The COVID-19 pandemic caught most of the world, including many information technology (IT) shops by surprise, to put it mildly. While many organizations had business continuity plans (BCPs) in place, few had taken the extreme measures required for ensuring telework security for pandemic response.
Why? Because many of even the most rigorous BCPs didn’t cover the possibility that most or all of an organization’s employees would be forced to work from home for an extended period of time. As a result, businesses hastily transitioned their workforce to telework, often without adequate preparation.
While many organizations have now achieved a base level of productivity and security for their remote workforce, ensuring that employees use a virtual private network (VPN) alone when working from home is not enough to counter the many threat actors seeking to exploit this new opportunity to compromise their targets.
As “shelter in place” orders persist - and many companies consider shifting to broad remote work strategies even after the crisis has passed - it is important to consider the security risks posed by a remote workforce.
Organizations with employees working from untrusted networks and devices face a much wider range of cyber threats versus people working within the confines of an on-premises environment.
Before COVID-19, only 41% of organizations had a telecommuting program. As a result, when the COVID-19 pandemic forced a rapid switch to telework, these organizations lacked sufficient company-owned devices configured and secured for working remotely.
Additionally, if a security event occurs within the remote workforce, response time is likely to suffer from incident responders working from home. Complicating the incident response process increases the potential cost and damage incurred by the organization.
Even before the pandemic, one in five data breaches were caused by employee negligence, where the employee accidentally contributed to the breach. Keep in mind, this was during a time when employees were generally working from the office, and cybercriminals were not taking advantage of a global crisis.
Employees accustomed to working from the office may not be aware of the dangers. For instance, when working from home, employees are more vulnerable to phishing emails, whether on personal or business accounts. In fact, Google reports the number of active phishing websites has increased from 149,195 in January to 522,495 in March. That’s an increase of 350 percent in the first quarter of the year!
Additionally, if the organization was unprepared with a robust network architecture capable of shouldering the load of remote work en masse, network performance will be impacted. And as we’ve seen in other scenarios, when the network is slow, an employee is more likely to bypass security protections to continue working. If the organization lacks an adequate monitoring architecture supporting the remote environment, an employee can achieve this under the radar.
Telework security requires infrastructure capable of supporting a remote workforce and the ability to block “shadow IT” solutions that bypass security protections.
Webinar on-demand: Listen to Securing Remote Workers; Fact & Fiction
Many employees assume software-as-a-service (SaaS) applications, such as Salesforce and Office 365, are inherently safe to use from home. After all, many organizations have adopted these applications for core business practices.
The safety of these applications relies in large part on being configured correctly and specifically for the organization using them. Unfortunately, this is a common point of failure. According to Gartner, 99% of data breaches in the cloud through 2025 will be caused by the customer’s failure to properly configure and secure their cloud-based resources.
If an organization has misconfigured SaaS assets for telework security and lacks visibility into how its remote workforce is using the technology, the business could be leaving its employees and cloud-based assets open to attack.
Many organizations are required to be compliant with a range of data protection regulations, such as GDPR, CCPA, HIPAA, PCI, and NIST. These laws require that the company properly secure the protected data, regardless of its location.
Many organizations' compliance strategies are based on the assumption that processing sensitive data will largely or exclusively occur on-site. A remote workforce, which could include employees working from foreign countries, violates this assumption and could introduce a number of new threats to data security and an organization’s “compliant” status under applicable regulations.
Webinar on-demand: Listen to Securing Remote Workers; Fact & Fiction
Employees working from a home office and personal devices may have a different mentality than when working from their desk at work. For instance, if an employee shares work devices with family members or insecurely stores them, someone may gain unauthorized access to company data or resources, or a family member’s actions may inadvertently introduce a threat to the environment.
Common attacks like phishing and browser exploits are all the more dangerous in today’s environment. To prevent this, an organization should require a secure and robust solution for user authentication.
When a user’s password may be written on a sticky note on the machine or more easily leaked in a data breach, additional protections, such as multi-factor authentication and corporate resources protected by a zero-trust security model, are essential for secure telework, especially over key resources such as cloud-based email or collaboration tools.
Supporting telework security means that an organization must address considerations that do not exist for on-site workers. However, remote work can be a good option for an organization if implemented in a secure fashion.
Next, we explore "The Importance of Identity Management and Governance for Telework Security" to explain how to secure remote employees' access to sensitive data.
Check out our webinar-on-demand, “Securing Remote Workers; Fact & Fiction”, for practical tips to inoculate your remote workforce against malware, phishing, and other attacks so you can Show No Weakness.
If you'd like help ensuring your telework security, know that we're here for you. Reach out to start the conversation.