Some security challenges never change, and this remains true with the shift to a remote workforce.
Human fallibility is always in play, even the most secure systems come with inherent risks, and bad actors will eternally seek out any and every chance to exploit vulnerabilities.
It makes sense, then, that cybersecurity sometimes feels like a long-term series of “the more things change, the more they stay the same” episodes. This is also why security advice tends to adapt to new environments rather than getting a hard reboot.
Yet we’re now living in a time where it seems as if everything has changed, and nothing is the same. Are the same security challenges and mitigation strategies still relevant with so many people working from home indefinitely?
Yes and no.
The challenges (and responses to said challenges) are evolving. Is human error still an issue? You betcha, but your previous definition of human error probably didn’t account for an employee also helping their kids navigate distance learning, or the general COVID-19-related anxiety so many people are still feeling.
So, while you probably don’t need a reminder about the need for strong passwords, bear in mind that even in “normal times,” we were regularly presented with evidence that many people still need to be told that “1234” is a pretty flimsy password for their phone.
Password strength, like many other basics of online security hygiene, was a common security challenge in halcyon days. People probably aren’t becoming online security ninjas while they’re balancing remote work with myriad other issues.
Anytime an attack surface increases, as it does when people are working remotely, individuals and companies become more vulnerable.
4 remote security challenges
The more applicable saying here is “everything old is new again,” because while security fundamentals still apply, how you apply them may need reinforcement or revision for managing remote employees.
Let’s look at four common security challenges that might require attention for organizations with a remote workforce.
More security responsibility shifts to individual employees
Most security pros know that in an ideal world “Security is everyone’s responsibility,” but this is rarely the everyday reality.
With many people working remotely from a home office – which might be a kitchen table, a living room couch, or anywhere they work – security responsibility has more literally shifted to the individual, even though the individual might not realize it. We’re talking home networks, ready access to personal devices and services, and a host of other vectors that are now part of the ordinary day-to-day.
In the office, we are protected by a corporate security bubble. Employers invest heavily to ensure that the right solutions are in place to protect data and keep threats on the outside. For remote workers, their corporate device will still carry a level of protection, but the risks are heightened by the environment.
A remote workforce requires rethinking some things and adjusting the best you can. While external threats such as malware are as present as ever, internal risks are also growing.
Reminders to your employees about the basics of home network security are the new “use strong passwords.” If people are still using the default network name and password that is, quite literally, on a sticker pasted to their router, well, they’re doing it wrong.
The onus is on us to take extra responsibility applying corporate awareness to our own environments.
People are more susceptible to scams
Remote work can be enormously productive, but there are plenty of distractions when working from home: children, deliveries, a sunny patio, or a walk with the dog at lunchtime. The bad guys know this and will have malware targeted toward broadband connections, looking for remote workers on their home network.
Human error is a constant, and this is why COVID-19-related phishing scams and other attacks are prevalent.
Phishing is not just an email game; text messages, social media, and other spaces where people connect online are fertile ground. Watch for scam text messages with seemingly helpful links to more information. If you were not expecting the message and do not recognize the number, never click on the link.
Make sure your employees feel comfortable reporting a possible incident if they do get duped by a phish. Phishing attacks can start compounding rapidly when people fear retribution or embarrassment for becoming victims.
It can happen to anyone.
Your VPN isn’t a superhero
A virtual private network (VPN) has long been a mainstay for remote-work access, but it’s not a masked crusader that can clean up every blight. The underlying issue here is that even people who are used to periodic or regular remote work may now lean too heavily on VPN as a safeguard.
When we work from home, most of us will use a VPN. It makes our work computer behave as if we are in the office, saves on extra authentication, and in some cases, is the only way to access corporate information. However, a VPN is also a chokepoint into the network, and too many users can slow down access.
Someone who’s paying their personal bills, reading the news, or doing a Zoom happy hour doesn’t need to be logged into the corporate VPN. And even some corporate accounts, such as cloud-based email and other SaaS applications, are probably better served with multi-factor authentication and other protocols outside of VPN.
In general, your VPN shouldn’t be viewed as a catch-all sentry guarding against external threats.
Security priorities get scrambled
One of the biggest security challenges is that “normal” is not really a tangible concept at the moment.
Even organizations with strong security programs can struggle with this paradigm. This isn’t the time to abandon your playbook, however. Security awareness training is as important as ever. How, when, and where you create that awareness might shift, but it’s still needed.
One critical area that probably isn’t getting enough attention: User privileges might need to be revised on the fly.
Permissions that were once designated for IT are now necessary for other departments. Some people’s day-to-day responsibilities are evolving with the shift to work from home, as organizations adapt. As the definition of a privileged user evolves, security teams often struggle to maintain visibility of what these users access – at what time and for how long – from various remote work locations.
In some cases, employees require elevated privileges beyond what they had in the past and are often given access without the requisite security policies in place. This makes it easier for attackers to exploit the access, using it to launch and execute attacks and potentially gain control over all infrastructure.
This means extra vigilance is in order.
This article, by Kevin Casey, first appeared on The Enterprisers Project and has been shared under the CC-BY-SA license.
Read the full story here – How to Maintain Security When Employees Work Remotely: 4 Common Challenges