When the COVID-19 pandemic struck in 2020, businesses quickly adapted.
So did cybercriminals.
Companies emptied their office buildings and sent their employees home to work remotely. And organized criminals quickly learned to exploit the “new normal” by targeting improperly secured connections, applications, and unprepared work-from-home (WFH) employees.
Read on to discover how WFH increases your vulnerability to cyberattacks, and the steps you should take to protect your networks, data, and reputation.
To jump to a specific section, click on one of the links below.
The New WFH Normal
According to research conducted by Professor Nicholas Bloom of Stanford University, 43% of the US labor force was working from home in June 2020 as the global pandemic was spreading and as state and local governments began mandating lockdowns.
A 2020 Gartner survey of company leaders found that 80% are looking at work from home as the new normal and plan to permit employees to work from home or remotely at least part of the time after the pandemic has lifted. A further 47% of company leaders plan to allow employees to work from home permanently.
In another survey of 669 company CEOs, conducted by PwC, 78% agree that working from home and remote collaboration are the new normal for the long-term.
According to studies conducted by the US Bureau of Labor Statistics, only 29% of Americans could work from home before COVID-19. But today, a whopping 98% of workers would gladly work remotely at least part of the time, and for the rest of their careers (Buffer).
This new WFH normal is being mandated by governments, encouraged by businesses, and enabled by technology. In particular, remote work is largely made possible by new cloud technologies, including:
- Office productivity suites (Microsoft 365, Google Workspace)
- Storage (Microsoft OneDrive, Dropbox)
- Email (Microsoft Outlook, Gmail)
- Video conferencing apps (Zoom, Microsoft Teams, Google Meet)
The New Remote Work Security Threats
Business leaders are discovering that the new WFH normal is coming at a cost. Mandating that hundreds or even thousands of employees work from home is bringing some expected—and some unexpected—complications.
Employees who are working from home report feeling more stressed, and worker productivity has seen a drop in some cases. But the greatest threats to businesses are coming from the increased exposure to cyberattacks posed by remote workers.
"Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce. It’s now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that's what this is all about."
–William Altman, Senior Analyst at the Global Cyber Center of NYC, operated by SOSA
According to a study conducted by Malwarebytes:
- 20% of respondents faced a security breach as a result of a remote worker.
- 24% had to spend money unexpectedly to resolve a security breach or malware attack following the WFH shift.
- 28% admitted that they're doing work on personal devices more than they are on company devices.
- 18% acknowledged that cybersecurity was not a priority for employees.
This study and others demonstrate that the shift to working from home has caused a surge in security vulnerabilities and breaches. And yet many businesses and employees alike remain oblivious to the increased vulnerabilities—and unaware of best practices for protecting their remote workers from cyber threats.
Remote Work Security Risks
A number of factors are conspiring to make working from home a prime target for cybercriminals.
Unsecured Home Network Setups
Naturally, many businesses are reluctant to enforce their corporate cybersecurity policies upon their WFH employees, which leaves these remote workers vulnerable to breaches and compromise.
Increased Distraction and Stress
Employees are suddenly working in close quarters with partners, homeschooling their children, and can become distracted throughout the day by the joint responsibilities and pressures of work and home life all under one roof. They simply don’t have the mental bandwidth to be hypervigilant about cybersecurity, making them prime candidates for phishing attacks, social engineering and other attacks that catch them unawares.
What all of this means for your organization is simple: If WFH is the future of work for your organization, then your exposure to WFH threats won’t vanish when COVID-19 does. You must prepare today for the growing cyberthreats of tomorrow.
How to Take Action
Protecting your organization against WFH cyber threats involves your people, your platforms, your policies, and your processes. You must take a step-by-step approach to ensuring that you protect your networks and your data using WFH best practices.
Here are some practical tips to discovering your security situation, evaluating your security posture for your remote workforce, and deciding what you must do to fill in any gaps.
Step 1: Document Where You Are Today
Start with an audit. You can’t get to where you want to be tomorrow without knowing where you are today. So, get out a pen and paper and start documenting where you are right now. Here’s what you must audit.
Plans, Policies and Procedures
- Cyber-Incident Response Plan. Does your organization have a documented Cyber-Incident Response Plan? And, if you do have one, when was the last time you updated it? And if you have, when’s the last time you and your team went over it together?
- Cybersecurity Policies and Procedures. If COVID-19 hasn’t changed your cybersecurity policies and procedures, it should have. Look for gaps that indicate your exposure to work-from-home cyber vulnerabilities.
- BYOD Policy. If you allow your employees to bring their own devices to work, and if you have that permission documented in a BYOD Policy, is that policy still accurate, now that employees are using devices at home that your current policy may not cover?
- Remote Working Policy. If you had remote workers before COVID-19 hit, you likely have a documented remote working policy. Now that a larger percentage of your workforce is working from home, is that policy still accurate and comprehensive enough to reflect the current situation?
- IT User Policy. You likely have a policy that governs acceptable uses of company-issued computers and devices. But is your acceptable use policy still relevant now that many of your workers are using their work computers at home? Plus, have all your WFH employees signed it?
- Security Awareness Training. Does your cybersecurity training reflect the new WFH reality? If your organization is typical, most of your cybersecurity training concentrates on best practices to be used within the four walls of your corporate offices. But what about training that includes the new cyber threats your staff are facing at home?
- WFH Employee Awareness. Are your WFH staff aware of the increased threats posed by unsecured home networks, personal devices, phishing attacks and more? If you have not conducted any new or refresher training since the pandemic hit in 2020, your staff are likely in the dark, unaware of the threats they (and your corporate networks) face.
- Security Standards. Are you subject to ISO 27001, NIST, CMMC, FAR/DFARS, HIPPA, CJIS, FINRA, or other security standards? Are you in compliance with those standards? Have those standards changed since COVID-19 arrived and your security posture changed?
- Data Privacy Regulations. Are you subject to GDPR, CCPA, PIPEDA or other data privacy regulations? Have any of those regulations changed in recent months to reflect the new reality of work from home? Plus, are you in compliance today?
- Supplier Policy. Your suppliers may present a weakness in your cybersecurity defenses. If you operate an ERP, supplier portal or other system that gives your suppliers access to your remote employees, and vice versa, have you checked that your suppliers meet your standards for WFH security?
- Vulnerability Scanning. When did you last conduct a vulnerability scan of your corporate network? Are you testing your networks frequently enough? Do your tests reflect the kinds of attacks that cybercriminals are mounting after breaching work-from-home employee accounts?
- Firewall Configuration Review. Is your corporate firewall configured to reflect the latest WFH threats? Have you reviewed your firewall configurations recently, and tested their validity and effectiveness?
- Remote Access Security Review. If you have remote workers, you have increased security vulnerabilities. If you have increased numbers of remote workers, you have increased numbers of vulnerabilities. Have you hunted for remote access vulnerabilities recently?
- Phishing Assessment. One of the greatest threats you face is phishing and spear phishing expeditions conducted against your WFH employees. When did you last go on a white-hat WFH phishing expedition to discover how alert your employees are to these attacks?
- Software. Some of the protections against WFH attacks involved people and training. Others involve software. Are your anti-virus and anti-malware software up to date, both on-premises and off-site, in your employees’ homes?
- MFA. How are you protecting your networks and data against attacks that are made possible through the theft or loss of login-credentials? For example, do you require WFH employees to use multi-factor authentication to access corporate networks?
- VPN. Are you operating a Virtual Private Network that enables your WFH employees to send and receive data across shared or public networks as if their computing devices are directly connected to your private network? Do you require your WFH staff to access corporate networks through your VPN?
- Encryption. Some threats come from portable devices (laptops) and removable storage devices (USB drives). Are you guarding against cyberattacks by insisting that all remote worker hard drives and USB drives are encrypted?
- Storage. Do you prevent WFH staff from saving sensitive documents to personal devices, devices that can get stolen from homes and cafes?
Step 2: Decide What You Must Improve Immediately
Once you have audited your current policies and procedures, training, compliance, and safeguards, you will have a clear picture of where the gaps are. You are ready for remediation. Here are the things you should do first to ensure that you quickly gain as much protection as possible against WFH threats.
Secure Identity and Access
- Passwords. Ensure that WFH employees are using strong passwords. Strong passwords are hard to guess, by humans and by computers. Require that employee passwords contain a larger number of characters, and contain a mix of numbers-, upper- and lower-case letters, and special characters.
- MFA. Employ Multi-Factor Authentication so that WFH staff need more than a simple username and password to log in to corporate devices, accounts, and networks.
- Lost credentials. Protect against lost or stolen login credentials with MFA and self-serve password reset.
Secure Personal and Company-Owned Devices
- Devices. Require employees to keep all work documents and data on company-owned devices.
- Remote Desktop. Enable remote desktop access so that apps and data are no longer stored on WFH computers.
- Storage. Limit the diversity of storage repositories available to WFH employees to limit the number of avenues of attack.
- Apps. Prevent employees from using cloud-sharing applications that have not been vetted for privacy and security.
- Operating Systems. Ensure that employees secure their devices based on best practices for their operating system, whether Windows or Apple OS.
Safeguard Confidential Business and Customer Data
- VPN. Ensure that all WFH employees access corporate networks only through secure VPN connections.
- Backup. Backup data on remote devices to guard against loss or theft. Don’t allow employees to only backup data on local devices in their homes. Insist that another backup is also made to a device outside the home.
- Encryption Encrypt email communication and all sensitive documents so that any data intercepted in transit by cybercriminals is protected.
Protect Your Users Against Cyberthreats
- Training. Protect against accidental data leaks by training WFH staff how to recognize and avoid phishing attacks.
- Spoofing. Defend against impersonation and spoofing by using software that protects WFH employees against these threats (Defender for Office 365, for example).
- Malware. Deploy AI-powered malware scanning to detect malicious email attachments.
- Web content. Guard against malicious web content by filtering for offensive, inappropriate, and dangerous content.
Ntiva’s Recommended Security Services
Ntiva offers a number of services to protect your WFH staff, remote workers, corporate networks and data against cyberattacks. We recommend that you employ as many of these protections as your situation and budget allow.
Multi Factor Authentication
Phishing Prevention Training
Cloud Backup and Recovery
Vulnerability Scanning and Remediation
Intrusion Detection and Response
Endpoint Detection and Response
Remote Work Security Resources
Guarding your networks, data and brand reputation in the age of WFH and remote workers means re-thinking many fundamental areas of your security posture. You need to re-think your BYOD policies, your acceptable use policies and other policies and procedures. You need to get a handle on the protections you currently have in place, and then take orderly steps to add security where needed.
During your journey, you may want to consider using the services of a company that delivers Managed Security Services.
At Ntiva, we build affordable, comprehensive cybersecurity solutions for businesses of all sizes, in any environment. Our in-house team of cybersecurity experts protect your data, help you meet compliance requirements, and give you confidence that your business is safeguarded against the cyber threats posed by WFH and remote work.