Organisations have had to adapt quickly to the realities of staff working remotely and that has come with a number of challenges, particularly surrounding cybersecurity.
Businesses that previously relied on employees using work-issued computers and being protected behind a corporate firewall have had to deal with staff using their personal devices and their home internet connection.
And with indications that many organisations believe that, post-pandemic, we will see a switch to a hybrid model with a balance between working at the office and working from home, it’s important that employees are equipped with the right training and tools to keep business data and networks secure against cyberattacks.
Account hijacking is one of the most common means for cyber criminals to gain access to corporate networks. These attacks can involve phishing emails that attempt to trick victims into handing over their username and password, providing criminals with login credentials they can use to gain access to accounts and the wider network.
But sometimes attackers don’t even need phishing emails, because brute force attacks are enough to breach accounts. These attacks involve the automated submission of common or simple passwords against accounts, in the hope that the accounts are secured with weak passwords that are easily breached.
People are often told that they should secure their accounts with long, complex passwords – but they can be difficult to remember, especially if people have many accounts. That can lead to password re-use, the use of simple passwords – or both.
“Human beings can’t remember more than four to five passwords, we get cognitive overload. That’s the way our brains are wired, it is difficult for us to remember passwords, so we can’t just keep loading on different passwords that are increasingly complex and expect people to remember them,” says Daisy McCartney, cybersecurity culture and behaviour lead at PwC UK.
So while telling people to use lengthy, complex passwords is good cybersecurity practice, it’s just not possible for people to remember many different passwords for many different accounts – something that can lead to using weak passwords that cyber attackers can exploit.
One answer to this is for organisations to issue employees with a password manager – software that manages passwords for users, allowing them to use complex passwords for every different account without needing to remember them each time they log in.
Another tool that can be used to keep corporate accounts of remote workers secure is two-factor authentication. This requires additional verification to log into an account, commonly in the form of an alert on an app. This pops up when there’s an attempt to log in to the account and the user will gain access after confirming the login attempt was legitimate.
Two-factor authentication provides an extra layer of defence for accounts – and their users – because it prevents cyber attackers from gaining access even if they’ve hacked or stolen the correct credentials: they also need access to the second element of the authentication.
Such is the extent of that protection, Microsoft says two-factor authentication prevents 99.9% of attempted attacks, so all businesses that have remote – and non-remote – workers should apply it for additional cybersecurity.
One of the big changes the move towards remote working has brought about is removing employees from the protection of the corporate firewall. Working from inside the office provides people with anti-virus and other protections that can help to filter out some attacks.
Now, instead of this, many people are working from their own computer from their homes, where they may not have anti-virus at all – and their home router won’t provide a robust defence against attackers like a corporate firewall would.
Criminals know this and are looking to take advantage with cyberattacks, especially when people – rushed off their feet while balancing working from home with the rest of their life – might unintentionally click on a phishing link or respond to a request that appears to come from a colleague but is actually a cyber criminal.
“Humans are ultimately fallible. Unfortunately it’s the organic matter behind the keyboard, which is often the vulnerable part of the loop,” says Troy Hunt, creator of HaveIBeenPwned and digital advisor to Nord Security.
A VPN – short for Virtual Private Network – provides a protected network connection for remote connections, to the extent that even an internet service provider can’t see what websites are visited or what data is sent. It ultimately acts as something of a corporate firewall while the employee is working remotely.
And providing remote workers with access to a corporate VPN not only helps keep data and communications secure: an organisation can also configure it so that, while the VPN is active, action can be taken to prevent potentially dangerous activity, such as visiting phishing pages and other malicious websites.
But it isn’t fair to put all of the responsibility of staying secure on employees. Enterprise IT and information security departments must continue to play a role in helping the organisation stay safe.
For example, if an employee is suddenly logging in from a strange location or at a strange time and then they’re attempting to access parts of the network that usually aren’t of interest to them, that could indicate suspicious activity that needs to be investigated or blocked.
“We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong,” says Hunt.
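The kind of check described above, a log-in from an unusual place or at an unusual hour followed by access to resources the user does not normally touch, can be sketched as a per-user baseline compared against new events. This is an added illustration, not code from the article or from any product; the log fields, sample records and the one-hour tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (user, ISO timestamp, country, resource accessed).
HISTORY = [
    ("alice", "2021-03-01T09:05", "GB", "crm"),
    ("alice", "2021-03-02T10:40", "GB", "crm"),
    ("alice", "2021-03-03T16:20", "GB", "wiki"),
    ("bob",   "2021-03-01T08:30", "GB", "finance"),
    ("bob",   "2021-03-02T17:45", "GB", "finance"),
]
NEW_EVENTS = [
    ("alice", "2021-03-04T11:00", "GB", "crm"),      # normal
    ("alice", "2021-03-05T03:12", "BR", "finance"),  # new place, odd hour, new resource
    ("bob",   "2021-03-05T23:50", "GB", "finance"),  # odd hour, usual resource
]

def build_baseline(history):
    """Per user: countries seen, login hours seen, resources used."""
    base = defaultdict(lambda: {"countries": set(), "hours": [], "resources": set()})
    for user, ts, country, resource in history:
        b = base[user]
        b["countries"].add(country)
        b["hours"].append(datetime.fromisoformat(ts).hour)
        b["resources"].add(resource)
    return base

def assess(event, baseline, slack_hours=1):
    """Return (verdict, reasons). Odd login context plus unusual access
    escalates to 'investigate'; a single deviation is only 'review'."""
    user, ts, country, resource = event
    b = baseline.get(user)
    if b is None:
        return "investigate", ["no baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if country not in b["countries"]:
        reasons.append("strange location")
    if not (min(b["hours"]) - slack_hours <= hour <= max(b["hours"]) + slack_hours):
        reasons.append("strange time")
    odd_context = bool(reasons)
    if resource not in b["resources"]:
        reasons.append("unusual resource")
    if odd_context and "unusual resource" in reasons:
        return "investigate", reasons
    return ("review" if reasons else "ok"), reasons

if __name__ == "__main__":
    for ev in NEW_EVENTS:
        print(ev, assess(ev, build_baseline(HISTORY)))
```

Requiring both signals before escalating keeps an employee who simply works late from being treated the same as an account showing the combined pattern.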
For many people, the last year was the first time they’d had to work from home and it hasn’t been an easy transition, especially when it happened so quickly, under the pressures of a global pandemic.
“Navigating this really complex topic can be quite scary for people, we need to help them not feel so fearful about it,” says McCartney.
There are also other steps that businesses can take to protect their data. They can make sure that data is encrypted on laptops or other devices so that, if they are lost or stolen, the information is not accessible. On laptops this may simply be a case of enabling encryption; on smartphones it may be a case of introducing some form of mobile device-management software to protect the whole device or the business data on a personal device. Getting staff to use cloud services to store data may be more secure than using USB devices (which can be an easy route to delivering malware to laptops).
Without the right tools and training to help them stay secure, employees may not be confident about keeping secure – but with the right help and support from an employer, it’s possible to adapt to remote work while also keeping safe from cyber threats.