The View from the Remote Workplace
Working from home increases the risk to system security and data privacy.
With this guide, remote workers and independent professionals can:
- Recognize and avoid basic security threats.
- Set up effective cybersecurity practices.
- Establish effective security habits.
It’s spring 2020, a rather busy time from a cybersecurity point of view:
As spring 2020 progressed, more and more people got sick from a new pathogen. And, the total number of data breaches, IP theft, and cyber-scams exploded. Midway through March, many office workers were sent home to work indefinitely. Before we could catch our breath, we were doing everyday work in an unfamiliar workplace.
A recent CrowdStrike study of its customers showed more cyberattacks in the first six months of 2020 than in all of 2019. (That’s 41,000 in January through June 2020 compared to about 35,000 for 2019.)
Why? Because remote workers were—and are—easy targets.
The security risk of remote workplaces is nothing new. But the pandemic accelerated this trend. Modest at-home security operations are exposed to increasingly skilled and brazen cybercrooks without layers of corporate security protection.
We’ve designed this guide to provide an up-to-date picture of remote workspace security and what remote workers must do to reduce cybercrime’s business and technology risk. We’ve chosen the details to help you decide whether and how to invest time, tools, and effort in your small office security tasks.
In a 2020 Skybox report of 295 enterprise organizations, 73 percent of security and IT executives surveyed mentioned their concerns about threats created by their distributed remote workforce. That’s why work at home in 2021 is the #1 focus of endpoint cyberattacks.
Remote work operations will continue to present unique and appealing opportunities for cyberattackers. (Think of ransomware and spear-phishing.) So, securing remote workers will become a significant focus for surveyed organizations.
What’s causing the changes in threat and risk profiles?
The juicy opportunities to attack remote workplaces come from several sources:
More recently, 36 percent of security managers said they experienced an increased volume of security vulnerabilities due to remote work.
In the future, expect…
- An uptick in insider threats
- A major increase in spear phishing attacks in 2021 due to automation.
- Continued migration of business processes to the public, private, or hybrid cloud.
We wrote this guide to help remote corporate workers, consultants, and other independent professionals to:
We’ll guide you through these tasks in the following sections.
Sometimes, it seems that if we had a dollar for every time we hear “Don’t share your passwords,” we’d all be millionaires. When it’s time to battle cyberattacks, hardware and software are the tools that we usually remember.
It’s easy to roll our eyes at “good security hygiene.” But there’s a reason why security awareness is critical at remote workplaces. Cybercrooks depend on our more casual attitude about working from home. After all, the bad guys concentrate on corporate networks, where the pickings are numerous and juicy, right?
Lately, this trend has been changing. Your remote operations have a direct connection to your organization’s data resources. It takes only an instant of inattention to let unauthorized users get into your home-based system. After that, it’s off to the races and your organization’s data riches.
If we have a new cybersecurity “normal,” it would be a distributed hybrid workforce. In organizations with a DHW, one or more employees work in different physical locations. This could be in the office, home, or public workspaces.
Unfortunately, this workplace structure expands the overall threat landscape. After all, the threat landscape expands wherever we work. So, protecting data and IT infrastructure becomes more complex and challenging.
When you set up your remote work operations, don’t be surprised at the number and variety of items you must be aware of daily.
If this sounds like a bit too much to handle, no worries! Most of these “management” tasks require awareness and the development of good habits. But understanding involves recognizing potential threats and vulnerabilities. Here’s the lineup of the most worrisome threats to remote workers.
For most companies, malicious intruders are not always the proverbial cyber attackers. Many remote security problems will have the same cause as in pre-pandemic days—other employees. If there is any good news here, these threats are easier to find and manage than those created by strangers.
IBM estimates that human error causes nearly a quarter of all data breaches. Employees often accidentally compromise company data through poor security practices and technology.
Employees sometimes take advantage of the higher security risk in remote work environments by acting maliciously, stealing company data for profit, retribution, or fun. Unfortunately, insiders-as-a-service attacks have already made their appearance on the dark web.
Realistically, working from “home” can mean working from anywhere other than the office. To cyberattackers, “open” means open season on any unwary remote worker with an unprotected data pipeline to their system’s computer and their organization’s network. We don’t think twice about hopping onto open systems, but we should.
These attacks usually go undetected because they occur at a network infrastructure layer that security software solutions can’t detect. That’s why these attacks are so dangerous.
Connecting to a manipulated Wi-Fi source just once can provide bad actors with access to your organization’s network.
Think of all the peripherals you use in a day’s work: keyboards, wireless and connected mice, USB drives, chargers, etc. Cyberattackers are making peripherals their attack tools of choice. Their ultimate targets are almost always humans, unsuspecting users like you.
More remote workplaces mean more remote peripherals and a higher risk of an attack. Compromised peripherals become rogue devices. They perform their regular duties along with harmful behavior directed by malicious intruders.
Your system is unlikely to notice rogue devices, which can cause damage to your operations. Your peripherals look and act as you expect them to. They provide the standard identifiers, which your computer will recognize as legitimate. Don’t expect security alarms or notifications when rogue device attacks occur.
Man-in-the-middle (MitM) attacks—and the damage they do—have been the topic of headlines for years. But hackers, especially those who target mobile devices, are becoming more versatile and using more sophisticated methods.
In these attacks, intruders search for and secretly enter the private communications of a message sender and receiver. Neither party of the communication knows that an intruder has entered the data flow and has perhaps changed the transmission.
Malware—the name says it all. We’re talking about bad software, which can deliver harm in many ways. The outcome depends on its code.
Ransomware. This type of malicious program blocks access to your device until you pay a fee to its creator. This exploit is expensive and difficult to remove. In April 2020, Coveware reported a jump in average ransomware payments to more than $111,000, a 33-percent increase over the previous quarter.
Since the start of the pandemic, ransomware has been more than malicious. Now, it’s deadly. In a September 2020 incident, ransomware played a part in the death of a patient in Germany.
Data breaches. Do you want to steal customer, patient, or employee data? Or maybe some juicy intellectual property? Just inject malware into a computer or device at a specific layer of an organization’s network infrastructure. Then, cruise your way through their network.
Loss of network function. If data breaches aren’t to your taste, how about bringing a web site’s operations to a halt? In a distributed denial of service (DDoS) attack, malware will overload servers with junk data until the servers can’t function.
These and other types of malware attacks are high-cost, high-impact events. They can affect customer loyalty and company revenue, costs, and reputation. As any victim of a malware attack will tell you, these long-term effects are expensive and damaging enough to warrant protective and defensive security measures.
Some versatile hardware devices can act as a mouse or a keyboard. Essentially, these devices can behave like a human and click links that cause the installation of malware, for example. If malicious actors penetrate a system that uses these devices, they can trigger commands remotely and cause a wide range of damage.
For years, companies have spent significant sums to secure their onsite IT infrastructure. Now that remote work is a long-term workplace trend, organizations should make comparable offsite investments, too.
Every organization and remote worker can significantly reduce the risk of cyberattacks by developing good security habits and embracing defensive best practices.
Here are proven best practices that can form the foundation of solid cybersecurity protection.
Often, remote workers forget this first-things-first recommendation. Yes, there is time and effort involved. But talk to anyone who has experienced a ransomware or phishing attack, and you’ll understand that the preparation is worth it.
It does no harm to review your organization’s security dos and don’ts before you start remote work. Even if you’re familiar with the specifics, check them anyway. Something new might have been added.
Here are some items to check off your list. Your IT team or independent IT support specialist can check for these security-related gear, settings, and support tasks.
Here’s a list of the items that appear on lists of remote worker must-have tools:
Here are some questions that will help you reduce the security risk of your remote office:
Before the pandemic, many organizations and solo professionals moved their data and apps to hosted third-party services in the cloud. Constantly vigilant, cybercrooks have noticed the opportunity for high-volume mayhem.
Now, they are paying more attention to workers who use cloud-based platforms and services. If you run a solo operation, ask the cloud operator who pays for data breaches or other security exploits.
After you set up and plan your security system, it’s time to secure your tools.
There have been significant changes in cybersecurity design in the past several years. The emphasis has changed from addressing vulnerabilities (adding and monitoring network components such as firewalls) to reducing the odds of damage to your system.
Here is the latest how-to information, designed to help you keep your equipment safe and your data private.
Using company-issued technology to access data and networks in offsite work environments is a safer, less risky way to keep remote data safe and private. In fact, following standard security rules and practices is your best bet for building an effective, remote security system.
More than a third of your colleagues never update their account data. Billions of login credentials have been compromised in the past several years, so this is an obvious vulnerability that can be fixed relatively quickly.
Protecting files and data. There are several ways to thwart ransomware specialists and keep other malicious parties out of your information and data. You can summarize the method as, “Don’t make it easy for the bad guys.”
Updating account passwords. Computer and mobile device users are probably sick of hearing about passwords. But there’s a good reason why the subject is repeated so often. Ensuring that all accounts are protected with strong passwords is more important than ever.
Prompting employees to update account passwords regularly can keep bad actors out of remote files and email. Many organizations use helpful software that uses simple, on-screen prompts to reduce the risk of intruders, IP theft, or data breaches.
Using advanced authentication methods. New technology contributes to the cybersecurity effort. Familiar security features such as two-factor authentication make it harder for bad actors to access networks and data stores.
Biometric measures—facial recognition, retina scans, and fingerprints—have been available for several years now but are only slowly increasing in usage.
Most people want to be a part of the data security solution. Learning to manage data carefully, identify phishing scams and other exploits, and often protect your accounts will ensure that you become a defensive asset.
This is the biggie, the most important item on your system security to-do list. You might have a remote office. But you still must keep your home office system and organization network free of cyberattack entry points. That means:
From best practices to hardware: Here’s how to keep your system tools and appliances safe.
Individuals and organizations typically think of software as the cause of spectacular data breaches and theft of sensitive employee or business data. This might be true in many cases. However, cyberattacks on hardware have also put their destructive fingerprint on exploits.
In 2018, the Spectre and Meltdown vulnerabilities in Intel chips threatened computers, servers, smartphones, and Internet of Things (IoT) appliances such as routers, TVs, and other intelligent devices.
The most significant potential damage came from its source. The vulnerability existed at the hardware level of the IT infrastructure. IT teams from user companies could not deploy patches without severely reducing chip processing speed.
As an IoT device, your home router is possibly the most vulnerable path into your home and, therefore, your company’s network. Why? Many people don’t change the password on their home router when it is first installed. Avoiding router-based attacks is easy:
There’s one more thing you must do to secure your router. Set up the latest type of encryption. Until you do, all communications between your home office and work office are easy pickings for internet eavesdroppers. Here’s how to do it:
1. Make sure that your wireless network router supports the WPA2 security protocol. (WPA is an acceptable but weaker protocol.)
2. Apply compatible WPA2 settings on each WiFi device. Choose the WPA2 encryption option and its related authentication information for each device.
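The check in steps 1 and 2 can be scripted on a Linux laptop. The following is an added example, not part of the original guide: it parses the output of `nmcli -t -f SSID,SECURITY device wifi list` and reports which networks do not enforce at least WPA2. The sample scan and its SSIDs are constructed, and the script goes slightly beyond the two steps by also flagging open, WEP, and mixed WPA/WPA2 networks.

```python
# Added example: audit Wi-Fi encryption from `nmcli` terse scan output.
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and backslash-escapes ':' and '\'
# inside values. Every SSID below is made up for illustration.
SAMPLE_SCAN = r"""
HomeOffice:WPA2
Cafe\:Guest:
OldRouter:WPA1
Legacy-AP:WEP
Mixed-Mode:WPA1 WPA2
NewMesh:WPA2 WPA3
CorpNet:WPA2 802.1X
"""

# Weakest to strongest. The guide's target is WPA2; WPA is acceptable but weaker.
STRENGTH = ["open", "WEP", "WPA", "WPA2", "WPA3"]
TOKENS = {"WEP": "WEP", "WPA": "WPA", "WPA1": "WPA", "WPA2": "WPA2", "WPA3": "WPA3"}


def split_terse(line):
    """Split one terse nmcli line on unescaped ':' and unescape the fields."""
    fields, current, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            current.append(next(chars, ""))  # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return fields


def weakest_protocol(security):
    """Return the weakest protocol accepted; mixed mode still admits the weaker one."""
    tokens = security.split()
    if not tokens or tokens == ["--"]:
        return "open"
    found = {TOKENS[t] for t in tokens if t in TOKENS}
    return min(found, key=STRENGTH.index) if found else "unknown"


def audit(scan_text):
    """Return (ssid, weakest protocol) for each named network in the scan."""
    results = []
    for line in scan_text.splitlines():
        fields = split_terse(line.strip())
        if len(fields) >= 2 and fields[0]:  # skips blank lines and hidden SSIDs
            results.append((fields[0], weakest_protocol(fields[1])))
    return results


def below_wpa2(scan_text):
    """List SSIDs that do not enforce at least WPA2."""
    return [s for s, proto in audit(scan_text) if proto not in ("WPA2", "WPA3")]


if __name__ == "__main__":
    for ssid, proto in audit(SAMPLE_SCAN):
        print(f"{'ok' if proto in ('WPA2', 'WPA3') else 'CHECK':5} {proto:7} {ssid}")
```

A network listed as `WPA1 WPA2` is reported as WPA because the router still accepts the weaker protocol; switching the router to WPA2-only clears the flag.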
Providing laptops for all employees can be costly, so many organizations rely on staff members using their own devices when they work from home. This practice creates one of the biggest risks of remote work. Why? Employee computers and devices often lack:
These deficiencies raise the risk of malware finding its way onto devices and removing personal data and work-related information.
If you must use your smartphone for work purposes, consider mobile device management (MDM) and mobile application management (MAM) software. These solutions can help you secure mobile devices and applications by using these security measures remotely:
Also, consider a mobile security solution, which can provide antivirus and endpoint detection and response capabilities for all your mobile devices.
Dedicated firewalls create a barrier between employee devices and the Internet. They protect networks by closing communications ports on servers. This method helps prevent the entry of malicious programs and stops data loss from employee devices.
However, hardware firewalls require advanced IT knowledge to install, configure and set up. Also, they usually need a dedicated IT employee or department to monitor and manage after the installation.
If your organization sent you home to work remotely, your IT staff would probably have contacted you. If not, ask them what must be done to set up your firewall correctly.
Software is becoming increasingly important because it takes over many functions formerly handled by hardware. Here are the major software packages that enable your home office to stay secure.
Wireless connections between your home office and your company’s network are a potential security weak spot. Malicious parties love to use and prowl around restaurants and other digital public places to spy on internet traffic and collect confidential information. (Confess, don’t you have a favorite coffee shop or public place that gets you out of the house?)
So, avoid working in places that don’t encrypt WiFi.
But even at home, you must protect your communications. You can operate a virtual private network (VPN). If that’s not available, follow these steps to avoid giving cyber-intruders access to your system.
Whenever you begin remote work—or want to upgrade system security—follow these steps:
VPNs are software programs made to keep online data private and safe from breaches, IP theft, and malicious intrusion. VPNs are encryption-protected communications tunnels that whisk your data and communications from your computer to a secure server on the Internet.
You can use VPNs whenever you work outside your office: at home, cafes, hotels, or airports. VPNs encrypt all your internet traffic, making it unreadable to anyone who intercepts it.
NOTE: VPNs are specialized security tools. They can prevent anyone from grabbing information in your communications. They can’t prevent data breaches or other cyber mischief in your organization’s network.
Software firewalls are installed on and protect individual computers or mobile devices. If your remote workplace includes several computers or peripherals, firewall software must be installed on each protected machine.
This needn’t be a problem, though. Software firewalls are already built into many OSs and peripherals. Just check with your IT team to see if they are already installed, protecting vulnerable system components. Then, ensure that they are enabled wherever they exist in your system.
Once touted as magic bullet protection, antivirus software (AVS) is now regarded as one part of a secure home system. You must support AVS with well-configured installations and regular security software updates to keep your home office safe.
Advanced antivirus software can act as a second line of defense by detecting and blocking known malware. Even if malware does manage to find its way into your system, antivirus software is designed to identify and stop it before damage can be done.
Ensure that your equipment uses up-to-date encryption tools on your devices whenever you communicate sensitive information with colleagues and organization partners, suppliers, and customers. It pays to have someone check that you have support for basic and more advanced security functions.
Basic security support. These tools check whether a legitimate certificate authority issued a security certificate or if it is a fake. Most systems use quite a few certificates, so it’s best to have an IT team member or hired specialist check them.
More sophisticated detection and protection. It’s also good to check if your computer and devices have protection against more advanced mayhem caused by cyberattackers.
Just ask your organization’s IT team to check out your soon-to-be-remote gear. (They will probably do this automatically as part of your moving to a home office.)
If you run an independent operation, consider hiring an IT services specialist to give your system a thorough security check before you proceed.
Whoever you choose, your IT security specialist will look for and neutralize potential software vulnerabilities, such as:
A new development, employee monitoring software uses advanced, high-speed data analysis methods to provide critical insights into employee behavior within an organization’s network. If your organization is concerned about inside jobs or intruders, they might install this tool, which:
These checks are part of a more extensive process, including installing, configuring, and testing your security-related equipment.
Usually, your organization’s IT staff will help you confirm that your system works, ideally before going remote. Independent professionals should also engage a specialist to complete these critical steps.
So, that’s it. You are now fully grounded in the basics of remote office security.
There are many details to keep track of, but you can master the role of a remote office security manager. Here are some recommendations to help you get started and keep going:
Cyberattackers will take advantage of your relatively exposed position with pandemic-themed phishing attacks and scam campaigns.
Before you start work, brush up on your security awareness. You’ll need it to recognize the latest threats and respond quickly if they occur.