How secure is remote working?

June 5 2020
The Coronavirus pandemic has resulted in a significant and rapid shift to remote-working for millions worldwide. It is not an exaggeration to say that remote-working has been able to save many organisations/businesses from going under.

How is remote working made possible?

Remote working is only possible because of technological advances such as improved internet speed and connectivity, cloud computing, and mobile apps.

What are the potential security risks?

Whilst remote-working is enabling many organisations to keep functioning, it brings with it a number of challenges, notably from an IT security perspective. When all employees are concentrated in one physical location, IT support and protecting the IT infrastructure is made simpler as the scale of the attack surface is reduced.
However, when a large workforce is dispersed geographically and users are all logging into systems from a variety of devices, keeping the company network secure becomes far more challenging.
The fact that most organisations will be using online and cloud-based systems means that nearly all employees will have to access the Internet to gain access to the relevant company systems. This increases the number of potential access points to the central systems and gives cybercriminals more opportunities to exploit any vulnerabilities. Cyberattacks can result in severe damage to an organisation’s finances and/or reputation.
The most common cyberattacks are:
DDoS attacks – Distributed Denial-of-Service (DDoS) attacks attempt to take websites offline by flooding their systems, networks, or servers with a high-volume of requests that they cannot handle – causing them to crash.
Formjacking – This involves inserting malicious code (usually JavaScript) into online payment forms in order to capture customers’ card details.
Malware – Malware is a generic term for any file or program that aims to harm/disrupt a computer or network. The most common types of malware are ransomware, spyware, Trojans, and viruses/worms.
Phishing – Phishing is a method of tricking people into divulging confidential or sensitive information, often by sending an email that is made to look as though it is from a known contact or official/trusted organisation. Many of these fake emails are extremely well-crafted and it is not always obvious they are not genuine.

How can these risks be mitigated?

Whilst the risks outlined above are clear, there are a number of ways in which they can be tackled/mitigated.
Training – Your employees can be your first-line of defence, but only if they are well-trained and fully aware as to how to work more securely. Human errors are responsible for a significant percentage of cybersecurity breaches, so staff who are knowledgeable and aware can really help.
Device Management – This is software installed to protect the hardware and software installed so it can be managed remotely by IT. This applies to both company owned devices and BYOD (Bring Your Own Devices) to ensure they are and remain compliant with security polices. In addition, if a device is lost or stolen, company data can quickly be erased or the device disabled.
Endpoint protection – Multiple endpoint devices (laptops, dongles, USBs) will be used by employees. Because these are not in a central location, they are harder to protect. It is therefore vital that they have the latest security software installed on them. Ideally, this should be installed before the devices are given to employees, but this is not always possible if they are using their own devices.
VPN – A Virtual Private Network (VPN) can enhance security by enabling each user to have their own encrypted connection when accessing company data on internal systems.
Restricted access – The more people who have access, the greater the risk, so it makes absolute sense to only give users access to the software/programs that they actually need. Even when doing this, you should look at multi-factor authentication to make sure the correct people have the correct access.
Good password protocols – Practising good password hygiene can make systems much harder to break into. So make sure that users are prompted to change passwords regularly and that they can’t use the same ones across multiple programs. It may be worth teaching them how to use password managers as these always generate complex passwords that hackers cannot guess.
The UK has witnessed a seismic change in the way people work throughout early 2020, the biggest change being undoubtedly the huge leap in the numbers of people working from home. According to the Office of National Statistics, in 2019 only 30% of employees worked from home, yet as a direct result of the Covid-19 pandemic, this is predicted to rise to at least 50% of the UK workforce throughout 2020.
One of the biggest changes for workplaces is the need for online conference and video conferencing calls and software. There is no doubt that being able to connect remotely to our work colleagues is essential if we are to maintain the momentum and energy that come with working in physical offices and buildings.

The boom in conference calling

Businesses are already familiar with conference calls for occasional meetings, client briefings and training. The Covid-19 crisis, however, will take the reliance upon conferencing software to another level. No longer will it simply be the odd meeting that will be conducted in this way; now the majority of business will take place over video calls and emails. The role of IT security just took on a whole new dimension and it is essential that businesses are not only prepared to provide safe and secure systems in the office, they must also implement ways to ensure the whole workforce complies and follows suit.
The pandemic has catapulted once small conferencing software suites into multi-national business channels. Zoom and Facebook live are in direct competition and Zoom has seen an increase in active daily usage to 300 million users.

Data is knowledge and power

The huge popularity of Zoom, Facebook and other video-conferencing software packages has revealed a vulnerability in the system. According to the Fox news channel in the US, ‘hacked zoom accounts are being sold on the dark web in the thousands’. The huge spike in demand recently revealed vulnerabilities in the software which were not apparent before. Business meetings have been interrupted as hackers join calls and listen in to business meetings and potentially sensitive information.
Data ownership and dissemination is now big business. As companies become ever more stringent as to what data they keep and what they share due to stricter GDPR rules, this has effectively given data a whole new value. Anyone with an unscrupulous desire to access and distribute data can earn a lot of money. The data can be used by businesses and individuals to sell their products and heavily market themselves.

Businesses need to put IT security at the top of the agenda

As the world acclimatises to the ‘new normal’, business leaders must look forward. They need to plan for a workplace where only half or even fewer of their employees will be on site. Giving employees access to the company network and video conferencing facilities will need to be heavily risk assessed. Companies must implement rules and provide guidance to their employees as to how they should and shouldn’t connect, which email systems they should use, and more importantly, which video-conferencing software they advocate.
Investment in technology for home workers should be the job of the employer, but more importantly, investment in clear guidance, processes and disciplinary procedures should also be clearly laid out. The sooner employers create a new working infrastructure with stringent rules and regulations regarding what should and should not be done from home, the sooner businesses can start to function again and the wheels of industry can once again begin to turn.

Most employees do not consider security issues when working from home

According to a new survey from VPNOverview.com, almost 70% of UK workers have given no thought to the cybersecurity implications of working from home. The survey quizzed 2043 employees across the UK and concluded that most were lacking in awareness of both the threats and their potential solutions. That means they could be putting their organisational networks and data at risk. The survey was conducted in the wake of the mass shift to homeworking caused by the Covid-19 pandemic and consequent office closures.

Shifting operations to remote workers brings some new challenges from the tech-security perspective. Many employees are connected to their work’s central networks for long periods, which means there is potential access to sensitive data for much longer periods of time. They also tend to have significant amounts of company equipment such as laptops and phones at home.

Despite this lax attitude, almost half of people surveyed said that they believed they could lose their job if one of their company devices was compromised. A third of those questioned admitted not having password-protected their main working device, whilst a similar proportion said that they had no qualms about leaving devices in plain view of windows. One in four said they didn’t use password-protected Wi-Fi.

The study identified utilities, manufacturing, construction, engineering, and recruitment as the industries with the highest levels of cybersecurity failings. As a business owner, there are a number of things you should be doing to protect your company from cybercriminals seeking to take advantage of remote-working.

Invest in antivirus software

The cost of cybercrime can be catastrophic for businesses and one of the simplest yet most effective things you can do is to invest in an antivirus solution for yourself and all your employees – wherever they may be.

These solutions offer automatic security against a wide range of threats, including; malware, viruses, spyware, Trojans, worms, phishing scams and zero-day attacks. Cybercriminals are busy looking for new vulnerabilities they can exploit and ways to gain access to your network: antivirus solutions can detect almost all attempts and stop them in their tracks. These solutions also update automatically to stay ahead of the game.

Ensure you have a strong and secure company VPN

With everyone working remotely, it is likely that more devices than ever are connecting to your main Virtual Private Network (VPN). Unfortunately, this creates more potential ‘ways in’ for hackers to exploit.

Some of the main ways you can boost VPN security include; using more stringent authentication methods such as MFA devices; upgrading to a Layer Two Tunnelling Protocol; ensuring employees are following password protocols; and ensuring employees logon via secure networks (using wireless routers and firewalls). Also, make sure your antivirus solution also covers VPN issues.

Have clear policies

Many organisations had to move to remote-working at very short notice, so it could well be that many haven’t had time to fully update and rewrite the relevant policy documents to reflect the new situation. It is crucial for these policies to be updated, well-publicised, understandable to non-tech personnel, and that there are open communication channels for employees to raise questions about them.

Policies exist to protect both the employees and the organisation. Adherence to them should always be understood as part of a mutual agreement. Adherence also needs to be closely monitored so that common and frequent issues can be flagged and discussed in a non-accusatory way.

Be aware of email hazards

Remote selling and working entail a lot more email exchanges to replace face-to-face meetings. The dangers from fraudulent emails has therefore increased too, and it is a common way for cybercriminals to gain access to systems.

To combat this, you should ensure your employees are educated in how to spot and deal with suspicious emails. Ensure that emails are only accessed through your VPN and that every employee device encrypts stored data.

Previous Post Next Post