Advances in networking and mobile technologies have enabled remote workforces on a global scale, whether that's employing full-time staff members who live thousands of miles away or simply allowing employees to work while at a conference or at home with a cold.
While remote work policies often hinge on company culture or manager preferences (like Marissa Mayer's controversial ban on remote work for Yahoo! employees), most companies must at the least accommodate a mobile workforce—employees who check their work email via phone at 10pm or diehard workaholics who insist on sending out that memo, even though they're on vacation in Thailand.
Therein lies the challenge.
Always-on access to work documents, emails, and instant messaging/collaboration programs creates loopholes for cybercriminals looking to infiltrate a company's network. "Remote workers are a known weak link in almost every organization’s security profile, which is why threat actors target them," says Justin Dolly, CISO of Malwarebytes. "The farther away from the typical corporate network you get, the less security there is protecting the users. There has always been a challenge managing endpoints, especially with the advent of Bring Your Own Device (BYOD) some years ago."
The most common security challenges for remote workers center on the following:
More devices, more problems
While full-time remote workers often use company-assigned equipment, contract workers or employees who are traveling usually connect on personal devices—especially mobile phones. In addition, some industries, such as education, support even more diverse endpoints, since an ever-changing roster of students and faculty rely on BYOD policies. A combination of personal and company devices, each with potentially different OSes, decentralizes management and makes keeping company data safe a challenge.
And let's not forget the high potential for data leak through lost or stolen devices. According to a 2014 study commissioned by information security firm Imation, nearly one-third of remote workers admitted to losing unsecured and unencrypted mobile devices in a public place.
Insecure connections
Many companies require remote workers to log in with virtual private networks (VPN), but that may be tough to enforce. For convenience, workers may use their own Internet connection or set up in a coffee shop and use public Wi-Fi. Those on business flights or staying overnight in a hotel typically connect on airport or hotel Wi-Fi, open connections being accessed by thousands of other travelers a day.
Public Wi-Fi is insecure by nature—it requires no authentication to connect to the network, allowing cybercriminals to easily intercept the connection and distribute malware. Hackers can also spoof public Wi-Fi networks by creating fake access points that mimic the names of legitimate ones.
If you're in a coffee shop and the shop's Wi-Fi name is COFFEE_SHOP-WIFI, an attacker might name a fake network COFFEE_SHOP_FREE_WIFI. Users would have no idea they had connected to the wrong one, since they'd be able to browse the Internet with no apparent interference. Those connecting to rogue access points can have all of their traffic harvested in plain text, including passwords and other sensitive company data.
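A defender-side check for the look-alike network names described above, as an added example that is not part of the original article. The allowlist, the BSSID values, the filler-word list and the 0.85 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed allowlist: SSID -> BSSIDs (access-point MACs) confirmed as
# legitimate. The MAC values are constructed for this example.
TRUSTED = {"COFFEE_SHOP-WIFI": {"a4:11:62:00:10:01", "a4:11:62:00:10:02"}}

# Filler words often added to make a spoofed network name look plausible.
FILLER = re.compile(r"free|guest|public|wi-?fi")


def normalize(ssid):
    """Lower-case, drop filler words and punctuation, so COFFEE_SHOP-WIFI
    and COFFEE_SHOP_FREE_WIFI both reduce to 'coffeeshop'."""
    return re.sub(r"[^a-z0-9]", "", FILLER.sub("", ssid.lower()))


def classify(ssid, bssid, trusted=TRUSTED):
    """Label one scan result: trusted, unknown-ap, look-alike or unrelated."""
    if ssid in trusted:
        # Same name from an unlisted radio is a possible fake access point.
        # A listed BSSID is not proof either, since MACs can be copied.
        return "trusted" if bssid.lower() in trusted[ssid] else "unknown-ap"
    core = normalize(ssid)
    for name in trusted:
        ref = normalize(name)
        if core and ref and SequenceMatcher(None, core, ref).ratio() >= 0.85:
            return "look-alike"
    return "unrelated"


def review(scan):
    """Return the scan entries a user should be warned about."""
    return [(s, b, v) for s, b in scan
            if (v := classify(s, b)) in ("unknown-ap", "look-alike")]


# Constructed scan results (SSID, BSSID).
SCAN = [
    ("COFFEE_SHOP-WIFI", "A4:11:62:00:10:01"),
    ("COFFEE_SHOP_FREE_WIFI", "02:00:00:aa:bb:01"),
    ("COFFEE_SHOP-WIFI", "02:00:00:aa:bb:02"),
    ("HomeNet-4432", "02:00:00:aa:bb:03"),
]

if __name__ == "__main__":
    for row in review(SCAN):
        print(row)
```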
On the flip side, while remote workers who do not use VPN are at risk, the danger is less severe than if threat actors gained access to the entire network. Remote workers on private ISPs or public Wi-Fi could have their machines infected and their data harvested, but a criminal would only gain access to data contained on that device and not the network at large. If a marketing professional gets hacked, the criminal might see some marketing data, but he won't tap into company financials or proprietary code.
Vulnerable endpoints
With the onus on remote workers to keep their machines updated, there's a lot of room for error. Out-of-date software, plugins, and browsers, plus unpatched and unprotected systems leave remote employees even more vulnerable to attack.
Cybercriminals have been known to target remote workers, developing malware that identifies programs installed on a remote desktop in order to determine whether this particular employee's data is worth gathering. If a remote worker has unpatched systems or isn't running updated security software, he leaves the door open for threat actors to start the attack chain, collecting passwords for FTP clients or recording keystrokes.
Remote workers with unpatched systems are especially vulnerable to malvertising campaigns and their associated exploit kits, which are known to drop ransomware payloads. According to a recent survey by Osterman Research, nearly 40 percent of businesses have been victims of a ransomware attack in the last year—and unprotected endpoints are part of the problem.
"Part of the reason [that there are so many attacks] is that we have people that are using their own devices, and privacy regulations in the US aren't as strict as in other countries," says Mike Osterman, President of Osterman Research. "So there's a lot of information that's not as protected as it needs to be, a lot of endpoints that aren't as protected."
To add insult to injury, remote employees whose systems are outdated or who don't have proper security software run the risk of exposing the entire network to the potential for breach if they connect via VPN.
Say a remote worker using Adobe Flash goes to a trusted website to conduct research. Unbeknownst to that user, the website is hosting malicious ads that deliver exploit kits. Without ever having clicked on the ad, the user can become infected—the exploit kit discovers a vulnerability in Flash and delivers its payload. Now, when that user logs in to VPN using credentials, she's giving cybercriminals access to the company server, the network, the infrastructure, and sensitive data.
Eight ways to protect
So what's a company to do? "Establishing policies that educate remote workers on known pitfalls, while also rolling out software and hardware requirements wherever possible, can give the IT staff some peace of mind," says Dolly. Here are eight ways that businesses can better secure their remote workers.
- Switch to cloud-based storage. Look into cloud services that offer high levels of encryption so that data is not only easily accessible for remote workers on the move, but also better protected from threats like ransomware.
- Encrypt devices, when possible. When assigning laptops or other mobile devices to remote workers, encrypt hard drives to protect any data stored directly on the machine. However, not all security programs work with encrypted devices, so be sure to double check tech specs before doing so.
- Create secure connections to the company network. Remote employees should be connecting to the network through VPN so that their Internet traffic is encrypted. However, to protect the network at large, IT staff should only allow remote users to connect to VPN if their system is properly configured and patched, and their security products are updated and active.
- Roll out automatic updates. Take updating hardware and software out of remote workers' hands by putting their devices on a standard image and activating automatic updates, especially for their security programs.
- Use an encrypted email program. Since checking company email offsite is a common practice, even among in-house employees, using a secure email program that encrypts messages is key. Cloud-based applications such as Mimecast manage business email security for Microsoft Exchange and Microsoft 365, for example.
- Implement good password hygiene. Safeguard against lost or stolen devices by requiring that remote workers (and all employees) use strong passwords that are long and memorable enough that they needn't be written down. Request that employees also password-protect their phones, since phones are the easiest devices to lose, have stolen, or have hacked.
- Increase user awareness. Rather than attempt to restrict personal browsing or monitor other digital behavior (which can actually lead to decreases in employee satisfaction and productivity), IT staff should put an emphasis on user education. Distribute a cybersecurity policy that spells out how to identify phishing emails, tech support scams, and other social engineering tactics that threat actors use to bypass otherwise strong security measures.
- Deploy an endpoint security program. If not already implemented, look into endpoint protection platforms, such as Malwarebytes Endpoint Protection, that can be deployed remotely and managed from a central location. Your endpoint protection platform should also include a strong anti-exploit component in order to shield unpatched programs and legacy systems.
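
One way to express the admission rule from the "Create secure connections to the company network" item, as an added example that is not part of the original article: a device is let onto the VPN only if it reports being patched, encrypted, and running an up-to-date security product. The report field names and the day thresholds are assumptions of this example; the article names the conditions but gives no numbers.

```python
from datetime import date

# Hypothetical thresholds chosen for this example.
POLICY = {"max_patch_age_days": 30, "max_signature_age_days": 3}


def _stale(when, today, max_days):
    """True if the date is missing, in the future (a sign of a wrong or
    tampered clock), or older than max_days."""
    return when is None or not (0 <= (today - when).days <= max_days)


def vpn_admission(report, today, policy=POLICY):
    """Return (allow, reasons) for a device posture report (a dict).
    Missing fields fail closed: an endpoint that cannot show its state
    is treated as non-compliant."""
    reasons = []
    if _stale(report.get("last_os_patch"), today, policy["max_patch_age_days"]):
        reasons.append("OS patches missing or older than policy allows")
    if not report.get("security_agent_running", False):
        reasons.append("security product not active")
    if _stale(report.get("signatures_updated"), today,
              policy["max_signature_age_days"]):
        reasons.append("security product definitions out of date")
    if not report.get("disk_encrypted", False):
        reasons.append("disk not encrypted")
    return (not reasons, reasons)


# Constructed posture reports for two laptops.
TODAY = date(2024, 5, 20)
COMPLIANT = {
    "last_os_patch": date(2024, 5, 10),
    "security_agent_running": True,
    "signatures_updated": date(2024, 5, 19),
    "disk_encrypted": True,
}
UNPATCHED = dict(COMPLIANT, last_os_patch=date(2024, 2, 1))

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("unpatched", UNPATCHED)):
        print(name, vpn_admission(rep, TODAY))
```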