As a category of cybersecurity challenges, few are more diverse or more formidable than remote work. The sheer number of different remote work IT scenarios makes it almost impossible to say: "This is how every organization should implement security when its information systems are used remotely." However, this article will help identify and address key elements of cybersecurity that are applicable across multiple remote work scenarios, particularly in the now crucial subcategory: working from home.
How remote working impacts cybersecurity
Of course, remote work is not a new phenomenon. Even before the COVID-19 pandemic instigated what Censornet CEO Ed Macnair dubbed "the world's first-ever mass migration of office-based employees to remote working," more than half of the world's employees were already working outside of their main office headquarters for at least 2.5 days a week, according to a 2019 survey from office space provider International Workplace Group.
But the imposition of home working due to COVID-19 represented an extraordinary challenge for organizations and employees unaccustomed to using IT systems in this way. The sudden and widespread shift to remote work had to be handled at speed, at scale and in the middle of a far-reaching, global crisis that drastically increased the level of opportunistic cybercriminal activity.
Common remote work cybersecurity challenges amplified by COVID-19
Remote work cybersecurity risks exacerbated by the pandemic include a potent mix of both technical and human challenges:
- an expanded attack surface of additional devices and connections, many not optimized for security (personal devices such as home computers, tablets and phones or consumer-grade networking equipment);
- a massive increase in targets and target locations (company data in employee homes or company staff deputized as de facto frontline information system defenders);
- an array of large but uneven impacts on business, potentially reducing or diverting cybersecurity budget and resources, even as the need for those resources escalated; and
- a deeply criminogenic climate of fear, uncertainty, doubt and urgency (household incomes threatened, reduced or lost; elevated risks to family health; fractious political and social climate; rapidly changing circumstances, rules, regulations and advice).
An unprecedented number of people are now susceptible to the kinds of errors and misjudgments that enable many forms of cybercrime. At the same time, cybercrime is likely to be more appealing to a wider group of people, a group that may include some of an organization's current or recently released employees. How should organizations address the new threat landscape?
Ways to address remote working cybersecurity concerns
The responses needed to address these security risks are also a mix of technical and human. A good place to start is where the end user meets the endpoints of an IT infrastructure.
- If you are lucky, your organization has a history of enabling secure remote work for a significant percentage of employees. So, you have already implemented a "no work on noncompany computers" policy by issuing employees with company-configured, remotely managed, multifactor authentication (MFA)-defended laptops, tablets and phones -- all endpoint-protected and securely bound to the corporate network via technologies such as VPNs and software-defined perimeter (SDP). If your organization is particularly fortunate and/or well managed, employees will have been trained to use, accept and support this regimen.
- What about employees who, before 2020, only ever did company work on company desktop computers anchored to company desks? Again, some organizations had already virtualized those systems with some form of virtual desktop infrastructure. If office-bound employees are already using VMs, moving those to a home environment from which they can use a dedicated and encrypted remote connection to the company network is a viable option.
- So, what about the less lucky organizations, those who entered 2020 with little working knowledge of remote access and concepts such as desktop virtualization, MFA, zero trust, VPN and SDP? Clearly, they have faced a steep learning curve and a heavy demand on IT resources. If there is good news here, it's the wealth of well-established options that can be implemented, whether that is VMs on the corporate servers, accessed via a VPN protected by MFA, or a cloud-based solution combining SaaS and IaaS.
Some less technical but vitally important responses to the 2020 shift to work from home are applicable to a wide spectrum of organizations, not just remote access newbies; these include training, incident response and security audits.
Lack of security awareness training exacts steep cost
Organizations neglect security awareness training for work-at-home employees at their peril. For example, in 2019, IBM found that the number of insider incidents involving credential theft -- which training can combat -- had tripled in frequency since 2016 and doubled in cost. A 2020 U.K. survey found 39% of employee-related breaches were caused by malware downloaded accidentally via fraudulent links, followed by phishing attacks, responsible for 35% of infections.
Security awareness training tailored to home remote work
For organizations introducing new technologies, procedures and policies to handle working from home securely, the need for employee security training would appear to be obvious. However, surveys by ESET and CompTIA a few years ago found that over 30% of employees had received no cybersecurity training at their organization and only half of companies were performing training on an ongoing basis. In the U.K., software company Specops recently found that, across 11 different business sectors, 42% of employees had not been provided with any extra training since working from home.
Assuming you have the backing and resources to provide employees with work-from-home security awareness training, make sure the content addresses issues unique to working in the home, which is quite different from working in a hotel room, customer facility or coffee shop. For example, while advice on avoiding public Wi-Fi still applies, security protocols should be reinforced for other risks, including the following:
- configuration of home Wi-Fi;
- rules on locking unattended devices;
- not sharing devices with other family members; and
- protecting devices from burglary.
There are several good reasons for making sure people working from home are still managed and monitored, not least being the real possibility that a less structured environment may tempt some employees to adopt a more relaxed approach to security policies. Pay attention to morale, and try to be as supportive and positive as you can, bearing in mind that these are deeply stressful times for families and communities, even if your particular organization is doing OK.
Update your incident response plan, cyber-risk insurance, security audit
Sadly, even if your organization does a good job on both the technical and human sides of the remote working cybersecurity challenge, the possibility of a security incident remains. This means you must make sure your incident response plan and playbook have been updated to cope with changes imposed by the pandemic -- e.g., "assemble crisis response team in the third-floor conference room" may not be physically feasible right now.
While many organizations have become accustomed to remote meeting tools, like Zoom and Microsoft Teams, now might still be a good time to tabletop some scenarios from your incident response playbook under the "new normal" conditions to make sure all critical processes are feasible. Now would also be a good time to review your cyber-risk insurance to make sure work-from-home risks are not excluded.
And what about a security audit to make sure that the changes wrought by the need to work from home have been made securely? Avoid putting off this and other actions because "we'll be back to normal soon." It is quite likely that, as Rich Mogull said in his recent SearchSecurity article on cybersecurity for remote workers: "We have to accept that our current plans are not stopgap measures, but our new core operating model for the foreseeable future."