The continued impact of the pandemic has made working from home the new normal, rapidly accelerating digital transformation in companies of all sizes. While this is great news, there's a downside.
Criminals have been quick to exploit gaps in hastily organised remote working arrangements, actively targeting businesses' internal and external infrastructures. In addition to this, 9 out of 10 employees believe it is the responsibility of the employer to implement cyber security measures for company home working setups, further underscoring the emerging - and urgent - need for defined remote working security procedures.
According to government figures, 60% of medium firms and 61% of large firms recorded cyber security breaches or attacks in 2019. On average, these cost medium businesses an annual hit of £9,270 and large companies £22,700 in loss of data or assets.
With more and more staff working remotely, even the most stringent IT security protocols are exposed to a higher number of variables as new networks, applications, devices, and software systems enter the mix.
Here's our take on the top 5 risks posed by home working:
Arguably the greatest threat to a company's cyber security.
A lack of remote working policies and procedures exposes your corporate network to issues such as inadequate security patching, infrequent vulnerability scanning, lax back-up arrangements, and an erosion of access control safeguards.
Employees' personal devices are unlikely to have been vetted by your IT team. As a result, they may feature:
- Weaker security measures - for example, outdated anti-virus software, lack of two-factor authentication, or inadequate security patching.
- Untested applications and products.
- Zero or inactive encryption, increasing the risk of data being accessed if the device is stolen or misplaced.
Unsurprisingly, there's been a spike in coronavirus-themed phishing emails, as cyber criminals aim to capitalise on the fear and uncertainty stoked by the pandemic.
Remote workers are being targeted by scammers sending emails that direct them to malicious sites; this has the potential to cause a malware infection or provide unauthorised access to sensitive data.
The majority of today's businesses depend on some form of cloud-based tool, from SaaS (Software as a Service) to IaaS (Infrastructure as a Service).
The online nature of these tools presents hackers with more opportunities to seek and exploit weak spots, especially when protocols aren't being followed, insecure devices or networks are being used, or maintenance is not being carried out as usual.
Furthermore, your workers may be using new kinds of software and applications that have not been thoroughly vetted, leaving open the possibility of undetected threats.
Cloud-based video conferencing platform Zoom was a case in point: critical weak spots in the tool allowed criminals to harvest Windows passwords, hack Mac microphones and webcams, and "zoombomb" private meetings.
As more people work from home, more are opting to use virtual private networks (VPNs). VPNs allow employees to remotely access company services, encrypting data in transit between their chosen network and your corporate network.
As a result, criminals are actively targeting VPN services to find weaknesses they can exploit. If they succeed, they can hack into your corporate network and steal data.
Even during 'normal' times - before remote working became widespread - companies as big as Facebook and Equifax took almost 6 months to identify data breaches in their systems. Take a look at our latest Cyber Nightmares post for another example!
If your employees are working from home, it's vital to adapt and reconsider your IT security measures with remote work setups in mind, assessing everything from SaaS security to your incident response plan.
Let's look at the key cyber essentials your company can implement for more secure home working:
If possible, all employees should work on a corporate device that has been thoroughly vetted by cyber security experts.
These devices should feature:
- Up-to-date security patching and anti-virus software
- Two-factor authentication for corporate networks and applications
- Strong passwords for all user accounts
- Remote access for your IT team to monitor suspicious activity
- Data encryption at rest
In addition to training employees to recognise and avoid phishing attempts, you should create a cyber security policy for all home-based employees to follow.
This should include:
- Guidance determining how specific devices, software, and applications should be used
- Instructions for keeping devices and software up to date
- Advice on securely storing devices
- Stipulations for strong passwords and approved networks
- A lost or stolen device reporting procedure
- A clear outline of incident reporting protocols and your incident response plan
It's critical to revisit and analyse every aspect of your internal and external corporate infrastructures, in addition to agreed cloud security measures for any tools you use.
Likewise, you'll need to evaluate the security of networks employees use to access your corporate services online, ideally opting for a fully vetted VPN that is properly patched.
While consistent monitoring and vulnerability scanning help detect visible risks business-wide, neither will actively target your systems - whereas a cyber attacker would.
OnSecurity's specialist ethical hacking team can perform a deep dive into your company's IT security setup, whether your workers are based at home or onsite.
Our penetration testing service includes:
- Internal networks
- External networks
- Mobile applications
- Web applications
- Cloud infrastructure
- Social engineering
- Physical penetration testing
Penetration testing is an investment in the financial and reputational security of your company. We put your systems to the test, identifying and providing comprehensive solutions for weak spots, so your business is fortified by robust cyber security safeguards.
Don't lose any more sleep over employees' remote working setups. Get in touch today and book a security consultation with a member of our experienced team - we're here to help keep your business safe.