Working from home, which used to be relatively rare, is now the default mode for many businesses due to the COVID-19 pandemic. While this allows businesses to continue functioning while reducing employees’ chances of getting infected by the coronavirus, it also opens up the company to several new and amplified cyber risks.
According to James Holtzclaw, senior vice president, cybersecurity consulting and advisory services at Marsh Advisory, remote work presents an increased attack surface for potential cybercriminals.
“Remote workers often use Wi-Fi that is available at their work location, such as at home, coffee shops, or hotel lobbies,” Holtzclaw told Corporate Risk and Insurance.
“Many of these Wi-Fi networks are unsecured to allow use by customers with many types of hardware/mobile devices. In the case of home networks, they are very often set up in default mode that allows devices to connect without passwords and share data, including Wi-Fi enabled appliances, baby monitors, door security cameras, and all sorts of Wi-Fi enabled devices. Your corporate mobile device may be using this Wi-Fi network also. Most companies leverage and use virtual private networking (VPN) to establish and secure the corporate endpoint (corporate mobile device), but that does not mean that the corporate endpoint is not exposed to additional cyber threats.”
Another risk is that the expanded remote workforce makes cyber incident response more complex. According to Holtzclaw, companies need to think through in advance how they would isolate the operating environment of a remote employee whose computing device is involved in a cyber incident – how they would collect data, how they would perform the necessary forensic analysis to determine the exact cause, and how they would remedy the situation. This, he said, must be accomplished in a timely, efficient, and effective manner.
Furthermore, there is a major lack of employee understanding of the security implications of connecting to an unknown or untested network.
“Before employees connect to any available internet connection, they should consider the security, or lack of security, of the network they are connecting to,” Holtzclaw said. “If there is any doubt as to the security of the network, it may be better to work offline or locate a more secure network. Potential alternatives include enabling the local Wi-Fi hotspot feature of many company-provided mobile phones, a corporate wireless access point (WAP), or even a personal hotspot instead of using the coffee shop or hotel network for their work. Employees who use corporate mobile devices should also have a basic understanding of how to securely connect their mobile device to the company network and ensure protection of corporate data, infrastructure, and systems.”
How can these risks be addressed?
Fortunately, businesses can do something to mitigate the above-mentioned risks. With regard to the increased attack surface, Holtzclaw advised businesses to augment the use of VPNs for all remote workforce devices, and to scan these devices for access by unauthorized software or hardware before allowing them to connect.
“Companies should lock down remote devices where possible to help reduce the possibility of cyber incidents without negatively impacting the user experience,” he said. “In addition, companies should disable split tunnelling for VPN profiles to ensure that remote employees cannot access the internet directly without going through the corporate network. This will ensure that corporate content filtering and access to unauthorized internet sites are not bypassed.”
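A compliance check for the no-split-tunnelling policy described above, as an added example that is not from the article or from Marsh. It assumes WireGuard-style client profiles (the article names no VPN product); the sample profiles, hostname and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample profiles in WireGuard client syntax (an assumption).
FULL_TUNNEL = """
[Peer]
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0   # two /1s still cover all of IPv4
Endpoint = vpn.example.com:51820
"""
SPLIT_TUNNEL = """
[Peer]
AllowedIPs = 10.0.0.0/8, 192.168.0.0/16
Endpoint = vpn.example.com:51820
"""
V4_ONLY = """
[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
"""

def routed_networks(profile_text):
    """Collect every network listed on any AllowedIPs line of the profile."""
    nets = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def tunnel_coverage(profile_text):
    """Per address family: does the tunnel carry the whole address space?"""
    nets = routed_networks(profile_text)
    result = {}
    for version, whole in ((4, "0.0.0.0/0"), (6, "::/0")):
        family = [n for n in nets if n.version == version]
        # collapse_addresses merges adjacent/overlapping ranges, so
        # 0.0.0.0/1 + 128.0.0.0/1 is recognised as a full tunnel.
        collapsed = list(ipaddress.collapse_addresses(family))
        result[f"ipv{version}"] = collapsed == [ipaddress.ip_network(whole)]
    return result

def is_split_tunnel(profile_text):
    """True if any IPv4 or IPv6 traffic can leave outside the tunnel."""
    return not all(tunnel_coverage(profile_text).values())

if __name__ == "__main__":
    for name in ("FULL_TUNNEL", "SPLIT_TUNNEL", "V4_ONLY"):
        print(name, tunnel_coverage(globals()[name]))
```

The `V4_ONLY` case is flagged because IPv6 traffic would bypass the tunnel, and with it the corporate content filtering, on any network that offers IPv6.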
To address the increased complexity for cyber incident response, companies should update their cyber incident breach response plans for the expanded remote workforce and practice these plans through tabletop exercises with IT and security staff, and with senior management.
“Such exercises can improve the participants’ awareness of the decisions and actions that need to be taken in response to a cyber incident,” Holtzclaw said. “Additionally, companies should increase logging on remote devices where possible – and regularly analyse the log data to improve detection of cyber incidents.”
As for the lack of employee understanding, nothing beats good old knowledge. By holding training sessions, companies can increase remote workers’ understanding of the possible risks of connecting to untested or poorly secured networks, and the security advantages of working offline where possible.
What’s in store for remote working?
“I believe that the COVID-19 pandemic has changed the corporate workforce forever,” said Holtzclaw. “Many companies have already made changes to their IT architectures and networks for the permanent increase of bandwidth and secure solutions such as VPNs, while at the same time reducing their corporate real estate footprint. These companies are continuing to adapt and change the way we work to provide for a more remote workforce while increasing the security of remote connections to corporate devices by leveraging available networks, and, at the same time, they are updating their cyber incident response plans to adapt to the changes in their networks.”
He also said that, according to many published articles, many employees have welcomed the change to the way they work.
“The changes allow both employees and companies to leverage flexible work hours while also meeting personal obligations,” he added. “Many companies are calling the remote workforce ‘the new normal’ and are adopting and changing previous rigid and inflexible workspaces, conditions, and requirements while also improving business resilience. This can be seen across many companies and various industries, and also includes local, state, and federal government organizations.”