A look at how businesses can help employees work from home securely during COVID-19 isolation.
One of the biggest stories of the year is the growing impact of the COVID-19 coronavirus pandemic. The global response is mind-numbing; the public is scrambling, the stock market is all over the place, and there are hundreds of stories published each day discussing the changing death rate and new cases.
The virus is also changing the nature and priorities of how we work. The coronavirus has ignited what Bloomberg calls the “world’s largest work-from-home experiment.” Companies are suddenly having to enable an increasingly mobile workforce. Rife with technical ramifications and considerations, the notion of remote work has emerged as a necessity, requiring businesses to consider.
Growing numbers of employees in office-based environments are being encouraged or mandated to work from home and communicate with colleagues via email, instant messaging, and teleconferencing applications.
Tech giants like Google and Microsoft, which long ago established the infrastructure for remote working, are well prepared to adapt to the new imperative for social distancing. But for smaller organisations that are unaccustomed to their workforce being dispersed, remote working will entail new security risks that they might not be prepared for.
With this in mind, here’s what you need to know about the security implications of your business joining the mass migration to a home-based workforce.
Extended corporate network
In recent years, much effort has gone into securing data transmission and storage in on-premise and cloud servers as well as corporate network perimeters. But work-from-home policies are effectively extending the activities of companies beyond the secure confines of corporate networks.
With remote workplaces, there is a significantly greater risk of data breach because companies have limited control of the security profile of unmanaged endpoints, whether these are mobile phones or personal laptops – or even corporate devices – that are only using conventional security software. This creates two key security challenges: first, the security team loses control over the environment in which the user is working. Second, companies will face a challenge providing their employees with secure access to IT resources. In a world of growing SaaS [Software as a Service] and cloud adoption this can be very seamless, but if your systems are all on an internal network the challenge is providing users with a secure way to access those systems.
Business security best practices for home working:
- Ensure that ALL your operating systems are up to date across every device connected to the internet
- Use quickly deployable and configurable security solutions, such as anti-keystroke data capture software, to protect data on BYOD and unmanaged applications
- Use secure VPNs to avoid exposing the corporate network to the public internet and secure it against eavesdropping
- Promote and enforce crystal-clear security hygiene rules such as enabling multi-factor authentication and avoiding clicking on suspicious links
Shadow IT Solutions – Know the Security Risks
Inefficient management of IT resources can push employees to adopt their own ad-hoc solutions. For instance, a team of employees who are used to working together in the office might stay in touch remotely using free online communication and file sharing tools such as Messenger, WhatsApp, Dropbox, etc.
Some companies might welcome and encourage this kind of behaviour since it’s a cost-effective way to preserve team dynamics during times of crisis. But again, this can create new security risks, since the companies don’t have control over the data being stored on these cloud applications. Also, they won’t be able to enforce security policies (like strong passwords) or detect and handle potential security incidents, such as phishing attacks and account takeovers.
New malware targeted at remote workers
The past few weeks have seen more than a dozen new malware or phishing campaigns that are targeted at remote workers. Emotet, Agent Tesla, NanoCore, LokiBot, Ursnif, FormBook, Hawkeye, AZORult, TrickBot, and njRAT are just a few examples of the malware being deployed to exploit the health crisis.
What characterises these malware families is that they have keystroke data capture functionality, which is why endpoint security against keyloggers for home workers is so essential.
People working from home get easily distracted, especially if they are normally used to working in the office. They will mix work with personal email and web browsing, which increases the risk that they expose their employers and colleagues by clicking on malware links.
Given the urgency of the situation, organisations must find products that can be deployed quickly and without special configuration. This means selecting proven anti-keystroke data capture software that can protect every keystroke in any application and prevent screen-scraping malware from stealing credentials and sensitive corporate data.
Companies need to use security solutions that are specifically designed to protect data entry on BYOD [Bring Your Own Device] and unmanaged devices, particularly into remote access apps like Citrix, VMware, WVD [Windows Virtual Desktop], web browsers, and MS Office applications.
Businesses should consider deploying corporate VPNs (virtual private networks) as an important layer of protection. This approach can be multi-layered:
- A VPN which the company sets up for users to gain access to the company network. This needs to be a VPN with security policies implemented to prevent unauthorised access.
- A VPN which users use to protect their network traffic and provide online security (anti-phishing, malicious URL protection, etc.) while connected to the internet.
VPNs can ensure that communications remain secure from eavesdroppers regardless of home network configurations and security.
Education is key
But even the strongest endpoint security tools can’t replace employee awareness and education. It is now more important than ever to promote and enforce security hygiene rules such as enabling two-factor authentication on business accounts.
Take the time to warn employees to be ultra-cautious. Also be crystal-clear about your work-from-home IT policies.
As the physical boundaries of personal and professional life dissolve, organisations must make sure the digital lines remain firm. Following the same protocol that we’re following to stop the spread of coronavirus, namely isolation, is a good approach to ensuring the security of a business’s data.