The trend of employees working from home is continuing to rise, with an IWG study showing that 70% of people globally work remotely at least once a week. Whether you call them remote workers, telecommuters, teleworkers, off-site employees, eWorkers, digital nomads, or road warriors, this group of employees is here to stay. Organizations that want to take advantage of this growing pool of remote working talent need to adapt to the unique cybersecurity risks that come with them.
Remote workers come in many different forms. Some remote workers work for a dedicated employer that provides them with the tech they need, while others use their own equipment. Even for organizations that provide work-specific devices, there is still a risk that remote employees will use their personal devices for work tasks, and the nature of remote work can make that personal device usage difficult to monitor.
Enterprise cybersecurity infrastructure often revolves around the creation of an impenetrable fortress built with enterprise-grade technology, robust threat detection, and monitoring. Unfortunately, these advantages may not be as accessible when a remote worker uses their personal devices. While remote security and monitoring solutions do exist for mobile devices, remote workers using personal devices may have privacy concerns with having their personal use monitored alongside work-related activities.
For companies that provide devices for use by employees, there is still potential for remote employees to inadvertently cause vulnerabilities by participating in the cross-use of personal and professional devices. If their personal devices are not kept to the same cybersecurity standard as their work computers, any work-related activities done on their personal devices can become a vulnerability.
The advantage of the use of personal devices for work use, commonly known as “Bring-Your-Own-Device (BYOD)”, is that remote workers can use the technology they are comfortable and familiar with while reducing equipment costs for their employer. To allow remote workers to use their personal devices safely there are key technologies and best practices that can be implemented to maintain a secure environment.
By using a remote access environment or virtual private networks (VPNs) such as Office 365, or software like Atera, remote workers can access work files and emails from a secured server without needing to sync data to their personal devices. Because company data is not synced to their remote devices, the risk of a data breach in the event of theft is mitigated, and data can be backed up to the organization’s servers, preventing data loss due to hard drive failures.
Remote workers that work outside of a home office typically need a network connection to perform their duties. This need for a connection can cause temptations for remote workers to use potentially insecure public wifi hotspots.
According to the 2018 iPass Mobile Security Report, 81% of CIOs said their company had experienced a Wi-Fi related security incident in the last year, with 62% of Wi-Fi related security incidents occurring in cafés and coffee shops. Insecure public wifi hotspots are attractive to cybercriminals as the lack of encryption allows them to monitor the internet traffic of anyone connected to the network. Another method used by cybercriminals is the creation of an insecure wifi “honeypot”: a spoofed network, owned by the cybercriminal and designed to look like an official wifi hotspot, that captures the data transmitted through it.
The simplest and most effective method of preventing data breaches from insecure wifi hotspots is to not use them. That said, much like the issue of Shadow IT, the convenience of free wifi when traveling is a temptation that many remote workers may still fall for, and the enforcement of policies to not use public wifi may prove difficult.
To mitigate the temptation to use these insecure wifi hotspots, remote workers can be supplied with their own mobile router. A mobile router transforms 4G or 5G wireless connections into a private WiFi signal, negating the need to use unsecured wifi networks.
If a public wifi channel must be used (again, this is not recommended if it can be avoided) remote workers can connect more securely by using a VPN. An enterprise Virtual Private Network (VPN) routes internet traffic through your organization’s private network, allowing remote workers to benefit from the same security as your in-house employees.
Remote workers often require a technology stack that is heavily reliant on cloud computing. Cloud computing saves the cost of implementing a custom solution for key services; however, it comes with its own unique set of cybersecurity risks.
When an organization uses the applications or services of another company there is an added vector for risk as the cybersecurity practices of third parties are out of their control. If the third party is breached or is intentionally hiding malware in its software it can be a potential vulnerability to connected systems.
A data breach is said to occur when information is accessed by an unauthorized party. If a third party application is granted access to an organization’s network there is an increased potential for sensitive data to be wrongfully accessed.
A software’s Application Program Interface (API) defines the set of tools, protocols, and routines for building the software. Third-party applications with insecure APIs become a potential vulnerability should those insecurities be exploited.
One of the advantages of cloud-based applications is the ability for them to be accessed remotely. This advantage can also prove to be a potential vulnerability as the login credentials of an authorized party can be stolen and used to gain remote access to sensitive information.
Employees, contractors, and associates can intentionally or unknowingly cause damage to internal systems or leak sensitive information through their actions on cloud systems. As with account hijacking, the ability to access resources off-site through cloud applications gives an added opportunity for sensitive information to be accessed.
CASBs such as MVISION Cloud, Bitglass, and Microsoft Cloud App Security are software tools or services that act as a gatekeeper between an organization’s existing internal infrastructure and the infrastructure of a third-party cloud service provider, allowing for greater security and control when using third-party cloud resources. CASBs typically offer network and application firewalls, authentication, and data loss prevention tools that prevent transmission of sensitive data outside of authorized channels.
Let’s face it, nobody is perfect. Unfortunately, the bad habits that we often manage to get away with in our personal lives can have serious cybersecurity implications in the corporate world. If remote workers fail to meet their cybersecurity responsibilities when handling an organization’s data they can inadvertently leak sensitive information to unauthorized sources. Poor cybersecurity hygiene practices include device sharing, reusing passwords, storing passwords in unsecured locations, opening emails that contain malware and using insecure wireless internet connections.
In 2018, a quarter of all data breaches were caused by human error. While not all of these breaches were caused by remote workers specifically, bad habits can be readily formed by an organization’s mobile workforce as they are often outside the influence that comes with being surrounded by coworkers and managers.
Cybersecurity training needs to be a priority for organizations that work with sensitive information. Both in-house and remote employees need regular training and retraining to ensure that they are aware of and compliant with their organization’s cybersecurity requirements. According to Spiceworks’ 2019 State of IT, 59% of IT professionals believe employee security training tools are the most effective solution to prevent security incidents.
In addition to knowledge-based security, the standard suite of security tools should be in place to prevent data breaches caused by human error – firewalls, VPNs, endpoint security software, and antimalware software all play a part in protecting an organization’s remote workforce.
One of the benefits of remote working is the flexibility of movement that comes with mobile devices. No longer bound to dedicated office space, remote workers have the opportunity to work in planes, trains, hotels, airports, and more. Unfortunately, location independence also comes with its own unique set of risks.
Cybersecurity is not limited to fighting against the increasing threat of cybercriminals operating with software-based hacking solutions; it also involves protecting servers and endpoint devices with physical security measures. An important benefit of a dedicated office building is its enhanced physical security: locked doors, security guards, and other physical privileged-access security measures that take place inside an office are not always available to remote workers when they travel. Standard passcode-based security can be readily bypassed when a cybercriminal gains physical access to employee laptops and cellphones.
If working in a public area, remote workers should never leave their devices unattended for any length of time (bathroom breaks, leaving devices in their car, etc.), as a nearby cybercriminal can efficiently execute malicious code from a USB flash drive and compromise their device. Endpoint devices should be kept in carry-on baggage instead of checked baggage, as even bags with locked zippers can be bypassed if the opportunity is available. In addition to preventing theft of their devices, when working in a public area remote workers should be conscious of the sightlines surrounding their devices and set up their workspace in a way that prevents passersby from viewing the contents of their screen.
In the event that a device is stolen, having an encrypted hard drive will make it more difficult for thieves to access the data stored inside. Modern computers come readily equipped with encryption options: FileVault for macOS devices, and BitLocker for Windows devices.
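To make the disk-encryption requirement above checkable across a remote fleet, the following added example (not part of the original article) parses status text of the kind printed by `fdesetup status` on macOS and `manage-bde -status` on Windows and lists the devices that would fail. The hostnames and sample outputs are constructed, and the exact status wording is an assumption that may vary by OS version.

```python
import re

# Constructed sample outputs, modelled on `fdesetup status` (macOS) and
# `manage-bde -status C:` (Windows); wording is assumed and may vary by OS version.
FLEET = [
    ("laptop-01", "macos", "FileVault is On.\n"),
    ("laptop-02", "macos", "FileVault is Off.\n"),
    ("laptop-03", "macos",
     "FileVault is On.\nEncryption in progress: Percent completed = 41\n"),
    ("laptop-04", "windows",
     "Volume C: [OS]\n    Conversion Status:    Fully Encrypted\n"
     "    Protection Status:    Protection On\n"),
    ("laptop-05", "windows",  # encrypted, but protection suspended
     "Volume C: [OS]\n    Conversion Status:    Fully Encrypted\n"
     "    Protection Status:    Protection Off\n"),
]

def filevault_compliant(output: str) -> bool:
    """FileVault must be on and the initial encryption pass finished."""
    on = re.search(r"^FileVault is On\.", output, re.MULTILINE) is not None
    return on and "in progress" not in output.lower()

def bitlocker_compliant(output: str) -> bool:
    """Volume must be fully encrypted AND protection must be on."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip().lower()
    return (fields.get("conversion status") == "fully encrypted"
            and fields.get("protection status") == "protection on")

CHECKS = {"macos": filevault_compliant, "windows": bitlocker_compliant}

def non_compliant(fleet):
    """Return hostnames whose disk encryption check fails.
    Unknown platforms fail closed."""
    failed = []
    for host, platform, output in fleet:
        check = CHECKS.get(platform)
        if check is None or not check(output):
            failed.append(host)
    return failed

if __name__ == "__main__":
    print(non_compliant(FLEET))
```

The two less obvious failures are the Mac that is still mid-encryption and the Windows laptop whose volume is fully encrypted but has protection turned off; both are reported alongside the plainly unencrypted device.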
While some remote workers work from a home office, 44% of remote workers travel while working between one week and one month per year. The prevalence of working outside of a home office by using mobile devices opens remote workers to an increased level of risk for theft or loss of their devices. A Mobile Device Management (MDM) system provides a method for locating lost or stolen devices and includes features for separating personal data from sensitive work data, giving mobile workers the option to remotely wipe sensitive data from a lost or stolen device.
Traveling remote workers may need to make use of USB ports to charge their devices. While USB ports can provide power, they also open the opportunity for the connected device to unknowingly transmit data. To prevent data transfers to unknown USB ports, a USB data blocker allows remote workers to draw power from the USB port without exposing the data pins of their device.