
Location, location, location
The comfy clothes are on, the dog is sleeping peacefully and productivity is peaking… ahh, working from home!
What started as a necessity for most in 2020 has become not only a lifestyle choice for many workers, but also a deliberate and well-considered business model for some company owners. But what about the implications for your cyber risk?
We have recently been made aware of a cyber incident which would have been unlikely to happen if the employees concerned had been in the same room at the time. The social engineering attack involved criminals pretending to be “the fraud team from the bank”, phoning more than one finance team employee during the course of a morning. They were able to persuade the employees to download remote-access software, and then logged into their accounts. Isolated as they were in their home offices, the employees complied, and the attackers were able to complete funds transfers to external accounts. Had the employees been in an office scenario, the jig would surely have been up very quickly.
The benefits of remote working, both for employees and employers, are many. Home-workers can keep an eye on a child who’s home sick from school, chuck on a load of washing at lunchtime, and be there for that all-important online shopping delivery.
Meanwhile, employers choosing a remote set-up avoid the significant overheads of a bricks-and-mortar office, and open themselves to a much wider geographical pool from which to source the best candidates.
Cydea is a remote business. Yes, we all get together once a month for a group session (and usually a good meal), but the rest of the time we’re beavering away in our various far-flung corners of the country.
Some companies are entirely office-based, some are entirely remote with no central location, and some are a mixture of the two, with a physical office location where employees work some of the time, and the option of doing some days from home.
Organisations offering flexible hybrid working may seem like the best of both worlds for employees, but could be the worst-case scenario for cyber risk. These hybrid businesses face the standard set of on-premise risks as well as an expanded set of remote-working risks for each employee who spends a couple of days a week working remotely.
Simply put, hybrid-working employees may have a false sense of security, as they will be used to measures in the office environment that probably aren’t present in their home.
In terms of hardware, traditional office-based companies are likely to have some on-premise endpoints, such as servers, which will eventually reach the limit of their supported life, increasing their vulnerability and the company’s overall attack surface. These physical assets are also at additional risk of breach, particularly if USB ports haven’t been disabled.
Meanwhile, remote-working organisations are more likely to be entirely cloud-based, which reduces risks associated with on-premise assets, but brings a new set of cyber risks, some of which are associated with the availability of those services.
Key cyber risks that are increased with remote working could include:
Weak security on home wifi networks
Home networks are usually less secure than corporate networks, leaving remote workers more susceptible to unauthorised access.
Loss of access to home wifi networks
Not all internet service providers are famous for their speed and reliability; some are better known for the opposite. A dropped home connection can mean a dropped VPN session and a colleague who is unreachable at exactly the wrong moment.
Phishing
Remote workers may be more likely to forget their training and click on malicious links in emails when they’re alone. Worse still, they may be less likely to admit they’ve done so due to a lack of immediate access to IT support.
Social engineering attacks
There is also an increased risk of vishing attacks, because a real human voice sounds so much more convincing when the rest of your day is spent in a virtual world.
Unsecured personal devices
Employees’ own laptops or phones probably don’t have the same level of security protection as the company devices you issued them, creating a potential entry point for attackers. While this is also a risk for on-premise workers, your BYOD policy is certainly going to be easier to enforce in an office situation.
Unauthorised sharing of data
It’s 9am, do you know where your staff are? When employees aren’t in your office, you don’t necessarily know where they’re working, or who else can see their screen. Opening your laptop on a busy train or in an open-plan coworking space can have real implications for data security. Additionally, an increased reliance on email can lead to incidents of data accidentally being sent to the wrong recipient.
More complex monitoring
It can be harder to monitor remote worker activity and identify potential security breaches when people aren’t always in the same place, or accessing systems through the same IP address.
Lack of physical security
In an office, there is often more control over physical access to sensitive data, which is harder to manage when working remotely.
So what do we do about this? Because our pets have gotten really used to having us around during the day. Here are some ideas for strengthening security for remote workers:
Strong policies and procedures
You can implement as many high-value technical solutions as you like, but without documenting and socialising a set of security policies, you can’t expect employees to understand what is expected of them. These should include strict BYOD guidelines for personal devices used for work, stating mandatory security updates and encryption.
Regular security training
Not popular with staff, but also typically non-negotiable with your insurance provider. There are some much better options out there now, including gamified and video content. Whatever you go for, regular training is vital for keeping security top of mind.
Endpoint security
Endpoint protection is necessary in the office, but critical when people are remote: deploying it on employee devices can reduce the risk of malware infection or unauthorised access. Adding a mobile device remote-wipe facility can also help reduce your blood pressure when a remote worker leaves their laptop on a train again.
Additional communication channels
Office-based working comes with the luxury of turning to the colleague at the desk next to you and saying, “Hey, does your screen look like this, or should I be worried?” The next best thing is a secure communication channel that doesn’t always have to involve your laptop. Slack is a good example. In fact, just this morning a colleague who’d forgotten his laptop password was able to pick up his mobile and Slack the rest of us an SOS.
Multi-factor authentication
Requiring MFA for everything, all of the time, will help to reduce the risk of unauthorised access to your systems from any of the company endpoints that are out there roaming the countryside with your remote workers. At Cydea, we use biometric data (a fingerprint, in our case) as additional authentication, so there’s no question of who’s logging in.
A really secure cloud workspace
Last, but certainly not least, you need a secure place to store and share what you’re all working on. Cydea uses Google Workspace because we like its security features and its usability. Other providers are available, but whatever you use, take a moment to stop and think whether you really trust it with your crown jewels.
Every business is unique and, whatever your working situation, Cydea can help you understand your cyber risk. If you’re considering offering staff the option of working from home, a risk assessment could be a good idea.
Alternatively, if you’d just like some support getting those all-important policies together, drop us a line to arrange a meeting – remote, of course.
Photo by Bruno Cervera