How this Impacts Security
By Metin Kortak, Chief Information Security Officer, Rhymetec
As the post-pandemic business recovery continues, executives are trying hard to persuade workers to return to the office. Employees aren't buying it: McKinsey research found that 58% of people surveyed prefer to work remotely at least part of the week. This trend changes a company's attack surface and can make it harder to achieve and maintain regulatory compliance. Instead of struggling to get employees to conform, organizations should focus on implementing cybersecurity controls designed for a remote workforce. That means understanding the main threats to your business, the steps you can take to safeguard your systems, and how to ensure remote workers don't put your company, or your customers, at risk.
Potential Security Risks of a Remote Workforce
Remote-access technologies are exposed to more external threats than systems that stay inside the office network. The National Institute of Standards and Technology's telework guidance (SP 800-46 Rev. 2) tells organizations to assume that external environments are hostile, that telework devices will be lost or stolen, and that malicious parties will attempt to take control of those devices to steal sensitive data or reach the internal network. Common threats faced by companies with remote workforces include:
The Human Factor
Humans are almost always an organization's largest cybersecurity risk. Human error, negligence, social engineering, deliberate or unintentional sabotage, accidental leaking of credentials, and falling victim to phishing or malware are all ways staff can enable an attack regardless of where they work. When workers operate outside the office, these risks increase for several reasons, including:
- Using personal computers and mobile devices, which the organization cannot patch or monitor, to access company systems
- Connecting over untrusted networks, such as public Wi-Fi
- Unintentional exposure of confidential information to other people in their surroundings (shoulder surfing, overheard calls, shared printers)
- Weaker physical security of endpoints, which are more easily lost or stolen outside the office
An organization can have the tightest network and data controls available, and they still will not stop an employee from making a mistake that turns into a security incident. Security awareness training combined with remote endpoint controls (so that a single mistake is contained rather than fatal) reduces both the likelihood and the impact of those mistakes.
PII Exposure
Unauthorized exposure of personally identifiable information (PII) is one of the issues that arises from the human factor. PII is any data that can directly or indirectly identify a customer, employee or other stakeholder. Many individual PII elements are not very useful on their own, but combined with one or more additional data points they can identify a specific person. Sensitive PII can include:
- First and last names
- Date or place of birth
- Residential or business address
- Telephone numbers
- Photos or fingerprints
- Social security numbers
- Financial information
- Digital credentials
- IP addresses
- Ownership records, e.g., VIN or title deed
- Biometric data
Any type of PII should be shielded from unauthorized users and protected at rest, in transit, and while it is being analyzed or shared.
Inadequate Passwords
It's hard to believe, but research shows more than 23 million accounts still use the password "123456." Compromised credentials are consistently one of the top causes of breaches (they were involved in 61% of breaches in Verizon's 2021 Data Breach Investigations Report), so fixing this problem makes a measurable difference to a company's security. Requiring strong, unique passwords, screening them against known-breached password lists, and pairing them with a second factor are critical to protecting an organization's systems.
Insecure Collaboration
As the remote working trend continues, companies are increasingly reliant on collaboration, document sharing, and messaging apps such as Microsoft Teams, Slack and WhatsApp. These apps were used before remote work, but the dependency has increased dramatically now that the face-to-face interaction of a traditional office is gone. Employees have become accustomed to using these platforms freely. Consumer messaging apps such as WhatsApp were never built for enterprise control, and even enterprise platforms such as Teams and Slack are frequently deployed without the access controls, guest-access restrictions, retention rules and data-loss prevention settings they offer. Shared links, attachments and pasted credentials in chat therefore give attackers a convenient route to sensitive company data.
Best Practices to Support Robust Cybersecurity
Just like most company premises have onsite security to prevent physical intruders, organizations can take various steps to ensure their cyber safety regardless of whether employees work on-premises or remotely. Some of the most fundamental measures to put in place are:
- Utilize Endpoint Management Tools
All remote workers should use computers with baseline security controls: reputable anti-malware or EDR software, full-disk encryption enabled, a screen lock, and strong passwords. Organizations often require remote employees to use a VPN; note that a VPN encrypts traffic between the device and the corporate network, not end to end and not on the device itself, so it does not replace disk encryption or endpoint controls. Endpoint management software is a crucial first step because it lets you enforce and verify these settings remotely instead of trusting that each employee has configured them.
- Use a Password Manager
Companies should require every employee, remote and on-premises, to use a password manager such as 1Password or Dashlane. These applications generate unique passwords and store and manage many sets of login credentials. When workers need to share credentials or keys with other authorized users, password managers can share them through an encrypted vault rather than over chat or email.
The programs can also prompt users to change weak or reused passwords, and some monitor for and alert on credentials that appear in a data breach or dark web sale. Note that current NIST guidance (SP 800-63B) recommends against forcing routine periodic password changes; passwords should be changed when there is evidence of compromise, not on a calendar.
- Provide Employee Cybersecurity Training
Train all workers, remote and otherwise, in basic information security and in how social engineering actually works (pretexting, urgency, impersonation of IT or executives). Impress on all employees the importance of locking their devices whenever they step away and never sharing their devices or passwords with others, including family members.
- Protect PII with Protocols
Implement security controls to protect company PII. These could include least-privilege access control, session time-outs, logging of access to PII, and other user restrictions. Ensure all employees understand the risks and consequences of sharing PII, even unintentionally.
- Require Multi-Factor Authentication
Multi-factor authentication (MFA) is one of the most effective controls any company can deploy. MFA should be enabled on every account and service that can reach company systems and data, starting with email, VPN, identity provider and administrative accounts. It means a stolen or guessed password is no longer enough on its own. Not all factors are equal: SMS codes and simple push approvals can be phished or fatigued, while phishing-resistant methods such as FIDO2/WebAuthn security keys cannot be replayed to a look-alike site.
- Pay Attention to Security Alerts
Teach employees to pay attention to security alerts, new-device notifications, and password change emails, and to review their account activity. They should check the list of devices and sessions signed in to their accounts and remove any they don't recognize, and they should treat unexpected MFA prompts as a sign that someone else has their password. Encourage workers to raise the alarm any time something looks out of place; attackers regularly find new ways to target unsuspecting users, and an early report is far cheaper than a late one.
- Keep Devices Up to Date
Develop a system for keeping all employee devices up to date, ideally automated through the endpoint management tool rather than left to individuals. Many software updates contain critical security fixes, and delaying them leaves known, often actively exploited, vulnerabilities open.
- Avoid Opening Spam Emails
Educate workers not to open unexpected attachments, click links, or download files from unrecognized senders, and to be equally wary of messages from known contacts that arrive out of context. Any unexpected request for credentials, payments or data should be verified through a separate channel (a known phone number or chat, never by replying to the message) before acting on it.
What Remote Workers Should Do if They’re Compromised
One of the drawbacks of employing a remote workforce is that employees don't have immediate, in-person access to their IT department or anyone who can help them determine whether they have been compromised. If any worker notices suspicious activity on their devices or accounts, they should:
- Immediately disconnect from their current network (Wi-Fi/LAN), unless the security team has told them to stay connected so it can investigate remotely
- Turn off Bluetooth
- Stop using the device, but leave it powered on and do not delete anything, so that evidence is preserved
- Report any missing or stolen devices without delay so they can be remotely locked or wiped
- Reach out to the IT security team from a different, known-good device
A SaaS company aiming to serve customers must ensure it complies with the security requirements of its industry. Whether those are SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, or other frameworks and regulations, implementing the controls these standards require will help protect it against the risks posed by a remote workforce.
About the Author
Metin Kortak has been the Chief Information Security Officer at Rhymetec since 2017. He started his career in IT security and gained extensive knowledge of compliance and data privacy frameworks including SOC 2, ISO 27001, PCI DSS, FedRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA.
Metin joined Rhymetec to build its Data Privacy and Compliance as a Service offerings; under his leadership they have grown to more than 200 customers, and Rhymetec is now a leading SaaS security service provider in the industry. Metin splits his time between his homes in California and New York City, and in his free time he enjoys traveling, exercising, and spending quality time with his friends.
Metin can be reached online at https://www.linkedin.com/in/mkortak/ and at his company website https://rhymetec.com/
Source: www.cyberdefensemagazine.com