Securing the New Normal: A Perspective on Managing the Risks of Remote Work
Over the past few weeks, companies around the world have adopted a work-from-home model wherever possible for the health and safety of their employees and communities. While this shift is critical right now, the challenge is that not every company was ready for such a sudden move, especially as you consider the potential security risks of a remote workforce. Now that many of us have begun supporting remote work, it’s important to look at asset management through a cybersecurity lens and uphold the best practices that will continue to safeguard our businesses.
While many office workers have laptops, smartphones and other mobile devices, a significant number of them are rarely used outside the organization’s network. Even when workers traveled with devices or conducted remote work prior to this shift, it was at a much smaller scale and less likely to stretch infrastructure and support capabilities. For those who did rely on a desktop, some will take their setup home while many will be switched to an unfamiliar laptop or asked to use their personal equipment to access work systems. In all these instances, the security policies in place for remote work may be somewhat unfamiliar.
Working from home increases risk
The risks involved in working from home are different from those involved in working in an office. At the very least, home workers will be using domestic broadband and could be sharing that space with others. If not managed properly, your remote workforce can unintentionally introduce significant risk to your organization as a result of:
- Connected devices, including personal laptops, tablets, smartphones and IoT devices, that are notorious for their poor security
- Increased usage of cloud services resulting in a reduced reliance on VPNs, which have traditionally provided a secure connection to corporate IT systems
- Unauthorized access to corporate devices due to working in close quarters with family, significant others or roommates, as people are generally more relaxed about locking screens at home than they are in the office
- Generally being out of their normal routine – the psychological impact of this should not be underestimated, especially at a time when employees could be understandably distracted
Consider 3 questions about the state of your remote workforce
According to research from IDC, 70% of data breaches occur at the endpoint. Securing those devices is critical to keeping both your organization’s information and your customers’ data safe. To that end, here are a few questions to consider as you work to improve the security of your remote workforce.
1. Is a laptop or desktop more secure inside the organization’s office?
In the office, your users’ devices are secured behind a firewall so, even if there are vulnerabilities, they’re harder for an attacker to access. It’s also much easier to track down the people who haven’t rebooted their machines recently and ask them to do it so security updates can be made. Or, it’s possible to do it for them, even if they’re in the middle of something. This is also somewhat dependent upon what processes and best practices you may already have established – especially if your organization is not already supporting a distributed workforce.
2. How is your VPN set up?
Some organizations push all traffic through the VPN, which is usually great for security purposes. However, do you have enough bandwidth to handle the increased volumes of external traffic coming across your gateway? And what about the bandwidth available to your users from their homes?
At the moment, even areas with good bandwidth are seeing the impact of increased work from home and school closures that have forced workers and students to use domestic internet access at the same time.
If you do mandate the use of VPN, then you probably have enough licenses and capacity for all those who regularly work from home. However, it would have been reasonable to assume that fewer than 100% of them would ever be using it at any one time. This assumption will likely cause problems today. What many organizations fail to understand is that simply buying more licenses is not the solution, because the physical infrastructure has capacity limits as well.
Some organizations make VPN optional, particularly if the majority of users only work from home occasionally and primarily use SaaS applications that don’t require them to connect to their own IT infrastructure. This may solve the capacity issue but if people are connected to their home WiFi – which likely is much less secure than corporate networks – then endpoint vulnerabilities must be a concern and need to be addressed proactively.
3. What does a cyberattack look like?
Cyberattacks can take many forms. Particularly when a large number of your workforce is deployed remotely, how would they spot a cyberattack or notify the appropriate teams of suspicious activity? The majority of cyberattacks right now are carried out via phishing emails to users. If one succeeds, a cybercriminal may be able to connect to the rest of your organization or even deploy malware or ransomware – and create significant problems. This is even more likely if a victim’s device contains existing vulnerabilities like outdated or unpatched software.
Key steps for securing home working
There are simple steps you can implement today to immediately improve your remote security posture. They won’t fix everything, but at a time when we’re having to respond quickly to constantly changing circumstances, they can minimize the risk while you focus on broader enablement. More robust solutions can be put in place later.
- Educate. It’s important to share best practices on how devices should be used, how to properly identify potential cyber schemes and how to report suspicious activity. At Snow, we have regular cybersecurity training where users are sent what looks like a phishing email – and if a link is clicked, it takes them to a training module. This ensures that you’re not only sharing appropriate instructions but also creating interactive simulations to test users’ understanding and retention of these practices. Even employees that typically follow protocol could be tripped up during this time, as most of us are being forced out of a normal routine. We’re also seeing a rise in phishing campaigns and scams which are increasingly targeted to prey on our anxieties or are seemingly providing helpful information on the current changing situation.
- Lock screens. Remind your users to lock their machine when they walk away from the device, just as they would while on a client site, in a public space or in the office. It may seem like an odd habit to get into at home – but it’s an easy way to prevent any accidental issues.
- Consider how to support your remote workers effectively – and securely. As more of the workforce is remote, it’s important to create easy-to-access resources, best practices and procedures that also keep your organization secure. These should cover how to securely access your network (whether via VPN or zero-trust models), handle sensitive data, use personal devices (if allowed), access or request software or applications, install or operate security tools like anti-virus or anti-malware, and follow regular patching or system update protocols.
Do the best that you can but don’t let one emergency create another one within your organization. Recognize the risks and implement these simple measures to improve your odds in the always evolving cybersecurity landscape.