The trend of employees working from home is continuing to rise, with an IWG study showing that 70% of people globally work remotely at least once a week. Whether you call them remote workers, telecommuters, teleworkers, off-site employees, eWorkers, digital nomads, or road warriors, this group of employees is here to stay. Organizations that want to take advantage of this growing pool of remote working talent need to adapt to the unique cybersecurity risks that come with them.
Remote workers come in many different forms. Some remote workers work for a dedicated employer that provides them with the tech they need and others make use of their own equipment. For organizations that provide work-specific devices, there is still a risk that their remote employees will use their personal devices for work tasks and the nature of remote work can make it difficult to monitor the personal device usage of remote workers.
Enterprise cybersecurity infrastructure often revolves around the creation of an impenetrable fortress built with enterprise-grade technology, robust threat detection, and monitoring. Unfortunately, these advantages may not be as accessible when a remote worker uses their personal devices. While remote security and monitoring solutions do exist for mobile devices, remote workers using personal devices may have privacy concerns with having their personal use monitored alongside work-related activities.
For companies that provide devices for use by employees, there is still potential for remote employees to inadvertently cause vulnerabilities by participating in the cross-use of personal and professional devices. If their personal devices are not kept to the same cybersecurity standard as their work computers, any work-related activities done on their personal devices can become a vulnerability.
The advantage of the use of personal devices for work use, commonly known as “Bring-Your-Own-Device (BYOD)”, is that remote workers can use the technology they are comfortable and familiar with while reducing equipment costs for their employer. To allow remote workers to use their personal devices safely there are key technologies and best practices that can be implemented to maintain a secure environment.
While some remote workers work from a home office, 44% of remote workers travel while working between one week and one month per year. The prevalence of working outside of a home office by using mobile devices opens remote workers to an increased level of risk for theft or loss of their devices. A Mobile Device Management (MDM) system provides a method for locating lost or stolen devices and includes features for separating personal data from sensitive work data, giving mobile workers the option to remotely wipe sensitive data from a lost or stolen device.
By using a remote access environment such as Office 365, or software like Atera, remote workers can access work files and emails from a secured server without needing to sync data to their personal devices. By not having company data synced with their remote devices the risk of data breaches in the event of theft is mitigated and data can be backed up to the organization’s servers, preventing data loss due to hard drive failures.
Remote workers that work outside of a home office typically need a network connection to perform their duties. This need for a connection can cause temptations for remote workers to use potentially insecure public wifi hotspots.
According to the 2018 iPass Mobile Security Report, 81% of CIOs said their company had experienced a Wi-Fi related security incident in the last year, with 62% of Wi-Fi related security incidents occurring in cafés and coffee shops. Insecure public wifi hotspots are attractive to cybercriminals as the lack of encryption allows them to monitor the internet traffic of anyone connected to the network. Another method used by cybercriminals is the creation of an insecure wifi “honeypot” – a spoofed network designed to look like an official wifi hotspot that the cybercriminal owns and can capture the data transmitted through it.
The simplest and most effective method of preventing data breaches from insecure wifi hotspots is to not use them. That said, much like the issue of Shadow IT the convenience of free wifi when traveling is a temptation that many remote workers may still fall for, and the enforcement of policies to not use public wifi may prove difficult.
To mitigate the temptation to use these insecure wifi hotspots, remote workers can be supplied with their own mobile router. A mobile router transforms 4G or 5G wireless connections into a private WiFi signal, negating the need to use unsecured wifi networks.
If a public wifi channel must be used (again, this is not recommended if it can be avoided) remote workers can connect more securely by using a VPN. An enterprise Virtual Private Network (VPN) routes internet traffic through your organization’s private network, allowing remote workers to benefit from the same security as your in-house employees.
Remote workers often require a technology stack that is heavily reliant on cloud computing. The use of cloud computing provides an advantage by saving the costs of implementing a custom solution for key services, however, the use of cloud computing comes with its own unique set of cybersecurity risks.
When an organization uses the applications or services of another company there is an added vector for risk as the cybersecurity practices of third parties are out of their control. If the third party is breached or is intentionally hiding malware in its software it can be a potential vulnerability to connected systems.
A data breach is said to occur when information is accessed by an unauthorized party. If a third party application is granted access to an organization’s network there is an increased potential for sensitive data to be wrongfully accessed.
A software’s Application Program Interface (API) defines the set of tools, protocols, and routines for building the software. Third-party applications with insecure APIs become a potential vulnerability should those insecurities be exploited.
One of the advantages of cloud-based applications is the ability for them to be accessed remotely. This advantage can also prove to be a potential vulnerability as the login credentials of an authorized party can be stolen and used to gain remote access to sensitive information.
Employees, contractors, and associates can intentionally or unknowingly cause damage to internal systems or leak sensitive information through their actions on cloud systems. As with account hijacking, the ability to access resources off-site through cloud applications gives an added opportunity for sensitive information to be accessed.
CASBs such as MVISION Cloud, Bitglass, and Microsoft Cloud App Security are software tools or services that act as a gatekeeper between an organization’s existing internal infrastructure and the infrastructure of a third-party cloud service provider, allowing for greater security and control when using third-party cloud resources. CASBs typically offer network and application firewalls, authentication, and data loss prevention tools that prevent transmission of sensitive data outside of authorized channels.
Let’s face it, nobody is perfect. Unfortunately, the bad habits that we often manage to get away with in our personal lives can have serious cybersecurity implications in the corporate world. If remote workers fail to meet their cybersecurity responsibilities when handling an organization’s data they can inadvertently leak sensitive information to unauthorized sources. Poor cybersecurity hygiene practices include device sharing, reusing passwords, storing passwords in unsecured locations, opening emails that contain malware and using insecure wireless internet connections.
In 2018, a quarter of all data breaches were caused by human error. While not all of these breaches were caused by remote workers specifically, bad habits can be readily formed by an organization’s mobile workforce as they are often outside the influence that comes with being surrounded by coworkers and managers.
Cybersecurity training needs to be a priority for organizations that work with sensitive information. Both in-house and remote employees need regular training and retraining to ensure that they are aware of and compliant with their organization’s cybersecurity requirements. According to Spicework’s 2019 State of IT, 59% of IT professionals believe employee security training tools are the most effective solution to prevent security incidents.
In addition to knowledge-based security, the standard suite of security tools should be in place to prevent data breaches caused by human error – firewalls, VPNs, endpoint security software, and antimalware software all play a part in protecting an organization’s remote workforce.
One of the benefits of remote working is the flexibility of movement that comes with mobile devices. No longer bound to dedicated office space, remote workers have the opportunity to work in planes, trains, hotels, airports, and more. Unfortunately, location independence also comes with its own unique set of risks.
Cybersecurity is not limited to fighting against the increasing threat of cybercriminals operating with software-based hacking solutions, it also involves protecting servers and endpoint devices with physical security measures. An important benefit of a dedicated office building is its enhanced physical security – locked doors, security guards, and other physical privileged-access security measures that take place inside an office are not always available to remote workers when they travel. Standard passcode-based security can be readily bypassed when physical access to employee laptops and cellphones are granted to cybercriminals.
If working in a public area, remote workers should never leave their devices unattended for any length of time (bathroom breaks, leaving devices in their car, etc) as a nearby cybercriminal can efficiently execute malicious code from a USB flash drive and compromise their device. Endpoint devices should be kept in carry-on baggage instead of checked baggage as even bags with locked zippers can be bypassed if the opportunity is available. In addition to preventing theft of their devices, when working in a public area remote workers should be conscious of the sightlines surrounding their devices and set up their workspace in a way that prevents passersby from viewing the contents of their screen.
In the event that a device is stolen, having an encrypted hard drive will make it more difficult for thieves to access the data stored inside. Modern computers come readily equipped with encryption options – FileVault for MacOS devices, and Bitlocker for Windows devices.
We mentioned MDM for tackling general BYOD cybersecurity issues and it warrants repeating here. If remote workers have access to a Mobile Device Management (MDM) system they have the option to remotely locate their lost or stolen devices or they can wipe the data from the device to prevent it from being accessed by unauthorized sources.
Traveling remote workers may need to make use of USB ports to charge their devices. While USB ports can provide power, they also open the opportunity for the connected device to unknowingly transmit data. To prevent data transfers to unknown USB ports, a USB data blocker allows remote workers to connect to the USBs power without exposing the data pins of their device.