Is Remote Working a Cybersecurity Risk?
The Covid-19 pandemic had a huge impact on employment. Perhaps one of the most important effects was the rise in remote working. Some workers chose to work remotely to protect themselves - others were asked to as part of a plan from their company to help limit the spread of the virus among members of staff.
Many businesses worried that productivity might be an issue for remote staff - but statistics have shown that, after a large part of the workforce worked remotely during the pandemic, employers found that productivity either stayed the same (67%) or actually improved (24%).
However, one consequence of remote work that employers were not necessarily so alert to was the issue of cybersecurity. Cybersecurity was already a hot topic and a challenge for companies across the world, and it has been suggested that having staff work remotely actually increases your cybersecurity risk.
Here we take a look at whether remote workers pose a cybersecurity risk to companies, and what businesses can do to mitigate that risk.
A greater variety of devices
In an office environment, it’s more likely that an employee will use a single device for all of their work. This device will likely be protected behind the company firewall as well as various other cybersecurity processes and software already in place. But away from the office, things are different.
Remote working often means employees making use of their own devices. This can lead to a lot of work being done on a laptop, while emails might be accessed through a mobile device, and even meetings taken on a tablet. Using more devices increases the number of places cybercriminals can attack, especially as some of these devices may not be as secure as others.
“Mobile security often gets forgotten about,” says Michael Cowley, Head of Pre-Sales at Redscan. “However, with more of us working remotely and using our own personal devices to access corporate information, its importance shouldn’t be overlooked.”
“If your business doesn’t have one already, consider creating a formal mobile device management policy that mandates employees to protect personal devices with numeric or alphanumeric passwords, use antivirus software and configure automatic software updates to stay on top of vendor security patches.”
Out of date software
Sometimes it is the little things that really matter to good cybersecurity. In a traditional working space, the IT team ensures that all relevant hardware and software is kept up to date at all times as a matter of course.
With remote workers, it is not necessarily as easy to ensure that all patches and updates are being installed as soon as possible.
“Cyber attackers will regularly look to take advantage of systems that haven't received the latest security updates by deploying malware with exploits that target those particular flaws,” says Danny Palmer at ZDNet. “That might be as part of an intentional attack on a particular company, or the organisation could be caught in the cross-fire of a more general attack that takes advantage of a particular exploit.”
It is important for businesses’ IT teams to factor this issue into their policy and ensure that all remote staff are keeping their devices up-to-date and patched.
Phishing and social engineering
Phishing remains one of the most common forms of cyberattack. And unfortunately, it is common because it can be so effective. Cybercriminals send an email that takes the guise of something or someone that the receiver would trust. This could be anything from a password reset email from the work system to a message directly from the HR department asking for personal information.
This type of phishing can be a form of social engineering, where staff are tricked into giving away details without even knowing that anything has gone awry.
Of course, this kind of phishing attack can take place against office staff - however, it has been noted that phishing attacks have risen significantly during the Covid-19 pandemic, and much of that is down to the fact that cybercriminals see an opportunity.
Indeed, it can be harder for staff to verify whether an email has come from a legitimate source if they are away from their normal work environment. It is also possible that staff are more likely to have their guard down at home.
The most effective solution to this issue comes through education. Teach staff how to spot fraudulent emails and what to do if they suspect they are being targeted.
The rise of shadow IT
Shadow IT refers to applications and software that are installed on a work device without the knowledge of the IT team. It might not sound like a big deal, but it can actually be a huge issue from a cybersecurity perspective.
In the office, the IT team is able to closely monitor the software and applications being used by staff. If a member of the team wants to use a new piece of software, the team can take a look to make sure that it doesn’t have any flaws or weaknesses that could potentially compromise the cybersecurity measures put in place.
We have already discussed, however, that away from the office, staff can use a much broader range of devices to access sensitive company data. If apps and software are installed on these devices that present a backdoor for cybercriminals, it can render all of the cyber defences ineffective.
Staff should make sure that they provide information on all of the devices, applications and software that they use at home, and also ensure they get specific permission from the IT team before installing anything new.