Although remote work is not a new concept, it has substantially increased its traction since the Covid-19 pandemic started. A significant number of companies were forced to operate remotely and had to quickly adjust to the new circumstances. But what does this abrupt change represent in terms of security? In this post, we will explore exactly those impacts and how companies can maintain security when employees work remotely.
Adjusting to any change can be complicated, even more, when it is so abrupt as was the remote shift for various companies all over the world in 2020 and 2021. Most had not had any previous experience when it comes to a remote work environment, so naturally, there was a steeper learning curve. In fact, before the coronavirus pandemic, only 17 percent of U.S. employees worked from home 5 days or more per week. During the pandemic, this figure grew to 44 percent. The tendency is that remote work is here to stay and companies will likely adopt hybrid methods in the future.
Throughout these past 12 months, as times were still uncertain and businesses were adapting, there were new opportunities for attackers to explore. In fact, in the first half of the pandemic, 4 out of 10 Covid related emails were spam, and there was an increase of 46 percent in the number of suspicious incident reports for home IoT devices.
As the social engineering techniques used by attackers continue to evolve, many organizations have fortified their cybersecurity in order to secure their digital operations and avoid falling victim to attackers. So, let’s get into some of the practices you can implement to maintain security in these trying times.
What can companies do to maintain security in a remote work setting?
Define a remote work security policy
One of the first key steps to increase and maintain security, if you have not yet done so, is to define remote-work security policies and adequately communicate them with your workforce. If you do not have a document with these policies defined, it can be difficult to identify what it means to maintain security within your company. The idea is to draft a policy document that not only outlines the different security protocols but also identifies how the company intends to support compliance with those protocols among employees.
Provide training on cybersecurity best practices to your employees
Another good starting point is focusing on educating your employees on cybersecurity best practices to reduce the threat surface. Having an informed workforce is one of the key aspects to prevent attacks and maintain security. Companies should provide a thorough explanation when it comes to the security policies instead of just stating them, as it will promote a better adoption rate.
Guarantee Network security
As far as network security goes, and in case your employees used to access a secure office network to do their jobs, you’ll want to transfer that security to a remote setting. To still provide a secure network to all your employees regardless of their location, you will need a remote access VPN. That should give you more power in terms of access control and privacy. However, contrary to popular belief, blindly trusting that a VPN will resolve all your cybersecurity concerns is not a good option. It is not about one perfect solution but rather a combination of various practices and tools.
Still, on the topic of using a VPN service, it is a good idea to not overload it, as it will cause undesired slowdown. To do so, you may need to prioritize the use of VPN for specific services, choose a provider with a large server network and manage its usage adequately.
Personal devices usage regulation and maintaining systems updated
When employees use personal devices to work, they increase their vulnerability to attacks, because their devices could have outdated antivirus or use weak passwords, making them more susceptible to attacks. Therefore, it is important to regulate the usage of personal devices and, if there is no alternative, maybe it’s a good time to consider providing employees with a suitable antivirus license, for example, to diminish these risks.
Companies should also encourage regular security scans and implement a secure password manager to help employees easily manage multiple strong passwords. This is very important when it comes to maintaining and creating a secure strategy to control the access of a multitude of confidential information. Using a password manager encourages employees to implement and store strong passwords, simply without having the hassle of remembering everything.
When it comes to systems, it is also very important to always keep updated tools like firewalls, antivirus, and others. This will assure there isn’t any problem caused by outdated software.
Continuous verification (Zero Trust) approach
The overall principle of this approach is that there is a continuous verification process to grant access based on identities and respective permissions.
Some good practices to implement in line with this concept are Multi-Factor Authentication (MFA) and the use of strong passwords. Combining both of these strategies will contribute to increasing the security of your employees’ activities and consequently of the sensitive data they access.
Provide adequate IT support to employees
Lastly, as employees start embarking on this journey and shifting their day-to-day work practices, companies need to make sure that there is IT support available to guide them through any insecurities or uncertainties. Only with adequate support will they reap the full benefits of the training process and ensure that new security measures won’t impact productivity.
Ensuring Security beyond employee activity
It is also important to mention that maintaining security is not just about guaranteeing your workforce follows your remote work security policies - the pandemic also shifted how companies should address the security of their own websites.
In E-Commerce, for example, there was an increase of 49% in online shopping which also resulted in a growth of 20% in web skimming attacks. In these attacks, attackers are able to infiltrate malicious code into websites without ever having to breach companies’ servers, and this code can silently steal the full credit card details of all shoppers.
Using the same strategy, attackers can exfiltrate data from any website, including sensitive information such as personally identifiable information (PII), protected health information (PHI), and credentials.
Because these attacks are rapidly becoming more sophisticated, it’s critical that companies follow secure coding practices and implement threat monitoring technologies that can readily detect and block client-side attacks like web skimming and data exfiltration. On this note, Jscrambler is contributing to the holistic security approach and offering three months of free Magecart detection.
The pandemic has created huge opportunities for attackers - not only to target remote-working employees but also to target websites that handle sensitive data. The traditional security approach doesn’t cut it anymore.
As we have explored in this post, maintaining security is not just about discovering the one secret ingredient, but rather combining various practices and building one robust strategy.
To build a robust security strategy, companies need to be informed and keep up with the ever-changing technology market. One step in that direction is keeping up to date with entities like NCSC, NCSA, OWASP, and others, that will provide guidelines for cybersecurity best practices and evolving threats. Now more than ever, it’s companies’ responsibility to ensure the security of their employees and of their end-users.