September 12, 2023
Since the year 2020, we’ve witnessed a massive change in the way we work. The global pandemic accelerated a host of technological advancements that have enabled remote working to become the norm.
While this change brings huge benefits for both people and businesses, it also brings challenges – particularly for cyber security professionals.
In this article, I’ll aim to explore the various aspects of managing cyber risks in the world of remote working and look at some of the predictions for the rest of this year and beyond.
Understanding the shift to remote work
The rise of remote work in the digital age
It’s safe to say the digital age has brought huge changes to working life. With high-speed internet and powerful collaboration tools at everyone’s fingertips, people can now work from anywhere in the world.
This opens up opportunities for businesses to tap into a global talent pool, while offering employees a better work-life balance – regardless of their location.
Then there’s the cost effectiveness argument – for businesses, a remote workforce lower overhead costs which can be used to fund innovation, product & employee development.
The impact of COVID-19 on remote work trends
It’s hard to understate how the COVID-19 pandemic accelerated the adoption of remote work. With social distancing measures and lockdowns enforced in virtually all countries around the world, how else could most businesses continue to operate without shifting to a work from home model?
Although this was a forced experiment, it’s now become a permanent fixture in society with businesses offering far more flexible ways of working that take on many forms.
During the pandemic, remote working proved to be a lifeline for businesses that allowed them to navigate the challenges posed by the crisis. It enabled employees to stay productive, connected and safe. However, the reliance on remote work also highlighted the importance of digital infrastructure, cyber security and employee well-being.
It’s crucial to point out that it also had its drawbacks. The boundaries of work and life blurred, people had to adopt new routines and then find new ways to maintain a healthy balance, such as time-blocking, setting boundaries and other self-care strategies.
Additionally, remote work presented both challenges and opportunities for team collaboration. Physical distance usually poses communication and coordination challenges, but the widespread adoption of collaboration tools like video conferencing, project management tools and instant messaging platforms allowed people to stay connected, work together and unwind together (remember the weekly Zoom quizzes?) regardless of their location.
It’s clear that remote work is here to stay – it’s revolutionised the way we work and is an inescapable part of the modern workplace. But this also means that the risks it poses are here to stay – and they evolve quickly.
The cyber security risks in remote work
As beneficial as remote working is for businesses and staff alike, it presents several major challenges for cyber security professionals.
Pre-COVID-19, cyber security teams focused on defending their on-prem networks and systems – the traditional security perimeter. Then, when everyone was sent to work from home, new challenges arose for cyber security teams.
How on earth do you secure every single staff member’s home network and devices?
The vulnerabilities of home networks
The home network poses a unique challenge in terms of cyber security. It’s not like a corporate network that has firewalls, robust security policies and other tools in place. Many home networks lack the necessary safeguards to defend against cyber threats.
One common vulnerability (probably the most common) is the use of weak passwords. Many individuals tend to use the same, easily guessable password on multiple accounts – which means if one account is compromised, all accounts are compromised. It might sound simple, but it really is essential to use strong, unique passwords and enable MFA wherever possible.
Outdated firmware is another potential entry point for hackers. Many home routers and other network devices may not receive regular updates from manufacturers, leaving them vulnerable to known security vulnerabilities.
Unsecured WiFi networks are a big risk that often goes overlooked. Let’s be honest – how many people change the default password on their home network? These networks are easy targets for cyber criminals and allow them to intercept sensitive data and compromise the security of remote work activities.
Common cyber threats for remote workers
It’s not possible to write a blog about cyber security risks and remote working without including a section on common cyber threats. Nothing is off the table for cyber criminals.
Phishing, malware infections and ransomware attacks are all obvious choices. Criminals will take advantage of relaxed security measures on a home network to infiltrate your company network and steal data – so it’s even more important to pay attention to who’s sending the email or what links you’re clicking on.
In all honesty, the threats remain the same whether you’re at home or in the office – the only difference is how far an attacker can get before they are detected.
Strategies for managing cyber security risks
There are many ways to manage cyber security risks and many different tools to do it with. But from a remote working perspective, there are two main ways for an organisation to manage cyber security risks: implementing robust security policies and providing comprehensive employee training.
Implementing robust security policies
Let’s look at three key areas:
– Updates and security patches
– VPNs (or equivalent)
– Passwords and MFA
Updates and security patches
First, make sure your corporate devices have the right software installed before you give them to employees. Nothing is more frustrating than having to call IT on day one because someone’s forgotten to install the VPN software or something simple like that.
It’s also crucial that you have a system in place that allows you to push/force any and all corporate devices to install updates and security patches overnight/outside of office hours. You’d be surprised how many times businesses are breached because a member of staff hasn’t run Windows Update in a couple of months – or hasn’t restarted their machine recently.
Believe it or not, tech providers and software manufacturers spend a lot of time and money updating their respective bits of kit and – if you don’t keep them up to date, you don’t have anyone else to blame.
VPNs (or equivalent)
Using a VPN will protect your business. Simply put, even if the home network you’re working from is wide open to the world, using a VPN will encrypt and protect your company data from hackers.
Now, with solutions like Cloud Access Security Brokers available, coupled with the advent of SASE/SSE, you don’t necessarily need a VPN if your security architecture is designed in the right way and you have the right controls in place.
Passwords and MFA
Again, this is an obvious point to make – but, as I mentioned earlier in the article, people reuse passwords and if you crack one, you’ve cracked them all. You should always insist on strong password protocols by implementing complexity requirements (minimum number of characters, letters, numbers and symbols) to safeguard your data.
Multi-Factor Authentication is another easy way to add an additional layer of security to protect company data. By requiring people to provide multiple forms of ID, such as a password and unique code sent to a mobile device, you can reduce the risk of unauthorised access.
Security Awareness Training for employees
Of course, technology plays an important role in cyber security – but, realistically, 8 out of 10 times, the employee is the first line of defence.
You should invest in comprehensive cyber security training programs to educate employees about best practices for remote work.
Training sessions can cover topics such as identifying phishing attempts, secure file sharing and safe browsing practices. By educating employees about the common tactics used by cyber criminals, you give them the knowledge they need to not fall victim to a simple trick.
Phishing attempts, for example, are one of the most common methods used by hackers to gain unauthorised access to sensitive information. Training employees to recognise suspicious emails and avoid clicking on malicious links or downloading attachments from unknown sources can significantly reduce the risk of falling victim to such attacks.
Let’s be honest – an email from Microsoft, or your CEO, isn’t going to have a cat as the profile picture or come from email@example.com. It takes two seconds to check and those two seconds are worth taking.
Secure file sharing is another often overlooked aspect of remote work. Even though most businesses use collaboration tools like Microsoft Teams or Slack, these applications need to be secured too. There will always be occasions where you need to send larger files. This is when you need to make sure you use an encrypted file sharing platform, with appropriate user permissions (review these regularly!), to avoid accidental data loss.
The final and fairly obvious element of Security Awareness Training is safe browsing practices. Now, most people know not to click on pop-ups these days, but it’s important to reiterate this during the training process – along with advice around downloading files/software from untrusted sources.
If you have the facility to block .exe files from running on corporate devices, apply it. Only relevant admin users should be able to run executables that aren’t sanctioned or part of the standard corporate device build. This minimises the risks of accidentally running malicious applications. Of course, if your organisation has some form of EDR/MDR solution or Managed Service in place, this should flag anything like this to the relevant internal teams.
Future predictions for remote work and cyber security
The future of remote working will see the development of innovative cyber security solutions and measures – from more advanced threat detection systems to AI-driven automated security solutions.
Adaptability will be key in the working world as time goes on – those that can, will thrive – those that can’t, will not.
Predictions for 2023 and beyond
We haven’t climbed the peak of remote working yet – the landscape continues to evolve and the cyber security landscape will continue to evolve as well. Staying a head of emerging threats is a revolving door of new technologies and tactics and the eternal game of cat and mouse between hackers and security teams will continue.
It’s a safe bet to assume that, in the coming years, attacks will become more targeted and sophisticated. Remote workers will not be exempt from this – in fact, they are likely to become the main target – forcing organisations to either mandate a return to the office, continuously update their security measures (this should be happening anyway) or, and this is unlikely, equip remote workers with the relevant hardware/capabilities to secure their home networks in the same way the office perimeter is secured.
Given that the security perimeter seems to shift every week, this is a tall task.