Employers need to pay extra attention to securing the technology their remote workforce is using.
The growing COVID-19 coronavirus pandemic is providing plenty of new opportunities for cybercriminals to exploit unsecured technology systems, overworked information technology (IT) staff and panicked employees who are new to working from home.
Remote-access technologies are exposed to more external threats. Organizations "should assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network," said the National Institute of Standards and Technology.
"The impulse to send employees home to work is understandable, but companies and agencies without business continuity plans with a strong IT asset management component are going to be sitting ducks for breaches, hacking and data that is out there in the wild, beyond the control of the company," said Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers.
Onkar Birk, senior vice president of product strategy and engineering for Houston-based network security firm Alert Logic, said there has been a significant spike in the number of users connecting to company networks and accessing sensitive data from home computers. "As the number of people logging in remotely or connecting to cloud-based SaaS [software-as-a-service] applications rises, the attack surface expands," he said. "Organizations suddenly have an exponential increase in the number of endpoints and … cyber adversaries are looking to capitalize on the chaos. An expanded attack surface combined with an influx of workers who are new to working remotely increases the opportunities and odds of success for cyberattacks."
These are the areas organizations should focus on to shore up remote-work cybersecurity:
Dust Off Those Remote-Work Security Plans
Christopher Buontempo, an attorney in the Boston office of law firm Mintz, said that organizations first need to review information security policies to determine if there are any established security guidelines for remote work. "If no relevant plans or policies are in place, this is a good time to establish at least some basic guidelines to address remote access to company information systems and use by employees of personal devices for company business."
Managers should ensure that applicable security guidelines, plans and policies flow down to their teams. "Many employees do not work in security day to day, and some may have never worked remotely before," he said. "Companies should review plans to ensure that organizations are prepared for responding to a data breach or security incident."
If remote work is a new practice for a company, set standards, expectations and processes for your staff, said Trina Glass, an attorney with Stark & Stark in Lawrenceville, N.J. The most basic areas to address are whether employees will be using company-provided or personal devices and a VPN or a remote desktop, and whether work-from-home systems can be tested.
Secure the Connection
Some workers may want to use unsecured public Wi-Fi. That is always inadvisable for work devices, and employers should discourage it. Most workers will instead be on their home Wi-Fi network, which should be configured securely: WPA2 or WPA3 with a strong passphrase, and the router's administrative password changed from the factory default.
Experts recommend that organizations require remote employees to use a VPN, which encrypts traffic between the employee's device and the corporate network so that it cannot be read on the home or public network in between. A VPN protects only that leg of the path; from the VPN gateway onward, traffic is protected by whatever the application itself uses, such as TLS.
"Always use a VPN to connect remote workers to the organization's internal network," said Tony Anscombe, chief security evangelist at ESET, an IT security company based in Bratislava, Slovakia. "This prevents man-in-the-middle attacks from remote locations. Remember that since people are now working from home, the traffic is flowing over public networks."
Anscombe advised employers to first determine who on the staff needs access to the organization's entire internal network, and who may just need access to cloud-based services and e-mail.
Guy Bruneau, a senior security consultant with IT security firm IPSS Inc., in Ottawa, Ontario, Canada, said employers should frequently patch their VPNs with the latest security fixes and use multifactor authentication as another layer of protection against an expected increase in VPN phishing attacks.
Anscombe explained, "Multifactor authentication ensures that access, whether to cloud-based services or full network access, is by authorized users only."
Rembiesa recommended organizations also secure the cloud and SaaS applications that remote workers will be using in the coming months by ensuring identity and access control and encryption of data.
Personal Devices and Home Networks
Many workers will have no choice but to use personal devices and home networks to get their job done. "One of the biggest cybersecurity risks is the personal device," Glass, of law firm Stark & Stark, said. "Whether smartphone or laptop, there are serious problems posed by using personal technology in a work setting involving sensitive information. Employees might save documents to their desktops or send document drafts to their personal e-mail. They may not have up-to-date antivirus software, or they may use outdated personal password protection."
Bring-your-own-device (BYOD) practices will need to be critically tightened, Rembiesa said. "The reality is that the longer someone is out of the office, the more likely it is that they will do company business on their personal smartphone, computer, tablet or other BYOD asset. This creates a huge risk if the personal device is handed down, sold to a third party or improperly disposed of. In these scenarios, the exposure of sensitive company data may be entirely unintentional and end up becoming public."
Anscombe said that ideally, access to the organization's internal network would be allowed only on employer-provided devices because the devices would be under the management of the IT team. He also advised employers to ask their remote workforce to audit their home environment for vulnerabilities.
"There are continual disclosures regarding vulnerable Internet of things devices, and this is an excellent time for employees to take action on securing them with strong passwords and updating their software to the latest versions," Anscombe said. Employers can also consider installing a monitoring app to scan home networks for vulnerabilities, outdated software or default passwords that need to be changed.
For companies that allow access to e-mail and cloud services from an employee's personal device, Anscombe recommended enforcing the same endpoint security rules for antivirus software and customized firewalls as with employer-managed devices.
"If necessary, furnish the employee with a license for the same solutions used on the organization-owned devices," he said. "If you need extra licenses, then contact the provider. They may have solutions to cover you through this unprecedented event."
Limiting the ability to store, download or copy data on personal devices and setting controls on the use of external devices such as USB drives are additional options. "Company information should never be downloaded or saved to employees' personal devices or cloud services, including employee computers, thumb drives, or cloud services such as their personal Google Drive or Dropbox accounts," Buontempo said.
Authentication and Authorization
The rapid shift to working from home has increased the need for multifactor authentication, monitoring of access controls and strong passwords.
"Make sure solid firewall and passcode protections are in place for accessing company systems," Rembiesa said.
For remote workers, having the right access to the right applications is critical for success, said Joseph Carson, chief security scientist at Thycotic, a cybersecurity firm in Washington, D.C. "A strong identity and access management solution will help automate the ability to switch or provision remote workers to the appropriate access methods and technologies," he said. "Implementing 'least privilege' means granting only the minimum permissions required by an end user, application, service task or system to perform the jobs they have been assigned … to help reduce the risk of exploitation without impacting productivity or involving IT."
Securing Collaboration Apps
Collaboration and messaging apps such as Microsoft Teams, Slack and WhatsApp have exploded in popularity in business settings over the last five years, representing an opportunity for hackers to use the platforms to infiltrate enterprise networks and gain access to sensitive company data.
"Consumers—who are also employees—have gotten used to and like this method of communication," said Anurag Lal, president and CEO of NetSfere, an enterprise messaging platform based in Chicago. "The challenge is that these platforms were never built to be secure at the enterprise level, where not only do you have to be sure that communications are secure when in transit, but also that the data is kept secure on users' devices and when at rest within the network."
Full control of these platforms by the enterprise is also important. "Anybody can build a group and start sending messages on WhatsApp, for example, and inadvertently include someone or forget to remove someone who should not be in the group," Lal said.
Just last week, he was mistakenly invited into a Fortune 500 company's confidential business continuity planning group via WhatsApp. He explained that to ensure data security, IT must control the distribution and use of the service and make sure the product is fully encrypted.
David Creelman, HR thought leader and the CEO of Creelman Research in Toronto, said that employers can try to ban the use of popular but not approved communication methods, "but we need to accept that humans will inevitably circumvent the policy. That means we need a second layer of defense: education. HR professionals need to be educated and reminded which data is so sensitive that they must never take a risk with it. If employees' compensation data or medical data or psychometric assessment data is revealed, that's very serious."
Additional Work-from-Home Cybersecurity Tips
- Monitor employees' remote-work practices. "Any potential for mischief or data abuse may be heightened in a work-from-home environment," Rembiesa said. "Remember that most data breaches are caused by insiders, not outside hackers."
- Be alert against phishing tactics in phony e-mails. "Remind users to be suspicious of e-mails from unknown sources and to not open file attachments or click on links," Alert Logic's Birk said. "Stress the fact that cybercriminals will seek to capitalize on the current chaos, and make sure people know to exercise extreme caution with any e-mail that asks for credentials or other sensitive information."
- Encrypt sensitive information, such as personnel, medical or financial records that are stored on, sent to or sent from remote devices. "Full-disk encryption of the computer's hard drive ensures that even if the device falls into the wrong hands, the company's data is not accessible," Anscombe said.
- Provide cybersecurity awareness training, and keep IT resources well-staffed. Remote employees should have ready access to contact information for critical IT personnel to whom security incidents can be reported and who can assist with technical issues. "Remote workers need to have clear communication protocols for IT support and for crisis management if they encounter unusual or suspect issues that could be the result of a breach," Anscombe said.
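Birk's phishing advice above can be partly automated at the mail gateway rather than left entirely to users. The following is an added example, not code from Alert Logic or any product named in this article, of a heuristic screen for the indicators he describes: an external sender asking for credentials, a Reply-To that points somewhere other than the sender, a display name that impersonates an internal address, and an executable attachment. The corporate domain (example.com), the phrase list and the three sample messages are constructed for the example; a real deployment would feed the findings to the mail filter or the SOC rather than act on them alone.

```python
"""Heuristic screening of inbound mail for credential-phishing indicators.
Added example; the corporate domain, phrase list and sample messages are constructed."""
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumed corporate domain (constructed)
CREDENTIAL_PHRASES = (
    "verify your password", "confirm your credentials", "re-enter your login",
    "update your account", "account will be suspended",
)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def screen_message(msg: EmailMessage) -> list[str]:
    """Return the indicators found, in a fixed order; an empty list means nothing suspicious."""
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    if from_domain not in INTERNAL_DOMAINS:
        findings.append("external-sender")
    # Display name that embeds an internal address while the real sender is external,
    # e.g. "ceo@example.com" <someone@gmail.com>; mobile clients often show only the name.
    if "@" in from_name and _domain(from_name) in INTERNAL_DOMAINS and from_domain not in INTERNAL_DOMAINS:
        findings.append("display-name-spoof")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body is not None else "").lower()
    subject = msg.get("Subject", "").lower()
    if any(p in text or p in subject for p in CREDENTIAL_PHRASES):
        findings.append("credential-request")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{name}")
    return findings


def sample_phish() -> EmailMessage:
    """Constructed credential-phishing message with a lookalike sender and an .exe attachment."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@vpn-reset-portal.net>"
    m["Reply-To"] = "recover@mail-reset.co"
    m["To"] = "jane.doe@example.com"
    m["Subject"] = "Urgent: your VPN account will be suspended"
    m.set_content("Please verify your password within 24 hours at http://vpn-reset-portal.net/login")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="VPN_Update.exe")
    return m


def sample_spoofed_name() -> EmailMessage:
    """Constructed executive-impersonation message: internal address in the display name only."""
    m = EmailMessage()
    m["From"] = '"ceo@example.com" <ceo.office@gmail.com>'
    m["To"] = "jane.doe@example.com"
    m["Subject"] = "Quick favor"
    m.set_content("Are you at your desk? I need a quick favor, reply to this message.")
    return m


def sample_benign() -> EmailMessage:
    """Constructed ordinary internal message."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@example.com>"
    m["To"] = "john.roe@example.com"
    m["Subject"] = "Q2 planning notes"
    m.set_content("Here are the notes from this morning's call.")
    return m


if __name__ == "__main__":
    for build in (sample_phish, sample_spoofed_name, sample_benign):
        print(build.__name__, screen_message(build()))
```

Each finding is a reason for the gateway to tag the message or for a user to pause before entering credentials; the "external-sender" indicator on its own is normal for most business mail, so it is the combination with a credential request, a mismatched Reply-To or a risky attachment that should drive a block or an alert.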