The Risks and Rewards of Working from Home
Recent findings by the Ponemon Institute indicate that at least 60 percent of organizations report remote work has reduced their overall business costs, much to the chagrin of corporate leasing managers the world over. Fifty-six percent of organizations polled also indicated that they expect teleworking to become the new norm, even after the economy recovers from pandemic restrictions.
However, despite the apparent savings in overhead costs, businesses leaning into the remote work model may have other expenditures to worry about—namely data loss and theft. As instances of cyberattacks on businesses have increased commensurately with stay-at-home orders, companies remain slow to react. Forty-five percent of organizations surveyed say they have not assessed the risks associated with a remote workforce, according to the global risk report sponsored by Keeper.io.
These figures aren’t exactly surprising, considering how rapidly companies have been forced to adapt to new ways of doing business. Still, reports like these highlight a need for organizations of every size to evaluate their security posture in an era when remote work is slated to be the gold standard. In the next section, we’ll cover several reasons for the reported slump in digital hygiene.
Factors Contributing to Rise in WFH Cyberattacks
Prior to the COVID-19 outbreak and subsequent global lockdown, 71 percent of organizations reported that they felt their security posture was sufficient in warding off the most damaging attacks. By contrast, only 44 percent now report being adequately prepared to mitigate potential cybersecurity threats. This reported lack of confidence is likely due to what Shimon Oren describes as an increased attack surface. Oren, Vice President of Research at security firm Deep Instinct, puts it this way:
You have a much bigger attack surface—not necessarily because you have more employees, but because they're all in different locations, operating from different networks, working [outside] the organization’s perimeter network on multiple types of devices. [In a remote work model], the complexity of the attack surface grows dramatically.
Essentially, remote work has increased the number of back doors to secure networks and has even expanded the relative “size” of the doors themselves. With more employees accessing business-critical applications from unsecured personal networks and devices, opportunities for cybercriminals to infiltrate corporate information systems are at an all-time high. Employers considering expanding their remote workforce should consider the following telework vulnerabilities.
- Lack of physical security at employees’ homes
- Remote workers are more vulnerable to security exploits
- A remote workforce is slower to react to cyberattacks
- Remote workers require greater access to business-critical applications
- Multifactor authentication is not widely adopted
- BYOD increases the number of endpoints vulnerable to exploitation
- Antivirus and intrusion detection systems can’t keep up with evolving threats
- Credential theft has increased dramatically in the remote work era
While some of these hurdles are inherently technological, much of the data loss reported in the wake of the coronavirus pandemic can be attributed to good old-fashioned human error. The upside is that, with increased investments in security awareness training and IT security infrastructure, most businesses can reliably navigate their way out of the red zone. In the following sections, we’ll cover several human-centric problems and propose actionable solutions to help businesses get back on track.
BYOD: Good for Bottom Line, Bad for Business
Sixty-seven percent of respondents to the above-mentioned global risk report admitted that remote workers within their organization regularly used personal laptops, mobile devices, and tablets to access mission-critical programs and data. This figure alone should raise eyebrows for business leaders looking to protect their bottom line since unsecured devices are especially vulnerable to cybercriminals looking to infiltrate corporate networks and enterprise systems.
While the potential savings on hardware can make the bring-your-own-device model appear attractive to businesses looking to reduce costs, the potential for personal internet-connected devices to serve as attack vectors for data-hungry cybercriminals makes this a roundly foolish business move. In order to shore up vulnerabilities in your business’ security perimeter, every machine and every user accessing secure business data must be subject to the same network security protocols.
Unfortunately, slouching on your business’ network and information security posture can make for one hell of a financial mess down the road. Just take it from the 58 percent of surveyed businesses whose IT infrastructures were damaged last year. Each enjoyed an average recovery bill of $2.7 million, plus another $2.4 million in business disruption costs.
Remote Workers ‘Soft Targets’ for Cybercriminals
A major reason so many businesses are targeted by cybercriminals has to do with the workers themselves, not vulnerabilities in network security infrastructures. Social engineers and other cybercriminals find it much easier to coerce employees into divulging network credentials or sensitive company data than to poke holes in security perimeters. That’s because humans are far easier to exploit, trick, and dupe into divulging sensitive information like network credentials.
With remote workers now having little to no face-to-face interaction with coworkers and managers, it becomes more difficult for people working from home to discern whether a strange request made over email is legitimate or not. In our recent article on social engineering tactics, we explained how cybercriminals love to impersonate business leaders to junior staffers who are less inclined to ask questions when directed to perform a task by a supervisor.
In the wake of the coronavirus pandemic, this tactic has only proven more effective for social engineers who can bank on most correspondence taking place via email. These days, remote workers don’t have the luxury of turning to their cubemates to ask if the email they just received from the VP seems fishy—or knocking on his or her office door to confirm the request.
Entry-level and recently onboarded employees are especially vulnerable to such coercion, since they have the least experience with internal communication styles, and because they are unlikely to push back against suspicious requests from management. When successful, social engineering attacks can have lasting consequences for businesses.
If a cybercriminal makes his way onto a secure network by stealing network credentials, he has a better chance of going unnoticed by intrusion monitoring systems since the login information has already been “verified” internally. In other words, the software sees valid credentials and assumes the user of those credentials isn’t a threat. This explains why over half of organizations reported exploits that evaded both intrusion monitoring and antivirus systems since the beginning of the coronavirus pandemic.
Protecting a Remote Workforce from Cyberattacks
Rather than barring remote workers from accessing certain business-critical data and programs, business leaders are encouraged to proactively arm their workers in the fight against cybercriminal activity. Through continued learning investments and security awareness training, organizations can empower their workers to call out suspicious activity when and where they see it. Teams work best allowed to collaborate, as opposed to working in virtual silos.
If you’re not sure where to start, we recommend first securing every device with robust, enterprise-grade security monitoring and antivirus software, requiring all employees to utilize multifactor authentication when accessing mission-critical data, and instituting mandatory security awareness training for both existing staff and new hires. Our article on cybersecurity best practices has some helpful tips for beginning the conversation with your team. These security measures are also something a managed IT services company can help implement and monitor.
On the technological front, remote access VPNs can help bridge the gap for companies married to the idea of employees furnishing their own devices. While we strongly advise against the BYOD model, a quality VPN can help encrypt transmissions to and from devices operating outside corporate security perimeters. We also recommend requiring employees to routinely change their passwords. Many secure password managers like LastPass have integrated password generators to help keep endpoints secure at all times. Consider mandating credential changes every three months.
Businesses Must Increase IT Security Investments
When asked about obstacles to maintaining effective IT security posture with a remote workforce, 44 percent of responding organizations said that an insufficient budget was their biggest hurdle.