Remote Work & Cybersecurity Risks
By Ayesha Yousuf
Imagine your manager calls an online meeting and asks you to assemble the company’s pitch deck and present it to a potential client. At the same moment, you are notified by email that a malicious actor has logged into your company’s main server. What will you do now, knowing that the main server is the hub of confidential information?
This piece walks through some of the major cybersecurity risks of working remotely and how you can secure your network and systems against exploitation.
What is Cyber Security?
Cybersecurity is the application of technologies, processes and controls that helps security professionals shield data, web applications, mobile applications, networks, technologies, systems and so on from bad actors. Although a fully hack-free system or technology has not yet been discovered, cybersecurity aims to reduce the probability of data being leaked or hacked.
To keep the ecosystem safe and secure, ethical hackers perform penetration tests using different cybersecurity tools. Their main objective is to find vulnerabilities in web and mobile applications, networks, systems, protocols and even the technologies themselves. In this way, a potential vulnerability can be fixed before going live, where it is at risk of being found and exploited by an unauthorised entity.
Remote working can be understood as a model where employees are given the opportunity to perform their roles from home rather than being present at the workplace. To enable remote work, employees must be proficient with the related technologies, which removes the need to commute to the office to communicate with colleagues and clients.
When it comes to remote working, it is also expected that companies go for a hybrid model. A hybrid model consists of employees who are allowed to work remotely as well as in the office. The structure could be on a weekly basis, where the employee works one week in the office and the next remotely. To get the most benefit from it, companies design various kinds of hybrid models for their employees.
Remote Working From The Lens of Security Enthusiasts:
Cybersecurity is one of many professions that can be practised remotely. Ethical security professionals carry out their tasks from the comfort of their home.
Due to this ease, however, implementing security controls or policies in the name of security can be a bit hard. If a remotely working cybersecurity engineer is not careful, the situation may even become risky and exploitable.
Before Covid-19, most organisations preferred that employees not work remotely; remote working was allowed only in worst-case scenarios. Then the pandemic started and brought everything to a halt. Remote working came into fashion, and almost 70% of employees in every field were working remotely.
According to a survey, before the pandemic hit the world, about 16.7% of the US population worked remotely 5 days a week. During the pandemic, however, this percentage reached a whopping 43.9%. The outbreak of Covid-19 accelerated the remote working trend and demonstrated that hybrid work models are not necessarily an impediment to productivity.
Many employers even see this flexible arrangement as better, as the general consensus is that it has contributed to employees’ wellness and has reduced OPEX as well.
2020 will be remembered for more than just the pandemic, as it caused many organisations to go backwards in terms of capacity and structure. This caused a lot of layoffs throughout the world.
However, some people, especially security specialists, are not in favour of this model being adopted. A report from OpenVPN found that 89.5% of the people associated with the IT department think that working remotely is not safe. Moreover, more than 69.7% think that remote employees are at greater risk than on-site employees. A Society for Human Resource Management study also stated that 35% of employees feel more tired while working from home.
Remote Working Cybersecurity Risks For Employees:
Employees working remotely have to be careful, as they are exposed to a long list of bad actors. Those bad actors can penetrate their systems through many means, such as an unsecured home network. It may even be possible to gather highly confidential information through their Zoom meetings if the meeting link is obtained through social engineering.
Here are some bad habits that could endanger the services an employee renders to the company and become a reason for a cyberattack.
- Use of Public Wi-Fi to Access Sensitive Data:
An unsecured public Wi-Fi network, or even your home wireless network, can be accessed by cybercriminals, which puts your data at high risk of being intercepted by a malicious actor. This way, unauthorised personnel could easily harvest your credentials or sensitive information about your company.
- Personal Device Usage:
A very common practice that has arisen in many fast-growing industries is that employees are allowed to use their personal devices for work, regardless of whether they are working remotely or in the office.
Employees using their own device carry out all the related functions through it, such as transferring files and storing company data. 43.8% of employees admitted that they use their personal device when working remotely to transfer files or carry out other activities.
This may be worrisome, as it creates a loophole for the company. If an employee changes jobs, all the confidential data of the firm remains on his/her device, where he/she could easily access it at any time. This is even riskier if the device’s security software is not updated, as it leaves the data vulnerable to cybercriminals and other bad actors.
- Physical Security Not To Be Neglected:
Apart from cybersecurity, employees should also look after the physical security of their data. For instance, it would never be appropriate for an employee to hold a loud, heated conversation about an office matter in a public place.
In the same way, remotely working employees should keep track of their surroundings when working in an outdoor space. It is highly likely that your firm’s information may be leaked through your exposed laptop screen.
Cybersecurity Risks As A Remote Company:
Remote working employees can easily become a threat and a liability to any company. Without any effort, they can become a host to many unwanted cybersecurity risks that lead to the potential and rapid downfall of the company they work for.
Here are some common practices that should be taken into account while working remotely.
- Spam Email Attacks:
To exploit a high official’s account or funnel companies through a loop of cyberattacks, many hacktivists use scam email strategies. Through this pathway, a hacker sends scam emails (commonly known as phishing) and gets access to the network or private information of the organisation.
Phishing fools a victim into providing login credentials or privileged information, opening a malicious link, or downloading a file that carries a virus, which can then be used for identity fraud, installing malware and much more. This has become so common that, even with the advent of roadblocks, it is nearly impossible to stop.
- Black Sheep in an Organisation:
It is not unheard of for employees to steal their own company’s data, providing it to competitors or personally using it against the firm. Remote working has made this undoubtedly simple, as the black sheep are now on the loose with little oversight.
Through this, the company could literally come to a halt and could also face bankruptcy.
- Weak Security Controls:
Once NAC, IDS, NGFW and proxy servers are no longer in place, the client device is more likely to be exposed to an unsecured network without that protective shield, which is a potential threat to the company.
Weak security controls now go far beyond a non-existent email policy or firewall. Layered security should be the approach to protecting companies’ and employees’ devices from any kind of cyberattack.
Precautions for Remote Workers:
To deal with such issues and mishaps, there are some countermeasures a company should follow in order to protect itself against any kind of cyberattack. Companies should also take into account that, with safety precautions, they can readily reduce the risk of being exploited or hacked.
1. A Work From Home Security Policy:
How do you protect your firm or employees from cybersecurity attacks? Through which resources can you confirm that your work-from-home force is secured?
A healthy way to answer these questions is to draft a work-from-home security policy. This policy draft would contain several measures.
- Define secure positions in your company: list the posts within your organisation that are eligible to work from home. This could reduce the risk of cyberthreats and attacks, as the authorised work-from-home force would be using secure networks as well as secure devices. Every person who is working remotely should also take training sessions, so that the employee is taught how to be safe and which activities will keep him/her safe all along the way.
- In order to keep the remote working employees and the on-site employees on the same page, the company should use specific tools and processes that help create a security shield around the tasks performed by each individual.
2. Use of Antivirus:
The estimated global damage every year to businesses due to cyberattacks is approximately $1.5 million. This figure is expected to increase each year, as hackers become stronger with each exploit and more motivated to take part in such criminal activities. This exposes your company and your employees to ransomware, security threats, DDoS attacks and much more.
To prevent this, you can use antivirus solutions that fight threats and update themselves automatically to keep ahead of upcoming malicious actions.
3. VPN Utilisation:
For the purpose of securing their IP address, employees working from home are advised to use a Virtual Private Network (VPN). Through a VPN, any user can create a security dome over his/her work, so that in this fast-paced world it becomes impossible to pass those barriers.
A VPN can be upgraded by using an authentication method and by enhancing its encryption method, such as moving from Point-to-Point Tunnelling Protocol to Layer Two Tunnelling Protocol.
But a strong VPN is of no use when the password is compromised. It is essential that the passwords of the different portals and of employees’ devices are changed frequently, using strong and non-repetitive passwords. This helps to increase security. The use of the VPN should also be restricted when employees use the device on a weekend or for personal use. All company accounts should be logged out so that security is elevated. Moreover, a strong and trusted VPN should be selected, as an easily compromised one would play the role of an information provider to the bad actors.
4. Home Wi-Fi Should Be Secure:
Securing a remote employee’s home network should be the first priority for any firm. Neglecting this aspect could have serious effects, as an unsecured network could be a gateway for any cybercriminal to penetrate and steal whatever they like.
Home Wi-Fi can be secured in several ways. The most common method is opting for a strong password and changing it. Also make sure that the password is not easy to guess. Another strong security measure is restricting the devices that can connect to your home network. You can add a specific MAC address to your router’s configuration, so that only those devices can access the network and use the service.
5. Safer Online Banking:
It is important to make sure that all your banking transactions are done safely and in a very secure manner. Any person’s worst nightmare is for their bank details to be leaked to a bad actor who can then do anything with the funds.
To overcome such issues, it is suggested that the assigned person use licensed and approved platforms and software to handle all their transactions. Employees should also use only credible and authentic platforms that they are familiar with and have been a long-term client of.
If a person is using mobile banking, they can set up access through two-factor authentication, which is a safer option. Another way of making sure that you are using a safe bank website is to look for a URL that starts with https:// rather than http://.
Phishers, scammers and hacktivists use every opportunity to send scam emails, links and other lures to extract a company’s bank details. The best way to stay safe from such attacks is to never open or entertain emails or requests that ask for your bank details or any kind of username or password.
6. A Common Portal for Storage:
A healthy practice that should be added to the company’s profile is for every member of the firm to use the same portal or cloud space to store data. Using a common platform for gathering all the data is essential, as it allows the company to create a safe backup in case of any emergency. The emergency could be loss of data from an employee’s device due to a breach, or even a human error where all files are deleted by mistake.
This practice also makes it possible to secure that central platform with a firewall and strong passwords, so that your documents are safe and backed up. Access to edit or modify the information in this cloud space should be limited to trusted individuals.
In a Nutshell:
Fred Voccola, CEO of IT software management company Kaseya, states that, “Comprehensive and frequent cybersecurity training can no longer be nice to have, in this ever-evolving array of cybersecurity it is a must to have.”
The training sessions should also make employees aware of cyberattacks. Employees should be trained to handle such situations and to report to the responsible officials the moment they feel or witness that they have become a victim of such an unfortunate event.
To wrap up, it is crucial to come up with innovative solutions against cyberattacks, especially when your workforce is working remotely. Since we know that remote work comes with a number of security risks, it is essential to address them. This can be done by creating policies and implementing controls that go hand in hand with every remotely working employee and with the safety of the company.