment through a single interface.
- Encrypt attachments automatically in Gmail and Outlook
Empower your teams to work efficiently and send encrypted emails by integrating Tresorit with Google Workspace or Azure Active Directory and Office 365. The add-ins offer a fast and easy way for users to replace risky email attachments with encrypted share links and password-protected files using their existing email addresses.
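Two claims in this article rest on the same mechanism: the end-to-end encryption section says messages encrypted with a randomly generated key cannot be read or modified by anyone in the middle, and the "Stay in control" point says no file content can change without you knowing, thanks to HMAC or AEAD authentication. The Python below is an added example that demonstrates both properties in one exchange; it is not Tresorit's code and says nothing about how the product is built. To stay runnable with only the standard library it uses an encrypt-then-MAC construction (a keystream derived with HMAC-SHA256 in counter mode, then an HMAC-SHA256 tag over the nonce, ciphertext and metadata). That keystream is an illustrative stand-in for a real cipher; a production system would use an AEAD such as AES-GCM or ChaCha20-Poly1305. The file contents, the `file-id` metadata and the function names (`seal`, `open_`, `demo_exchange`) are constructed.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def generate_key():
    """Random 256-bit key held only by the endpoints; the relay server never sees it."""
    return os.urandom(32)


def derive_subkeys(master_key):
    """Derive independent encryption and MAC keys so the two roles never share key material."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as an illustrative PRF; a real system uses AES-GCM/ChaCha20."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _auth_input(associated_data, nonce, ciphertext):
    # Length-prefix the metadata so (AD, nonce, ciphertext) boundaries are unambiguous.
    return struct.pack(">Q", len(associated_data)) + associated_data + nonce + ciphertext


def seal(master_key, plaintext, associated_data=b""):
    """Encrypt-then-MAC: nonce || ciphertext || tag. Metadata is authenticated but not hidden."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _auth_input(associated_data, nonce, ciphertext), hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_(master_key, blob, associated_data=b""):
    """Verify the tag first; only an unmodified blob with the right key and metadata is decrypted."""
    enc_key, mac_key = derive_subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob truncated")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, _auth_input(associated_data, nonce, ciphertext), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: content modified, wrong key or wrong metadata")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def is_rejected(master_key, blob, associated_data=b""):
    """True when open_ refuses the blob, i.e. tampering was detected."""
    try:
        open_(master_key, blob, associated_data)
        return False
    except ValueError:
        return True


def flip_byte(blob, index):
    """Simulate a man-in-the-middle or a compromised server altering one stored byte."""
    modified = bytearray(blob)
    modified[index] ^= 0x01
    return bytes(modified)


def demo_exchange():
    """Constructed scenario: sender -> relay server -> recipient; only the endpoints hold the key."""
    key = generate_key()
    file_id = b"file-id:42"                    # constructed metadata, authenticated but visible
    plaintext = b"Q3 forecast: revenue up 12%"  # constructed file contents
    blob = seal(key, plaintext, file_id)       # this is all the server ever stores
    return {
        "server_sees_plaintext": b"forecast" in blob,
        "recipient_plaintext": open_(key, blob, file_id),
        "tamper_rejected": is_rejected(key, flip_byte(blob, 20), file_id),
        "wrong_metadata_rejected": is_rejected(key, blob, b"file-id:43"),
        "wrong_key_rejected": is_rejected(generate_key(), blob, file_id),
    }


if __name__ == "__main__":
    for name, value in demo_exchange().items():
        print(f"{name}: {value}")
```

The order of operations in `open_` is the point: the tag is checked before any decryption happens, so a modified byte, a swapped file identifier or a wrong key all produce the same refusal rather than silently yielding garbage, which is how "no file content can be modified without you knowing about it" is achieved in practice.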