Businesses are preparing for a world where more of their employees work from home — a March 2020 Gartner survey of 317 CFOs found that "74 percent of respondents said they will move at least 5 percent of their previously on-site workforce to permanently remote positions post-COVID 19."
While this mix of in-office and virtual work may unlock a host of exciting benefits for companies of all sizes, it raises a number of cybersecurity questions and concerns that businesses need to address in order to keep their customer, employee and company data safe.
New Cybersecurity Threats for Partially Remote Offices
The pandemic saw spike in malspams, phishing attacks and other forms of cyber-attacks. Some experts think the trend is likely to continue — or get worse — as more and more companies work from home.
"The social and economic situation we find ourselves in is going to drive an increase in digital crime," says Gregor Noriskin, principal software architect and security expert for Microsoft News and Feeds. "I believe that a significant downturn in the global economy will increase the availability of skilled and motivated hackers, because of layoffs and reductions in legitimate contract work."
To stay ahead of cybercriminals, some experts recommend using cloud-connected services, providing company-owned or managed connected devices, and offering licenses for anti-malware software.
Use cloud services.
Organizations need to close all the holes they opened to keep their employees productive during the pandemic.
"I would imagine that many organizations have allowed employees to connect directly to their networks via VPN [virtual private network] from the employees' home computers," says Noriskin.
"This effectively makes their network entirely porous or vulnerable to even the least-skilled hacker," Noriskin continues. "Organizations need to control, or at least manage, all nodes on their network, whether they are sitting on their premises, in the cloud or the homes of their employees. And ownership means all the way down to the hardware unfortunately and most certainly includes the OS."
According to Noriskin, the solution is using cloud services where possible, and/or to only allow machines that are fully managed by the organization to connect to the network via VPN.
Use a bookmark.
As companies have migrated to cloud solutions like Google GSuite, Microsoft 365 and Slack to make remote access easier, criminals have amped up the volume of phishing attacks targeting these services.
What do phishing attacks look like? Chester Wisniewski, principal research scientist at Sophos, provides two examples:
Usually," says Wisniewski, "they impersonate a message you might receive often when you use these services. For example, "Sharon Simpson has shared a document with you. Click here to open it in OneDrive".
Or you might get, adds Wisniewski, "New Voicemail. You missed a call from Ted Johnson (416) 555-1212 that could not be transcribed automatically. Click here to listen".
Multi-factor authentication is a critical tool, but many users will be unfamiliar with it. Training and support on how to safely and easily get onboarding with MFA across email, VPNs and other services are critical.
—Michael Argast, co-founder and CEO, Kobalt
Both redirect you to a web page that looks like Microsoft 365 and asks for your login and password to read the document or listen to the voicemail.
"If possible, deploy multi-factor authentication and educate your staff on the risks," says Wisniewski. Teaching users to always use a bookmark to access their online drive, email, or office suite can go a long way toward being safe."
Provide company-owned and managed devices.
Virtual machine images allow you to run a completely different operating system within another operating system, typically with the guest operating system and the host operating system isolated from one another. Using company-managed Virtual Machine images, advises Noriskin, is one approach to mitigating cybersecurity threats, but it is not foolproof.
"Even if the user is running a company managed VM on their home computer," he says, "it is possible for an adversary to compromise the VM via the host. My advice would be that if employees legitimately require full access to the corporate network that companies provide them with company-owned and managed devices."
Provide free licenses for anti-malware.
Michael Argast is the co-founder and CEO of Kobalt, a cybersecurity company for small and medium-sized enterprises. He recommends providing free anti-malware licenses for employees' personal computers.
“There are two primary benefits," says Argast, "first, there is almost always a little leakage of work files to home machines and this helps keep those secure, and second, getting people to think about security at home makes them more conscious of security at work.”
Cybersecurity Policies to Adopt
Confusion about cybersecurity protocols is bound to happen when employees work from home, colleagues work in the office and another group does a little of both. In addition to ensuring VPN software is in use for remote employees, Argast says companies need to make sure IT is easy to reach, and policies are clearly communicated, for all groups of workers.
These best practices can help protect your company from cybersecurity threats.
Establish an amnesty program.
During the return to working from the office phase, Wisniewski recommends asking employees to tell you which unauthorized or personal tools or accounts they needed to use to get their job done from home.
"This will allow you to be sure you have a supported way going forward to accommodate future work from home situations, whether due to a virus flare-up or an earthquake, hurricane, or flood," Wisniewski says.
Provide clear guidance on the privacy of communications and other safety issues.
What about conducting confidential company conversations when WFH?
Argast advises including guidelines on how to handle the privacy of company communications. With kids, partners and other family members in the background, employees need to be aware of what are and aren't appropriate communications to have in the presence of others.
Any cybersecurity policies should also include clear guidelines on accessing work data from personal devices and procedures on the safe use of personal devices for non-work purposes.
"If personal devices are in use," says Argast, "provide clear security policies and support." (For example, running anti-malware software and ensuring devices are protected by full disk encryption.)
Ensure New Remote Hires Practice Cyber Safety
New and uninformed employees can accidentally leave the digital door wide open to cybersecurity attacks. Consider some of these strategies to help you safeguard your data.
Establish a security hotline.
"Make sure people feel welcome to ask questions about suspicious documents, links, etc.," Wisniewski advises.
For example, let employees know that "if you have a question, call 555-HELP or email email@example.com, and we will reply within 30 minutes," he suggests. "Encourage people to work as a team when they cannot reach out to the person next to them."
Guard against IT impersonators.
"I can imagine," observes Noriskin, "that hackers will take advantage of the fact that people working from home cannot engage face-to-face with corporate IT and impersonate IT employees to get credentials."
Companies should have protocols for interactions that may require communication of sensitive and confidential information over the phone. You could instruct employees to call back to the corporate central phone number and ask for the department and the person making the request, rather than accepting a call from someone who says they're from IT.
Provide extra IT support.
According to Argast, extra IT support will be required for onboarding employees so they can be productive on day one. He also recommends ensuring remote support options are enabled for workers who won't be able to visit IT if they run into issues.
"Multi-factor authentication is a critical tool," says Argast, "but many users will be unfamiliar with it. Training and support on how to safely and easily get onboarding with MFA across email, VPNs and other services are critical."
Ultimately, the biggest threat to a company's cybersecurity is its employees' unintended bad security behavior. As Noriskin puts it, "humans are always, and by a large margin, the weakest link in the security chain, and you can't run anti-malware or a firewall on the human brain."
Train employees to be extra vigilant and not take cybersecurity policies lightly. Above all, help them understand how their digital habits may inadvertently make their company more vulnerable than ever in our brave new world.
Read more articles on cybersecurity.
Photo: Getty Images