How to maintain security when employees work remotely (top 3 cybersecurity threats)
Working from home has its perks for employees: they can work in their pajamas, keep their furry companions close by, and sleep in a few extra minutes with no morning commute to worry about. But it also presents major challenges toward maintaining cybersecurity while working remotely.
Remote working has exposed employees to a new threatscape, and 88% of businesses have seen an increase in cyberattacks as a result. It’s easy to see why: during March 2020 alone, 45% of companies had one or more devices accessing their corporate network from a malware-infected home network. Considering that homes now have an average of 12 devices and that these devices lack inherent security and basic updating capabilities, the stage is set for disaster.
In order to combat the myriad of threats posed by our new WFH normal, businesses must continuously iterate on their security training and best practices and employees need to remain up to speed. In this blog, we’ll explore the top three remote work cybersecurity threats and present the best solutions for protecting the new corporate edge: the remote employee home.
Threat #1: Phishing attacks on the rise
The 2020 Xfinity Cyber Health Report found an average of about 104 cybersecurity threats per home per month. According to IBM, the global average total cost of a data breach in 2020 was $3.9 Million. Although it’s not possible to perfectly protect company assets, minimizing the likelihood of a phishing attack will help to avoid these costly incidents. However, employees who work remotely might know next to nothing about cybersecurity—and won’t have access to in-person IT resources for help.
Unable to monitor every facet of the home network, IT might not realize when an employee has taken cybersecurity into their own hands, downloading malicious or insecure software that discretely infects their devices with ransomware. Employees often lack sophisticated cybersecurity knowledge, so they are, for example, more likely to configure VPNs or firewalls incorrectly if required to do so.
In June 2020, a VPN phishing attack targeting remote workers made its rounds for up to 15,000 recipients. This isn’t the only attack with remote workers in mind—the Cybersecurity and Infrastructure Security Agency issued a warning about an uptick in these types of phishing and malware attacks, and it’s only expected to increase in the future. For employees with minimal security know-how, it's easy to fall for well-crafted email scams or click on links to malicious sites without even realizing—until it’s too late.
Solution: Provide mandatory employee cybersecurity training
In addition to implementing robust WFH security measures, businesses should view their employees as another line of defense and train them accordingly. Companies should work with their IT teams to develop a list of best practices and invest in cybersecurity training courses or exams specific to their remote workforce. Providing educational material to employees like instructional YouTube videos or monthly quizzes will keep security at the forefront of their minds, minimizing the chances of them falling prey to phishing or malware schemes.
Threat #2: VPN and endpoint protection aren’t enough
Using a work device for personal use is ever-more present, and can allow for malware infections on the work PC. Before the user notices a performance issue and runs antivirus, a program might execute to send sensitive files to the cloud somewhere. And so, if the work device becomes exposed or compromised through one of these scenarios, the VPN can now double as an attack vector on the corporate network.
This past summer, the New York Times reported on findings from Symantec: a Russian hacker group called “Evil Corp” was specifically targeting large companies and government entities whose employees were working from home. Their goal was to get unsuspecting employees to download updates to their browser or Flash Player when visiting seemingly innocuous websites. However, those sites had been hacked and carry malware payloads. Once the employee connects to the corporate network over VPN, the malware uses that connection to attack corporate resources.
The VPN is now an attack vector for ransomware, and endpoint solutions like antivirus aren’t enough to block such threats, since malware often disables Windows Defender and other antivirus software.
In addition to a VPN, businesses often employ endpoint security, but while it may work on PCs and mobile devices, you can’t download antivirus software on smart home devices—like a Google Nest Camera, Peloton bike, or an Alexa smart speaker. And since corporate devices sit on the same network as these devices, a compromised IoT device or home network can then turn that VPN into an attack conduit instead of a protector.
Solution: Adopt a Zero Trust model
Protecting remote employees’ home networks from being compromised should be a top priority for any company's IT team. These networks are largely unregulated and pose one of the biggest threats to the corporate network with insecure IoT devices and potentially infected laptops, phones, and even gaming consoles connected to them. This is where a Zero Trust model comes into play.
A Zero Trust model, "requires authorization for any person or device attempting to connect to a network or access network resources, even for users already within the network perimeter" (note that non-corporately owned devices should not be given access). Zero Trust is based on the concept that companies should not inherently trust anything outside or even inside its perimeters; every bit of information must be verified before being given access to sensitive (or even insensitive) data. In it, IT teams set up firewalls and data protocols like IP logging at a network level, giving corporate networks another layer of defense against malware.
Threat #3: Insecure IoT devices
Homes now boast an average of 12 internet-connected devices with high-end users having as many as 33, increasing the likelihood of a compromised network. However, employers can’t dictate the personal use of employee-owned networks, so the burden falls onto the shoulders of IT teams to troubleshoot everything from common networking problems such as dropped calls to a complete takeover of a home network thanks to a malware attack. This leaves them little time to gain insights into employee home networks and maintain their duties as before.
Personal computers, phones, and even gaming consoles connected to a work network can all easily become infected with malware or spyware, even with endpoint security measures in place. If an employee connects to a business’ network with an infected laptop, the malware could spread and compromise an entire corporate network.
Even the best corporate security strategies will fall short for remote working if they don’t take the home environment into account: a compromised home network can infect the corporate network, so it’s just as important to secure threat-prone consumer IoT devices like Amazon Alexas, Ring Doorbells, and Chromecasts as it is to secure corporate laptops and mobile phones.
Solution: Network-level security built for the home
When it comes to protecting against IoT and router vulnerabilities in remote environments, VPN and Endpoint protection aren’t enough. A network-level security approach is needed to fill these gaps.
We’ve talked about insecure networks surrounding employer-provided devices. Securing the integrity of the home environment from threats such as malware, botnets, lateral attacks, listening attacks, and inappropriate content requires network-level solutions such as Minim.
Minim acts as a complement to existing traditional enterprise security technologies. It provides businesses with remote-networking WiFi management and a secure cloud platform to facilitate the co-management of employees’ home networks. Minim delivers remote network visibility and security tools for both the employer and employee, plus it gives remote workers the ability to segment their work and home networks for enhanced security.
Using separate SSIDs (networks) for work and personal devices can help minimize the risk of an attack on the corporate network: even the FBI recommends keeping isolated networks for IoT devices. Paying for internet access can also enable companies to mandate separate networks for work and personal devices: this ensures only corporate devices can connect to the work network and gives IT teams better insights into the health of those devices. If an IT team can view the health of employee networks in real-time, they can proactively address threats and mitigating potential risks before they turn into real problems.