The COVID-19 pandemic has brought many changes to our lives: social distancing, face masks, molecular tests, and WFH (work from home). Based on health scientists’ advice to protect the society and driven by the need to maintain business continuity, many private and public sector organizations have directed their employees to work from home where possible.
Remote working is here to stay
The change in work habits is enormous worldwide: according to the Bureau of Labor Statistics, only 29 percent of Americans were able to work from home before the COVID-19 era. In Greece, where the percentage of remote working was below the EU average of 5%, 80% of the Hellenic Telecommunications Organization had been working from home during the pandemic lockdown period of March to May.
Remote working is here to stay. According to a recent Gartner survey, 74% of enterprises intend to maintain at least 5% of staff in permanent remote work employment, while 17% of the respondents said that at least 20% of employees from their workforce would converted to permanent remote employment. Working form home should be a business continuity strategy option for all businesses when possible. It is not only to cope with public health crises, but to be able to sustain operations in any emergency, like natural disasters or terrorist attacks.
Risks of remote working
The human element
However, remote working introduces various risks and challenges for businesses and employers as well. As working from home was a sudden and sharp change of working habits, “those who are accustomed to working within an office might feel isolated and disoriented,” says David Bisson. Therefore, communication is a key factor to make those “isolated” employees feel like they are at work. “It is crucial for organizations to maintain an ongoing dialogue with their employees and to let them know they’re not alone. As part of this process, organizations should provide employees with steps detailing how they can securely and smoothly get up-to-speed with their remote status,” adds Bisson.
David Bisson points out another risk that is inherent in remote working environments. Security. How to secure access to business data and assets while working from home. While digital transformation efforts have blurred the corporate perimeter and identity has become the new perimeter, working from home introduces new challenges.
Many employees are using their personally owned equipment, which might not be compatible with the corporate applications. Even if they do have a business laptop, they are using their home Wi-Fi to connect. Home Wi-Fis are not secured like corporate networks and might even have outdated security protocols (i.e. WEP instead of WPA-2). As a result, criminals may easily launch man-in-the-middle attacks, intercepting network traffic and stealing sensitive corporate data.
Further, the COVID-19 pandemic has seen a surge of phishing scams. Criminals are always eager to exploit a crisis to achieve their own nefarious goals and this public health is not an exception to this rule. In fact, email phishing attacks have spiked over 600% since the end of February 2020. Cyber criminals are taking advantage of the pandemic to trick users into revealing their personal information or clicking on malicious links or attachments, unwittingly downloading malware to their computers. They may even impersonate government organizations, ministries of health, centers for public health or important figures in a relevant country to disguise themselves as reliable sources. Phishing campaigns are the criminals’ preferred attack method and are the main cause of data breaches.
Weak user authentication
Unfortunately, many companies are still relying on questionable password policies, even though passwords are full of security risks. Password fatigue, weak passwords and using passwords for more than one service is like peanut butter for criminals, who can very easily compromise them and gain access to corporate assets. In addition, criminals are exploiting stolen credentials to gain unauthorized access to multiple accounts in a very short period of time.
Checklist for securing remote workforce
During the past few months, many organizations, like NIST, ENISA, and the Center for Internet Security (CIS) have published advice on how to secure remote working. If we were to consolidate their valuable advice, we would group the security checklist into recommendations for businesses and employers.
Recommendations for businesses
- Make remote working part of your business strategy. Remote working is here to stay. Therefore, any business should have policies and procedures in place detailing when and how working from home is implemented by workforce.
- Train your staff. Any policy is not enough if it is not adhered to by business employers. Train your staff to be aware of the security procedures to implement when working from home and how to use the various online collaboration tools to boost productivity.
- Create a safe and effective foundation for remote digital access. First and foremost, this means providing secure access to IT resources within the business as well as to the internet itself, typically through an internet provider and virtual private network. This requires attention to every part of the connected tech stack, from internet access itself to providing work devices and secure means to reach and interact with corporate networks, data, communication channels, and applications. This is the cornerstone of managing and supporting the whole remote working process.
- Secure remote access to business assets and services. Typically, this is provided by a virtual private network (VPN) solution, which creates an encrypted network connection making it safe for the worker to access corporate IT resources. Usability and reliability are key factors when selecting VPN solutions. Be sure to test all the service providers, devices, and locations to be used at the very least, and ensure performance is sufficient. In addition, strongly consider two-factor authentication (2FA), instead of just user IDs and passwords, to significantly boost security. 2FA hardware authenticators are quite inexpensive now, while employers can also use their mobile devices as a 2FA authenticator.
Recommendations for employees
- Comply with business policies on remote working. It is important to read, understand and comply with these policies. In remote working environments, security is everyone’s job. Failure to comply with these policies and practices may result in a data breach and a regulatory violation entailing huge fines for your company.
- Protect your computer communications from eavesdropping. Make sure your Wi-Fi home network is set up securely. Specifically, look to see if it is using WPA-2 or WPA-3 security protocol, and make sure your password is hard to guess. If you are unsure how to do this, you might be able to find a how-to video or checklist online by doing a search for your Wi-Fi router brand and model.
- Use a VPN to access corporate assets. If your organization has a VPN, use that on your work device for stronger protection. If not (hopefully not), consider using your own VPN. You can find numerous providers online.
- Enable basic security features on your work device. If you are using your own computer or mobile device for remote work, make sure you have enabled basic security features. Simply enabling the PIN, fingerprint, or facial ID feature will prevent people from getting on your device should you walk away from it. Any PIN or password you use should, of course, be hard to guess.
- Keep your computers and mobile devices patched and updated. Most devices provide an option to check and install updates automatically. Enabling that option can be a good idea if you don’t want to check for updates periodically.
- Be on the lookout for social engineering attempts such as phishing emails or phone scams related to remote work. In the current situation, one should be suspicious of any emails asking to check or renew your credentials even if it seems to come from a trusted source. Verify the authenticity of the request through other means, do not click on suspicious links or open any suspicious attachments.
One of the key preventive measures for the spread of Covid-19 is social distancing. Luckily, in this increasingly connected world we can continue our professional and private lives virtually. However, with huge increases in the number of people working remotely, it is of vital importance that we also take care of our cyber hygiene.
Attackers are always looking for opportunities to take advantage of weak security practices. If you overlook your security obligations when remote working, you could put yourself and your organization at increased risk. But it’s more than your organization at risk — if your telework device is compromised, anything else connected to your home network could be at risk, too.