Working remotely is convenient, but remote employees may unintentionally put your company’s data and networks at risk. Unsecured WiFi connections, unattended computers, and data breaches are just some of the potential negative impacts a company may experience. Add in a remote employee with low technical skills, and it’s a combination that can leave your company vulnerable to cyber attacks.
Remote working is convenient and has many benefits, but it also exposes both employees and companies to a range of cyber security risks. In today’s online-first world, it’s essential companies give serious consideration to remote cybersecurity for their remote employees.
Creative and persistent hackers can exploit even companies with the best security practices and cybersecurity policies. They’re always on the lookout for vulnerabilities in remote working situations and tech stacks. And according to one study, they’re finding them: 57% of companies globally dealt with successful phishing attacks last year, and 66% of U.K. organisations were hit with successful attacks.
We’ve gathered five of the top security concerns for remote working that companies should be aware of today. See if your company needs to incorporate these remote working tips into your remote work policies to secure your data and employees.
Top Security Concerns of Remote Working
1. GDPR and remote working
Remote work means an employer has less control and visibility over employees’ data security. GDPR mandates that companies protect personal information and reduce the risk of data breaches through various security measures, but handling it for remote employees is challenging. A strong remote work policy that outlines the corporate access control policy ensures compliance with GDPR, reduces risk, and keeps data safe. It should outline which employees have access to corporate servers, what data they can use, and how they can use it as part of their daily tasks.
2. Phishing Emails
Most malware and other hacks are delivered via phishing email attacks, and they’re working. In the U.K. alone last year, 66% of surveyed organisations experienced a successful phishing attack, and 30% of them experienced a malware infection as a result.
Phishing attacks often rely on topical stories to exploit people’s fears and emotions to get them to open malicious attachments or click links to spoof sites. The scams are designed to fool people into handing over login details or downloading malicious software that gives criminals access to the computer. These emails have become so sophisticated that it’s increasingly difficult for employees to detect them, especially if they make it past the corporate email filters into their inboxes.
Training employees on how to detect and avoid phishing emails can reduce the risk posed by these emails. It should be implemented for both existing employees and new hires to ensure that everyone is aware. Companies should also schedule regular training and refresher courses for phishing detection to keep employees updated on the latest risks. U.K. organisations excel at this: over half (52%) hold quarterly security training for employees, more than the global average (41%). Regular reminders and training are especially important for remote employees using their own software or devices to access the corporate network. Security teams should also tailor the training to incorporate non-standard or non-corporate devices, such as personal devices or tech stacks.
3. Weak Passwords
Even with VPNs, firewalls, a remote working security policy, and regular training, people are the biggest security risk to a corporate network, especially when it comes to passwords. Employees have so many passwords to remember today that they often store them in unsecured places, such as a sticky note on their monitor or a digital note on their smartphone. They repeat passwords and don’t lock their computers when stepping away from them because they’re working from home. All of these actions put their employer’s entire corporate network at risk. Cybercriminals know that remote workers are more lax in their security practices outside of the office, and they exploit these habits to crack passwords and get past sophisticated security software to access sensitive corporate information.
Documented password policies can help foster a sense of responsibility with remote employees and combat most employees’ poor password choices. Bans on using personal information in passwords and on repeating passwords across account logins can also help reduce the risk. Personal information is a poor choice because hackers can find it easily online through social media and other online sources.
Passphrases are more secure than passwords because they’re harder for hackers to crack yet are still easy for employees to remember. Employees can create secure ones by stringing together a random group of 5+ words, ensuring to exclude any personal or corporate information that’s easy to find online.
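The passphrase advice above can be turned into a small generator and policy check. This is an added example, not part of the original article: the word list, the banned terms, and all function names are constructed for illustration, and a real deployment would load a large published word list instead of the short one embedded here.

```python
import math
import secrets

# Constructed demo word list; in practice load a large published list
# (for example a 7,776-word diceware list) so each word adds more entropy.
WORDS = ("anchor basil cobalt dune ember fjord garnet harbor iris juniper "
         "kelp lantern meadow nectar onyx pebble quartz raven saddle thistle "
         "umber velvet willow yarrow zephyr acme").split()
MIN_WORDS = 5  # the article's "5+ words"


def usable_words(words, banned):
    """Drop any word that matches personal or corporate information."""
    return sorted({w.lower() for w in words} - {b.lower() for b in banned})


def generate_passphrase(words, banned, n_words=MIN_WORDS):
    """Pick n_words uniformly at random using the OS CSPRNG."""
    if n_words < MIN_WORDS:
        raise ValueError(f"use at least {MIN_WORDS} words")
    pool = usable_words(words, banned)
    return " ".join(secrets.choice(pool) for _ in range(n_words))


def entropy_bits(pool_size, n_words):
    """Entropy of a uniformly random passphrase: n * log2(pool size)."""
    return n_words * math.log2(pool_size)


def policy_problems(passphrase, banned):
    """Return the reasons a user-chosen passphrase fails the policy."""
    text = passphrase.lower()
    problems = []
    if len(text.split()) < MIN_WORDS:
        problems.append("fewer than 5 words")
    hits = sorted(b.lower() for b in banned if b.lower() in text)
    if hits:
        problems.append("contains personal/corporate info: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    banned = ["acme", "rex", "1987"]  # constructed: employer, pet, birth year
    pool = usable_words(WORDS, banned)
    print(generate_passphrase(WORDS, banned))
    print(f"{entropy_bits(len(pool), MIN_WORDS):.1f} bits with this demo list")
    print(policy_problems("rex loves acme 1987", banned))
```

With the 25 usable demo words, five words give only about 23 bits; the same five words drawn from a 7,776-word list give about 64.6 bits, which is why the size of the word list matters as much as the word count.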
For companies assigning corporate computers to remote employees, adding a login app or lock screen triggered after a time delay can make it harder for third parties to access. Companies can also use a password manager solution like 1Password to help remote employees store their passwords securely while reducing the number of passwords they need to remember.
4. Unsecured Home Devices
When employees work remotely, they’re usually using their personal devices to access the corporate network. Most aren’t given corporate laptops and printers, which can be a problem security-wise.
Companies with good cybersecurity usually have virtual private networks (VPNs) and single sign-on solutions with encrypted tokens that keep everything secure, no matter the device that’s accessing the corporate network. However, the average person doesn’t think to encrypt their smartphones or use a VPN to access the internet at home, even if they’re just checking their work voicemails.
Personal computers are typically not as secure as corporate ones. So, the security features that most employees take for granted, such as email filtering, firewalls, and encryption, might not be available, and corporate security teams will have no oversight into what’s going on. Without this extra security, corporate networks are at risk from hackers who may use these personal devices as entry points.
Another device that’s become popular with hackers is the personal printer. Today’s WiFi printers have multiple features that make printing easier and have serious security gaps hackers can exploit. Not only that, when remote workers print business documents from personal printers, they often don’t have access to secure shredding services like they do at the office. Printing anything puts corporate information at further risk.
One solution to protect remote workers using unsecured personal networks is to deploy VPNs as they allow companies to provide secure connectivity between devices, such as a personal computer or smartphone and the corporate network. They typically encrypt data “in transit” so hackers can’t steal the data as it travels across an untrusted network. They provide another layer of remote working data security against misconfigured or unpatched devices since most people don’t keep their devices updated. A VPN can also help IT security teams monitor and filter employees’ network traffic for legal and security reasons. VPNs can be used to protect connections made by computers, laptops, and smartphones.
To protect printers, remote employees can disable WiFi printing on their home printers, turn off printers when not in use, and avoid printing corporate documents at home. Companies can help by excluding personal printers from VPN connections, thereby preventing employees from printing in the first place.
5. Unencrypted File Sharing
Companies may have encryption policies for data stored on their networks, but they may not consider encryption on data in transit between systems. That includes third-party cloud file-sharing services and email solutions. Employees share a lot of sensitive information daily, from client data to proprietary product information, so companies cannot afford to use unencrypted file sharing solutions or services. Stolen information can lead to ransomware attacks, theft, and reputational risk.
Companies can ensure remote employees share files and data securely via file-sharing services with built-in security such as Dropbox, Box, OneDrive, and WeTransfer. For encrypted email, companies can use ProtonMail or HushMail or ensure that all email is on the corporate network via the VPN. (Most VPNs include end-to-end encryption options, though the specifics may vary by deployment.)
6. Open Home WiFi Networks
Home WiFi security is especially important for companies that allow remote workers to access the corporate network via personal devices. Companies often forget about the security situation of their employees’ personal networks, and more specifically, the employee home WiFi network. When people think of security hygiene and their personal devices, they often forget about their WiFi routers. A router needs to be updated and maintained just like any other piece of hardware, yet most people forget about it completely.
Routers that aren’t updated will have security gaps that hackers can exploit, which can lead to corporate data breaches over time. Likewise, the WiFi router, which can lead to a false sense of security for remote employees. But, since most people don’t change the default passwords on their routers and neglect to change their WiFi network’s password regularly, their router is left wide open to an opportunist hacker.
The easiest solution to protecting a home WiFi network is to change the default WiFi password and change it regularly. Also, anonymizing the WiFi network name (the service set identifier or SSID) is a more secure option, especially for remote workers living in urban areas where many networks are available. Avoid including personal or other identifying information in the name to make it harder for hackers to know who it belongs to.
Advise remote employees to enable network encryption on their WiFi routers, such as WPA and WPA2. Router security options are typically found under the security settings of the wireless configuration page. Finally, ensure employees are running the latest version of their router firmware by regularly checking the settings. Patches and updates often address potential security concerns before they become issues.
Keeping your business and your remote workforce protected
Remote working is here to stay, and it can be just as secure as employees working on-site behind the high tech security fence most companies have in place. By understanding the top security concerns for remote work and taking the time to mitigate them, you can ensure your company data and systems are protected. Employees will have a more thorough understanding of the threats and how they can take steps to protect their home networks and devices while working remotely.
Today’s online world means employees can work from anywhere, but it doesn’t mean that companies have to put their data, information, and systems at risk. With these precautions, remote employees and companies can be more confident in their remote security and shut the door to any hackers who might want to take advantage of them.
If you would like to discuss your organisation’s remote working security and opportunities then get in touch with the Redcentric team today.