Depending on your industry and occupation, the ability and opportunity to work remotely may have been growing steadily for years. But, owing to the COVID-19 pandemic, organizations of every size and stripe are rushing to figure out how to equip and manage a partially or entirely remote workforce for the first time.
While priority one is to ensure their employees can work from home safely and securely, many don’t fully understand the risks or have the tools, processes, and policies in place to manage it all.
A changing environment means new cyber security risks, and since most breaches can be traced to human error, the biggest areas of new vulnerability will stem from employees new to working remotely.
There are three primary types of data and other confidential information you need to protect:
- Personal Information: e.g. Social Security numbers, passport details, banking and financial accounts and balances, biometric and medical records
- Proprietary Business Information: e.g. financial records, trade secrets, patents, contracts, sales and customer/client information, human resources records
- Classified Government Information: e.g. defense, military and security data, international and foreign service information, and other formally protected documents
What cybersecurity risks are remote employees especially vulnerable to?
- Malware (including ransomware, spyware, etc.): Malware is an overarching term used to describe all types of malicious software designed to corrupt computer systems, including viruses, ransomware, file infectors, and so on. Malware is often distributed through attachments or links to compromised websites.
- Phishing: This type of attack usually consists of hackers using specifically targeted email messages to trick people into giving up confidential information, like account numbers or passwords.
- Man-in-the-Middle (MitM) Attacks: Generally, these occur when an attacker inserts themselves between a trusted client and a server. Types include session hijacking, IP address spoofing, and replay (where an attacker intercepts and saves old messages, using them to impersonate a trusted participant).
- Eavesdropping: This type of attack occurs by intercepting network traffic and ‘listening’ for confidential information, like passwords and account numbers. In many cases, hackers are looking to eavesdrop on individual conversations in digital channels, including email, social media, and VoIP calls.
How do you reduce the risks to your organization?
In a recent blog*, the SANS Institute for Security Awareness identifies 3 key employee behaviors that organizations should focus on to significantly reduce the risks inherent in working remotely.
- Awareness of Social Engineering Attacks: The key to successfully combating social engineering attacks is training and awareness. Teach employees what social engineering attacks are, what to look for, and what to do when they see one. There are scores of resources available through SANS, KnowBe4, and other organizations dedicated to eliminating threats from cybersecurity attacks.
- The Use of Strong Passwords: Weak passwords continue to be one of the primary reasons behind security breaches. Conversely, a strong password protocol is one of the most effective defenses. Establish policies requiring the use of strong passwords and passphrases and mandating they be changed frequently. Consider implementing two-factor or multifactor authentication for access to especially sensitive applications or data.
- Ensuring Systems and Applications are Up to Date: Finally, one of the best habits your employees can get into is keeping the operating systems and apps they use on their own devices to work remotely up to date. As a start, encourage them to enable automatic updates for both their devices and their software. Of course, ongoing updates and maintenance of corporate-owned laptops, smartphones, and applications should be standard procedure.
Managing your organization’s risk from cyber attacks is a non-stop mission, but there are resources, expertise, and solutions to help you at every step.
We have deep expertise working with organizations that rely on a remote workforce and handle highly sensitive medical and financial data. If you have questions about improving your own cyber security and options for reducing risks from remote employees, please feel free to contact us.
* SANS.org, Security Awareness Blog; “Top Three Behaviors for Creating a Cybersecure Remote Workforce”; by Lance Spitzner, Director, SANS Security Awareness; March 11, 2020
When it comes to running and growing your business, the technologies you rely on can give you a competitive advantage, or open you to unnecessary risk.
STEADfast IT can provide the tech assurance your business needs to thrive.