Before the coronavirus pandemic, only 3.4% of the workforce in the US worked remotely, according to data from the Bureau of Labor Statistics and the Census Bureau.
As the virus hit, over 88% of business organizations worldwide mandated or encouraged employees to work from home, according to a global survey from Gartner. And even after things return to normal, roughly 70% of business executives surveyed by Salesforce believe that the pandemic has permanently altered the way we work. In fact, remote work will likely overtake in-office work in a few years.
As work from home becomes the new normal, it’s critical for organizations to adapt by securing remote connections and pivoting from a central network mindset to remote user security. After all, all it takes is one errant employee or unsecured device to start a domino chain and compromise the entire network.
Major Incidents Caused by Unsecured Remote Setups
Here are four cautionary examples of security breaches that stemmed from an unsecured remote worker:
2020 Twitter bitcoin scam
In mid-July, a Twitter employee’s compromised account enabled hackers to access an administrative tool and take over several high-profile Twitter accounts, from Barack Obama and Joe Biden to Bill Gates, Jeff Bezos, Michael Bloomberg and Warren Buffett. The verified accounts were used to promote a bitcoin scam that netted the perpetrators almost $120,000 within a few hours.
2014 eBay data breach
In May 2014, hackers used the credentials of three corporate employees to access eBay’s network for over 7 months, making off with the company’s entire user database of 145 million accounts.
2014-2018 Marriott data breach
In one of the longest “sleeper” attacks on record, external actors managed to penetrate Starwood’s network and remain in the system for four years, even after the company’s acquisition by Marriott. The breach affected 500 million customers and is believed to be the product of a social engineering operation.
2013 Target cyberattack
Hackers reprogrammed credit card scanners in Target outlets to dump the data in an access point that they controlled. The sophisticated attack first targeted the employees of an AC contractor that serviced Target, in order to gain access to the air conditioners that were linked to Target’s network.
Top 5 Work from Home Security Risks
According to the latest IBM study of data breaches, almost 40% of data breaches are caused by stolen credentials or cloud misconfigurations. As more businesses pivot to remote operations, that number can only rise.
Here are the five most common remote work security risks that result in such breaches:
1. Improper device practices – This involves using BYOD devices for corporate business, or using corporate devices for unsafe personal reasons.
2. Unencrypted and out-of-bounds data – Unsecured data that can be easily read by external actors, or programs that lack buffer overflow protection and read data outside the bounds of allocated authority. Even the largest corporations are guilty of sending or storing sensitive data without encryption, sometimes even in plaintext, as evidenced by past breaches from Amazon, Facebook and Instagram.
There are lots of tools to help with this: Brosix, BitLocker and LastPass, to name a few.
3. Remote access to company infrastructure – Where network access was previously limited to in-office devices, companies now have to contend with remote access from employee-owned devices.
4. Lack of control over security protocols or remote security infrastructure – Some organizations might not have adapted to greater remote access, and either have weak security protocols in place, or in some cases lack a robust remote security solution. In fact, cloud misconfigurations account for 20% of network breaches.
5. Lack of secure networks – An unsecured network can be vulnerable to all types of attackers, from amateur thrill hackers all the way to nation-state actors. Even worse, once they gain access, they can remain in the network undetected for months or even years, as seen in the cases of eBay and Starwood.
5 Tips to Improve Remote Access Security
Now that we’ve established the common security risks, it’s time to plug the holes. Here’s how you can help your remote employees work securely.
Separate home and work environments
· For corporate devices, have a proper device usage policy. This includes strict program and website controls, restricted settings, and a reminder to distinguish between personal and office use.
· If employees are allowed to work on their devices, make sure you have a good BYOD policy. Some useful practices to incorporate are distinct users or sessions for personal and work use; as well as website and file sharing restrictions.
· Never use the local/admin user as the work environment to avoid compromising the entire device system in case of intrusion. According to BeyondTrust in 2019, 81% of all critical Microsoft vulnerabilities can be mitigated by removing admin rights from the equation.
The ideal-scenario checklist:
✓ Use a different device for work if possible
✓ Have a non-admin session for work time
✓ Allocate a storage quota for the work session, or a separate disk partition
✓ Use memory or drive encryption, such as BitLocker for Windows or FileVault for Mac
✓ Have a clear distinction between personal and work sessions, devices, or users.
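The two machine-checkable items on this checklist (a non-admin work session and active drive encryption) can be audited with a short script. This is an added example, not part of the original article: the function names and `ADMIN_GROUPS` are assumptions, the sample outputs are constructed, and the parsers expect English-language `manage-bde -status` and `fdesetup status` text as collected by your management tooling.

```python
import os
import re

ADMIN_GROUPS = {"admin", "sudo", "wheel"}  # assumed admin group names on macOS/Linux

# Constructed sample outputs, not captured from a real machine.
SAMPLE_MANAGE_BDE = """Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
"""
SAMPLE_FDESETUP = "FileVault is Off.\n"

def is_admin_session():
    """True if this session holds admin rights (elevated token, root, or admin group)."""
    if os.name == "nt":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    import grp
    names = set()
    for gid in os.getgroups():
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:  # gid with no name entry
            pass
    return os.geteuid() == 0 or bool(names & ADMIN_GROUPS)

def bitlocker_protected(manage_bde_output):
    """Parse `manage-bde -status <drive>` text; True only if protection is on."""
    m = re.search(r"Protection Status:\s*Protection (On|Off)", manage_bde_output)
    return bool(m) and m.group(1) == "On"

def filevault_enabled(fdesetup_output):
    """Parse `fdesetup status` text."""
    return fdesetup_output.strip().startswith("FileVault is On")

def posture_findings(admin, disk_encrypted):
    """Map the two checks onto the checklist items they cover."""
    findings = []
    if admin:
        findings.append("work session has admin rights")
    if not disk_encrypted:
        findings.append("drive encryption is not active")
    return findings

if __name__ == "__main__":
    print(posture_findings(is_admin_session(), bitlocker_protected(SAMPLE_MANAGE_BDE)))
```

On Windows, `IsUserAnAdmin` reports whether the current token is elevated, so a member of the Administrators group running without elevation is reported as non-admin.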
Practice proper password management
According to IBM, 1 out of every 5 successful breaches is caused by previously exposed emails and passwords. To lower risk, good password management should be instilled among employees.
· Avoid using the same passwords for personal and work accounts.
· If possible, make use of two-factor authentication to mitigate phishing attacks.
· Establish complex password rules to guard against brute force attacks.
· Make use of a password manager to keep credentials organized and smooth out the login process for employees. Some options include Dashlane, LastPass and KeePass.
The ideal-scenario checklist:
✓ There is a good password policy.
✓ The system has password creation rules that require complexity and periodic password changes.
✓ Two-factor authentication ensures that all log-ons are always user-verified.
✓ A password manager stores credentials securely.
Make use of VPNs
A virtual private network creates a secure connection between remote employees and the network, and encrypts network data so that third parties cannot read it. According to Google Trends, there was a 25% rise in VPN searches in the US during the pandemic, while business VPN sales soared nearly 600%.
· Most large organizations already have a VPN in place. However, check if there are sufficient slots to allocate among the employee base.
· For smaller businesses, avoid free VPNs if possible. Some services have poor server security and leave their databases exposed. Stick with proven providers and brush up on reviews.
Note that even premium and established brands can suffer data breaches, as seen in the 2018 case of NordVPN. Always do due diligence before settling for a VPN provider.
Always have backups and cloud storage
93% of businesses that have no disaster recovery plan and suffer a major data disaster cease operating within a year. A data disaster can be caused by many factors, from simple power outages or hardware failure to DDoS and ransomware attacks. In some cases, it could even be an act of employee sabotage, as experienced by Tesla and EnerVest.
· Have a cloud storage solution in place so the data lives on in the cloud. After all, the top causes of unplanned downtime are hardware failure (45%), and power outage or software failure (34% each).
· Cloud storage like Google’s GSuite, Amazon WorkDocs or Dropbox also allows for live collaboration. This makes it easier to update or restore file versions as needed.
· Implement business continuity and data recovery solutions to ensure that data survives.
· Set a recovery point objective (RPO). With a good RPO, data can be backed up as often as every 5 minutes with minimal drain on system resources.
· In case of a ransomware attack, the FBI’s advice is to notify authorities immediately rather than paying the ransom outright. It also advises regularly verifying the integrity of the backup process, and conducting an annual penetration test and vulnerability assessment. 96% of companies with a backup and disaster recovery plan are able to survive ransomware attacks.
Remember that businesses can lose over $100,000 per data disaster incident due to downtime and recovery costs. Stay ahead of the curve with a proper data backup policy and recovery plan.
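Two of the points above, meeting the recovery point objective and regularly verifying backup integrity, can be checked automatically after every backup run. The sketch below is an added example, not part of the original article: the `manifest.json` layout and all function names are assumptions, and the files are constructed sample data. Calling `demo()` exercises it end to end.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

RPO_SECONDS = 5 * 60  # the 5-minute recovery point used as the example target

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir):
    """Record a digest per file at backup time (manifest.json is a hypothetical name)."""
    files = {p.name: sha256_file(p) for p in sorted(Path(backup_dir).iterdir())
             if p.is_file() and p.name != "manifest.json"}
    manifest = {"created": time.time(), "files": files}
    (Path(backup_dir) / "manifest.json").write_text(json.dumps(manifest))
    return manifest

def verify_backup(backup_dir, now, rpo=RPO_SECONDS):
    """Return findings; an empty list means the backup is fresh and intact."""
    root = Path(backup_dir)
    manifest = json.loads((root / "manifest.json").read_text())
    findings = []
    age = now - manifest["created"]
    if age > rpo:
        findings.append(f"stale: newest backup is {age:.0f}s old, RPO is {rpo}s")
    for name, digest in manifest["files"].items():
        if not (root / name).is_file():
            findings.append(f"missing: {name}")
        elif sha256_file(root / name) != digest:
            findings.append(f"corrupt: {name}")
    return findings

def demo():
    """Constructed data: take a backup, then damage it and let 10 minutes pass."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "ledger.db").write_bytes(b"constructed sample data")
        (Path(d) / "notes.txt").write_bytes(b"more sample data")
        created = write_manifest(d)["created"]
        clean = verify_backup(d, now=created + 60)
        (Path(d) / "ledger.db").write_bytes(b"tampered")
        (Path(d) / "notes.txt").unlink()
        return clean, verify_backup(d, now=created + 600)
```

Keep the manifest somewhere the backup writer cannot modify, otherwise whoever alters the backup can alter the recorded digests too.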
Keep track of devices
One cornerstone of remote work security is device monitoring and tracking. Unlike traditional office desktops, today’s productivity devices like laptops, tablets and even smartphones can be lost or stolen. In addition, the wide array of devices, brands and operating systems can make monitoring and patching a headache.
Use a good device management solution that can:
· Monitor all devices in a unified interface
· Keep track of device location and set boundaries
· Make patching or firmware upgrades easier
· Enable memory encryption or remote wiping in case of loss or theft.
Note that device loss accounts for 41% of data breach incidents, compared with just 25% for hacking and malware.
Locking It Up
According to IBM’s 2020 study of data breaches, each incident costs companies $3.86 million on average, with compromised employee accounts and cloud misconfigurations being the most expensive root causes.
And yet, a separate IBM study found that more than half of surveyed employees who work remotely do so without new security policies in place, and almost half are worried about cyber threats in their home office setting.
As more people work from home and businesses shift to remote and cloud-based operations, IT security should likewise pivot from a central network mentality to remote end user and device protection. This makes remote work security more important than ever. A small investment and advance preparation now can avoid a major incident or business loss in the future.