Challenges and Solutions
Organizations with remote workers should stand up to any threat
By Abhishek Iyer
Dec 01, 2018
Technological advancements are resulting
in trends and movements that improve the
quality of life and business. One such trend
is the “distributed workforce,” wherein organizations
are willing and able to employ staff
without any strict requirements for physical
presence in offices. Time saved by avoiding long commutes
has been utilized to increase employee productivity as well
as work-life balance. Research in 2016 found that around
half of U.S. workers held jobs that allowed them to work
remotely at least part of the time.
Unfortunately, technological advancement often engages in a
tug-of-war with security. This rise in remote working has led to
a host of security challenges that attackers continue to leverage
while targeting enterprises. Whether it is lack of awareness, lenient
policy enforcement, or deceptive attacker techniques, the
result is a likely breach with serious repercussions. With the monetary
impact of cyberattacks expected to rise to $2.1 trillion by
2019, the business risk is real and present.
All in the Cloud
Although cloud adoption has increased across the board, employees
working from home are much more likely to use a range
of cloud-hosted applications to perform their daily tasks. While
applications bought for and maintained by employers are generally
more secure, employees tend to use multiple open-source and
free-to-use applications for actions ranging from file conversion
to file transfer across systems.
Each application added to a company’s “fingerprint” increases
the chances of compromise, both due to employee login data that
can be vulnerable and the actual company files that are stored/converted/transferred using these applications.
I Spy a Wi-Fi
When employees work from home or any public place outside
enterprise networks (such as coffee shops), they leave their devices
open to attack because of security risks inherent in public
Wi-Fi networks. Attackers can mimic public Wi-Fi networks
and trick their targets into joining the fake network, or attackers
can join a legitimate public Wi-Fi network and tunnel into
target devices (especially if employees have turned on their device
discoverability).
Late last year, there was a deadly root access bug uncovered
in Apple devices that allowed attackers to gain administrator access
on target systems and cause dangerous levels of compromise.
While that bug is patched and fixed now, the security threat of
public Wi-Fi networks remains.
Awareness Issues
The most secure cyber defenses cannot stand up to human error.
Even if organizations are aware of security threats and communicate
them to employees, ingesting and retaining this communication
is often not incentivized enough (or not interesting enough)
for employees. This leads to reduced awareness levels and employees
repeating the same mistakes that—if they’re working remotely—
are much likelier to lead to successful cyberattacks.
What can we do?
Improving organizational security for remote workers is not
rocket science, and many points this article mentions might seem
self-evident. Nonetheless, it’s surprising how often simple fixes go
ignored. The following suggestions are a good starting place to
ensure that organizations stay secure while continuing to promote
the positive aspects of remote work.
Str!ct P@ssw0rds
Make sure that employees use strong passwords and that they use
different passwords across systems. A single password used across
applications might be convenient but it then takes just one vulnerability
to compromise all the employee’s accounts. For guidelines on
password strength, you can refer to NIST’s latest identity guidelines.
Historically, lengthy passwords with a combination of letters,
numbers, and special characters are less likely to get breached
through brute force. Contrary to popular opinion, NIST recommends
against changing passwords regularly. When forced to rotate, employees
usually change just a couple of characters from one password to the
next, leading to confusion without increased security.
VPNs Are A Must
Whether employees are working from home or any other public
location, organizations should ensure that Virtual Private Networks
or VPNs are used. By combining encryption protocols and
virtual point-to-point connections, VPNs protect any sensitive company
data that employees might access while connected to non-enterprise
public/private networks.
There are various VPN protocols out there: some provide encryption,
some facilitate connections, and some do both. Protocols
such as SSH, SSL, or TLS fulfill both duties (encryption and
connection) and should be preferred by organizations that aim
for security as well as convenience.
Awareness Programs with A Twist
Security awareness programs delivered through dry, text-heavy
presentations are unlikely to have the intended effects, no matter
how positive the intent. A few tactical tweaks to awareness programs
can drastically improve uptake:
- Including interactive, engaging assignments as part of the training.
For example, a “design your own phishing email” contest
where employees come up with their best phishing emails.
- Encouraging and rewarding employees who show “good security
behaviors” and sharing their successes with the group.
- Learning from security failures and sharing with transparency
to avoid repetitive mistakes.
- Creating a culture of openness and blamelessness so that employees
who have made mistakes come forward honestly without
fear of being punished.
Update, Patch, Maintain
Devices with out-of-date software, certificates, and agents create
conditions where compromise becomes easier and more likely.
Organizations should monitor the version recency of operating
systems, SSL certificates, and security software (such as firewalls
and endpoint tools) on all employee devices and especially those
that are used for remote work.
Although any deficiencies along these lines won’t create security
incidents on their own, they will weaken a device’s “immune
system.” Attackers will usually scan devices for these deficiencies
and target accordingly.
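
The recency monitoring described above can be sketched as a small audit over a device inventory. This is an added example, not code from the article; the inventory field names, baseline versions, 30-day certificate window, and sample records are all assumptions constructed for illustration.

```python
from datetime import date

# Assumed policy baselines (hypothetical values, not from the article).
MIN_OS = {"windows": (10, 0, 17763), "macos": (10, 14, 1)}
MIN_AGENT = (4, 2, 0)          # minimum endpoint-agent version
CERT_WARN_DAYS = 30            # flag certificates expiring within this window

def parse_version(text):
    """Turn '10.14.1' into (10, 14, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit_device(dev, today):
    """Return a list of findings for one inventory record."""
    findings = []
    baseline = MIN_OS.get(dev["os"])
    if baseline is None:
        findings.append("unknown OS: no baseline to compare against")
    elif parse_version(dev["os_version"]) < baseline:
        findings.append("OS below baseline")
    if parse_version(dev["agent_version"]) < MIN_AGENT:
        findings.append("endpoint agent out of date")
    days_left = (date.fromisoformat(dev["cert_not_after"]) - today).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left <= CERT_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings

def audit_fleet(devices, today):
    """Audit every device; list remote devices with findings first."""
    report = [(d["host"], d["remote"], audit_device(d, today)) for d in devices]
    flagged = [r for r in report if r[2]]
    return sorted(flagged, key=lambda r: (not r[1], r[0]))

# Constructed sample inventory (illustrative records only).
INVENTORY = [
    {"host": "lt-014", "remote": True, "os": "macos", "os_version": "10.13.6",
     "agent_version": "4.2.1", "cert_not_after": "2019-06-01"},
    {"host": "ws-002", "remote": False, "os": "windows", "os_version": "10.0.17763",
     "agent_version": "4.1.9", "cert_not_after": "2018-12-20"},
    {"host": "lt-031", "remote": True, "os": "windows", "os_version": "10.0.17763",
     "agent_version": "4.2.0", "cert_not_after": "2019-03-15"},
]

if __name__ == "__main__":
    for host, remote, findings in audit_fleet(INVENTORY, date(2018, 12, 1)):
        print(host, "(remote)" if remote else "(office)", "; ".join(findings))
```

Versions are compared as integer tuples because a plain string comparison would rank "10.9" above "10.14" and hide an outdated device.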
These solutions are by no means exhaustive, but they represent
“first-pass” guidelines that organizations can set up and
build upon. Even with all these precautions (and more) in place,
it’s inevitable that breaches will occur. But by being proactive in
defense and agile in response, organizations and their remote
workers stand a good chance of coming out on top.
This article originally appeared in the November/December 2018 issue of Security Today.