The Remote Playbook is a regular column for people who manage and oversee remote teams. As a remote worker, CIO Dive's Roberto Torres can help shed light on the issues and trends impacting the management relationship. Want to read more on a topic? Email him directly at [email protected]
Peril lurks online – and off – for remote workers.
Logging in from their home networks, often on personal devices out of their employer's control, workers access company systems through home Wi-Fi. Unaware of it, they're a cyberattacker's ideal target: distracted and far away from the protections of an enterprise-grade network.
Even before the pandemic hit, workers were inconsistently adhering to key cybersecurity best practices. Use of virtual private networks (VPNs), automated software updates and antivirus software are the top three most abandoned online safety measures, according to researchers from the University of Michigan School of Information and NortonLifeLock's Research Group.
Asked why they abandon an online safety practice, 20% of respondents said the practice was "not needed."
"They say, 'I have 1,000 different things that are more important and are [a] priority to me," said Yixin Zou, a doctoral candidate at the School of Information at the University of Michigan and lead author of the study.
The scope of the problem grew broader in the pandemic-swept world, as countless workers log onto home networks to send and receive company info.
Company data at risk
Watching the number of infected cases rise, checking on relatives and stocking up on groceries are taking precedence over cybersecurity in workers' minds.
"My guess is that, sitting at home and having more time, they won't necessarily switch to the mindset that 'now I need to protect my privacy and security,'" Zou said.
A workforce lax in a cybersecurity practices can compromise company data.
When employees switch quickly to a work from home setting, access to information will need to be opened up, with employees downloading information to home devices, said Curtis Simpson, CISO at Armis, in an interview with CIO Dive.
"Bad actors are more than aware of this," said Simpson. "They'll continue to target folks at home even after some of these events start to change. The reason is because those home PCs still have all that data they've downloaded during the event."
In this scenario, the company loses control and visibility into its data, which puts intellectual property at risk. Data may also be leveraged to perpetrate cyberattacks.
Privacy legislation brings about an additional layer of financial risk for companies right as analysts foresee a recession brewing.
Organizations that inadequately protect sensitive user data will face sanctions by way of regulation, including the European Union's General Data Protection Regulation, or the California Consumer Privacy Act (CCPA). The breach of protected health information can mean additional sanctions under the Health Insurance Portability and Accountability Act (HIPAA).
Home networks, the weak link
An enterprise might have robust cybersecurity systems in place, but those systems aren't battle-tested for an entire workforce that's now home-bound.
"The larger the organization, the more equipped they are," said Josh Williams, VP of Solution Engineering and Channel at INAP, in an interview with CIO Dive. "But if you look at a small- or mid-market company, that company's core business isn't IT. They're used to having maybe 10 people working from home. Not all 200 or 175 of those 200 work from home."
Most homes are going to be compromised through vulnerable PCs or devices in their local network, according to Simpson. Endpoint protection software can help, and managers who are able to offer employees the ability to buy a license for home use should do so.
Another time-sensitive maneuver to lower cyber risk is to upgrade operating systems used at home.
"Anyone using Windows 7 needs to update now," Simpson said. "They need to migrate to Windows 10. The likelihood is attacks against those devices are going to skyrocket."
In April, Microsoft patched 113 security exposures on Windows 10, which for the most part also exist in Windows 7, which is no longer supported by Microsoft. Windows 7 continues to run in 26% of PC devices despite the end of support, according to Netmarketshare.
When managing a remote workforce, the focus of cybersecurity should be on three key elements, according to Richard Torres, director of security operations at Syntax.
- Critical review of policies and procedures: Companies operating today are in brand new context. Reassessing current cyber risk policies and procedures is of critical importance. For example, upping physical monitoring of key infrastructure as offices are deserted.
- Shielding connectivity: At home, workers connect their devices to aging Wi-Fi routers. Malicious actors could create parallel Wi-Fi networks with the same name, hoping unaware workers sign on by mistake. Increased employee awareness and broadened VPN access can help reduce this risk.
- Sharp focus on authentication and identity access management: Cycling passwords and enacting multifactor authentication are critically important as phishing attempts spike, providing malicious actors with an avenue into company data and resources.