According to Findstack’s 2023 projection, “85% of managers believe that having teams with remote workers will become the norm.” (source).
Companies recognize the benefits and popularity of remote work, but they need to be equally aware of the associated risks. Remote work has increased the attack surface of companies on the internet and deprived IT admins of control and observability.
This article explores five key risks associated with remote work and suggests remedies.
1. Unsecured Wi-Fi
Employees now connect via home or café Wi-Fi that their company does not own and control.
Sensitive information sent over this network is vulnerable to interception, even though the connection is encrypted via HTTPS.
For example, in man-in-the-middle attacks the cybercriminal hijacks your connection to a server and relays the data between you and the server, gaining access to everything, including usernames, passwords, and the content of the communication.
How to secure public Wi-Fi connections
Enforce deep network-level encryption and authentication, e.g. by using a business VPN.
VPNs encapsulate your connection in an encrypted tunnel on the network layer. This tunnel securely connects your employees and business systems, concealing them from the prying eyes of attackers lurking on unsecured networks.
2. Unsecured devices
Remote work brings the luxury of every user connecting with a device of their choice, but company admins can do little to ensure they’re safe.
In such scenarios, the only protective layers securing the data are HTTPS encryption and the user's login and password. What is more, unknown devices can be infected with malware.
How to secure BYOD devices
Interconnect your internal systems, cloud apps, and user devices with a software-defined perimeter (SDP) or business VPN. You should check if these solutions have an always-on functionality that prevents users from connecting to business resources unless the VPN is on.
To reduce impact, limit access privileges, as per the principles of zero trust. This ensures two things:
- No connection is established until both the user and their device have been authenticated. This bars access to untrusted devices.
- The user only gets access to a limited pool of resources, which they need for their work. This is called access right segmentation, and it mitigates the impact of a potential breach if an attacker does steal the access credentials.
ZTNA solutions often perform device posture checks that assess a device’s security fitness, e.g. whether vulnerability patches and antivirus software are installed.
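The access decision described above (user authentication, device trust, posture check, then access right segmentation), as an added sketch that is not from the original article or from any ZTNA product. The role names, device IDs, resource names and the 30-day patch threshold are assumptions made up for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy data (assumptions, not from the article).
ROLE_RESOURCES = {"finance": {"erp", "payroll"}, "engineering": {"git", "ci"}}
ENROLLED_DEVICES = {"LT-0042", "LT-0077"}  # devices the company trusts
MAX_PATCH_AGE_DAYS = 30                    # assumed posture threshold


@dataclass(frozen=True)
class Request:
    role: str
    user_authenticated: bool  # password + MFA verified upstream
    device_id: str
    patch_age_days: int       # days since last security update
    antivirus_running: bool
    resource: str


def posture_failures(req: Request) -> list[str]:
    """Return the posture checks this device fails (empty = healthy)."""
    failures = []
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append("patches_outdated")
    if not req.antivirus_running:
        failures.append("antivirus_missing")
    return failures


def decide(req: Request) -> tuple[bool, str]:
    """Default deny: user, device, posture and segmentation must all pass."""
    if not req.user_authenticated:
        return False, "user_not_authenticated"
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device_not_trusted"
    failed = posture_failures(req)
    if failed:
        return False, "posture:" + ",".join(failed)
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "resource_outside_role"
    return True, "allow"


if __name__ == "__main__":
    # Constructed requests: a healthy laptop, then valid credentials on an unknown device.
    print(decide(Request("finance", True, "LT-0042", 3, True, "payroll")))
    print(decide(Request("finance", True, "HOME-PC", 3, True, "payroll")))
```

Returning the deny reason alongside the verdict lets the same function feed both the enforcement point and the access log, so help desk staff can tell a posture failure from a segmentation denial.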
3. Malware and phishing
Email scams are a perpetual threat to companies today. Cybercriminals like to exploit the decrease in security brought about by telework to steal usernames, passwords, and financial data, or to plant malware on user devices when they are not protected by company security.
How to protect teleworkers from phishing
Regular awareness training is your first line of defense. Train your employees to spot email scams early by recognizing the signs of fraudulent emails. Any suspicious message should be immediately reported.
As a safety net, use a mail filter or web/DNS filter to catch any attempts to redirect the user to a malicious website. Also, always keep your antivirus up to date and scan all email attachments.
4. Weak authentication
Remote work encourages companies to use cloud apps, which in turn increases the number of logins that users must keep.
Weak passwords represent a vulnerability in any security ecosystem, and cybercriminals are quick to exploit this. They rely on people using easy-to-crack passwords, and reusing the same password in several logins (more on password strength in this article on brute-force attacks).
Similarly threatening is the lack of additional identity verification factors. Passwords are getting cracked and leaked all the time, and it is essential that more robust methods of verifying user identity are in place.
How to strengthen user authentication
Strong and unique passwords are the bottom line. A strong password should meet several criteria:
- Length – Twelve characters or more
- Complexity – Combine upper and lower case letters, numerals, and special characters
- Uniqueness – The password should be one of a kind and not duplicated across logins
To help cope with the difficulty of maintaining several hard-to-remember passwords, users should be trained in the use of password managers.
In addition, companies must enforce multi-factor authentication (MFA) to strengthen user authentication. This broadly available and inexpensive measure makes it significantly harder for adversaries to gain access to internal systems.
5. Poor data security discipline
Employees move “in the wild” during telework, which causes serious risks when they leave their devices unattended. Someone can steal company data, tamper with it, or simply steal the device.
Employees can also share company data via public repositories or transfer files between their work device and home computer.
How to improve security practices for remote work
Rigorous training and education are essential, but you have to tailor them to your security policy to make them relevant.
Are you using a VPN to access a cloud server via a trusted location? What do users need to do to authenticate themselves and their devices? When do they need to provide an additional identity factor? How often do they have to change their password? What do they do when they get locked out of their account?
Remember that employees are there to work, so observing the security policy should be as easy as possible.
It’s highly recommended to implement a ZTNA solution to help mitigate the risks of remote work and enforce a uniform level of security throughout your whole IT estate.
Hold regular awareness training in security best practices and spotting phishing emails. Keep up with emergent security threats as well as world events (for example, during the pandemic, many phishing emails disguised themselves as messages from public health institutions).
Keep your antivirus up to date, install a web/DNS filter, and enforce multi-factor authentication.
Last but not least, reduce your target silhouette with deep network-layer encryption, and restrict access privileges down to the strictly necessary.
You can’t always be prepared for everything, but you can at least prepare for most of it.