Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Keeping remote workers secure: cybersecurity’s bold new frontier
“The use of virtual environments is key to providing capacity and flexibility, but this means placing applications in the public cloud for easier access.”
A quote from Alex Schlager, chief product officer in the cyber-security group at Verizon. This means “traditional ‘physical’ perimeter security solutions that have protected critical applications in the past are no longer effective”.
The workplace is changing fast, particularly in the corporate sector. A 2019 study by International Workplace Group found that 50% of employees work away from the office at least two and a half days a week. Aside from the COVID-19 outbreak, the surge in remote work is related to another trend - short term work. More and more companies are turning to remote freelancers to augment their capabilities, especially digitally mature organisations. The broader issue is how businesses of all scales are now becoming globally interconnected, as more and more supply chains, trade and operations go digital. Which means an exponential increase in points of vulnerability from a cyber risk perspective.
“It makes [cyber security] a lot harder when your attack surface — the culmination of all the networks and systems you use for work — is sizeable,” says Justin Harvey, global incident response lead in the security division of consultancy Accenture.
Combine that with a digitally-enabled, ever-shifting workforce scattered across multiple locations, often using their own devices, identity assurance becomes a significant problem. Moving work applications to the cloud can mitigate some of these issues, but it’s still far from a fool-proof solution.
Creating an effective work-from-home security policy
So, what does it take to develop a smart and effective remote working policy? Obviously, a lot depends on your existing tech stack and goals, but there are a few basics which need to be put in action first.
- Make sure their tools are secure
All employees, onsite or remote, should be using the same approved tools, like cloud storage platforms, communication/video conferencing tools, project management tools, etc. The blurring of boundaries between home and workplace can be risky. BYOD policies combined with Human Error make security even more difficult to implement, so make sure your employees are using secure devices and are trained in basic cybersec hygiene.
- Train them to take the right actions in a crisis
Make sure your team can recognise the signs of a compromised account. They should have clear steps to follow, which includes details about who to report the incident to and what actions to take. These steps should be included in their mandatory cybersecurity training.
How to keep your remote workforce protected and cybersecured
1. Use multi-factor authentication
This is one of the essentials you must have in place for your team. Things like biometric security, fingerprint, facial recognition, or passphrases that can also determine how a user types by measuring variables such as the speed between each letter, are all good options. But at the bare minimum, standard 2FA is a must.
2. Use a secure VPN and firewall
You can never be sure what kind of internet connection your employees will be using. Cafes, airports, hotels and public WiFi can be big cybersecurity risks, so mandating the use of a secure company VPN and firewall is essential. Make sure people don’t disable any security features on their devices. These include firewall settings, web security settings and antivirus settings.
3. Keep your people updated with threat alerts
Human error is the biggest cyber risk, which is why your people need to be aware of the current threat landscape. A lot of COVID-19 scams are doing the rounds, and they should know never click on any links or attachments related to COVID-19 that come from outside the organisation. That includes messaging apps, SMS, or personal email providers like Gmail. Even emails from trusted brands like the World Health Organization (WHO) can be a scam. Making sure your people stay informed is one of the strongest cybersec measures you can take.
4. Guard your credentials
Never click on links in emails that ask you to enter or update your username and password. If you feel a request is legitimate, type the URL directly into your browser to make 100% sure you are on the correct site before logging in. Everyone in your organisation needs to be trained to do this.
5. Beware of ‘Shadow IT’
Stay on guard for ‘shadow IT’ - employees using outside systems, tools or networks instead of company ones. Some workers find company tools to be a hassle to use and may use external tools for the sake of convenience. Dropbox is a common example; many employees will exchange files through Dropbox or Wetransfer for the sake of convenience, but that also opens them to a whole new set of vulnerabilities. Same goes for everything from USB drives to personal email accounts.
“The fastest way to get a ton of shadow IT is to make the normal IT path difficult,” says Charles Henderson, global head of IBM’s hacking unit X-Force Red. “If you make it hard to [access certain data], users are still going to do it, in a new and interesting way.”
Any apps unapproved by IT and Security could have backdoors built-in, possibly compromising device and even company data. This also goes for seemingly harmless chat apps like Slack, Whatsapp, and Facebook messenger. These apps are already merging the boundaries between work and socialising, with many employees thinking nothing of sharing confidential company information over these channels. “There are some platforms out there that basically never delete your history,” says Justin Harvey, global incident response lead in consultancy Accenture’s security division.
Whatever channels they use, employees need to be aware of the risks involved, undergo the right training and have access to company tools that minimise the need to turn to unsecured platforms in the first place.