With the coronavirus (Covid-19) having reached a pandemic level of infections, and emergency responses to the crisis causing the global economy to come to a sudden halt, businesses worldwide have taken to having their staff work from home during the Covid-19 lockdown. While maintaining some semblance of economic activity is key to keeping these firms afloat, managing a remote working staff does present some risks on the cyber security front.
Telecommuting, or remote work, is not a new phenomenon, and it has seen an increase in recent years as cost cutting and emissions concerns have become large parts of our collective social conscience.
In fact, a study conducted by the serviced workspace provider International Workplace Group in 2018 found that about 70% of employees spent at least 1 day a week working from home. The Covid-19 pandemic appears to have accelerated the trend, however. With over 2.5 million infection cases recorded globally, governments have urged citizens to remain home and adhere to strict social distancing protocols in an effort to mitigate the effects of Corona. The organizations that can have responded by continuing to operate through a remote staff.
Security Risks Of Having Remote Staff
In many cases, even if firms already had protocols in place that accommodated remote staff, global businesses were taken unawares by a crisis of this scale and likely scrambled to ready staff for the new conditions, probably with scant (if any) regard to the cyber security attached to such an undertaking.
Although some companies may already have a portion of their staff working from home some of the time, government-enforced quarantine measures have given firms little time to equip whole staffs to continue productivity from home. These are some of the risks posed by the migration of whole offices to a remote-work model, from a cyber security perspective.
Access To Company Network
In a remote-working arrangement, key staff are not within close proximity of each other, as in an office situation. This means that much of the firm’s processes will need to be conducted online, with employees accessing its internal network from business and personal devices. This increases an organization’s cyber security threat surface, putting endpoints, connectivity, and other enterprise architecture and infrastructure at risk of exploitation by malicious actors.
While large multinationals would have some degree of security in place to ease the transition to remote work, smaller firms are probably at a higher risk of attack, as servers, collaboration tools, firewalls etc. may not be ready for such a shift, leaving them vulnerable to cyberattacks.
Internal network infrastructure taking excess strain from multiple devices accessing it simultaneously carries risks to productivity as well as cyber security. Companies pursuing a work-from-home strategy will have to scale their networks accordingly.
IT departments tasked with managing a remote network of employees, all accessing the organization’s internal systems on various devices, will have a number of challenges to contend with.
On one hand, users might access the enterprise network or cloud via a company-issued device, in which case all necessary safeguards should be in place. On the other hand, employees could try to use their own devices to get work done, which heightens the risk of bad actors surreptitiously getting to company data through phishing.
An additional risk factor to consider when regarding the security of devices that staff use for work is theft or damage. If an employee’s devices are lost, stolen, or damaged, valuable work time could be lost, not to mention the danger of company information being compromised. These factors are further exacerbated by the fact that members of staff likely share their living space with friends or relatives, who might gain access to said devices.
Another risk is human error: the potential for an organization’s staff to inadvertently allow bad actors access to the firm’s systems. This could occur through an act as simple as clicking a link in a solicitation email while cyberslacking, or using a business device for personal means, or vice versa. Cyber criminals tend to use current events to trick users into clicking or downloading content which secretly plants data-stealing software onto web-connected devices, and these actors will be out in full force during the Covid-19 lockdown period.
With employees not being within close proximity of one another, communication becomes a big concern. As employees will mostly be communicating by digital means, in many cases, messages could be intercepted by cyber criminals. Authentication, authorization as well as measures to prevent fraud and data theft will have to be considered.
Beefing Up Security
There are measures that companies can put in place to shore themselves up against cyber attacks or data loss while ensuring that they remain operational through a remote staff.
Businesses will have to gain an understanding of their threat surface and work with their IT or cyber security team to identify attack vectors and make securing their most sensitive data a priority.
They will need to provide their staff with a clear remote working policy and give instructions on how employees can make their home working environment more secure, in addition to making sure they have consistent access to IT support.
Investment in security solutions like customer identity and access management for customer-facing applications is critical. Cutting costs in this area is not viable if companies wish to remain protected against online threats.
Ensure that the devices and systems staff will be using are equipped with appropriate security capabilities: VPN, MFA and encryption, where necessary.
Employees, on the other hand, will need to maintain clear and strict working hours to establish work/life balance. Remote staff will also need to be especially wary of Covid-19 related solicitations coming in the form of emails, calls, or text messages, and should never mix business and pleasure (keeping work devices strictly for work, and personal devices strictly personal).