How to manage the security risk of remote working

By Jon Lucas, Co-director, Hyve Managed Hosting

What was once regarded as a perk of the job has now become an outright necessity. Once an optional luxury in select businesses and industries, remote working is now one of the central pillars of the so-called ‘new normal’, at least where desk-based working is concerned. Even businesses that are keen to get workers back into the office as soon as possible are at least keeping the door open with regards to remote working, such has been the uncertainty of the past two years. According to a new report by Gartner, more than 80% of employees worldwide are expected to be given the opportunity to work from home at least once per week after we’ve emerged from the pandemic. It’s never been clearer – remote working is here to stay. But are businesses adequately prepared to facilitate remote working long-term?

Two years ago, businesses were taking a steady and gradual approach to digital transformation. Those that were already embracing remote working will have already established remote security controls and policies, from virtual private networks and remote desktops, to controlling which devices are able to access certain data and applications. Security policies are extremely complex and nuanced in an office-based environment, so applying similar levels of security to workers logging in from their dining tables at home requires a great deal of planning. However, during the initial stages of the pandemic, time was very much not on the side of business. Businesses that had never even considered letting their teams work from home were suddenly thrust into a sink or swim environment where they simply had to make it work or risk stalling their operations. Security, perhaps unconsciously, took a backseat.

So, now that businesses have had time to navigate the choppy waters of the pandemic and adapt their processes, many will be turning their attention to creating a long-term, sustainable, secure hybrid working environment. They need a modern cybersecurity strategy that’s up to date and fit for purpose, particularly at a time when cybercrime is rising across the board. According to the Identity Theft Resource Center (ITRC) the number of data breaches reported in 2021 eclipsed that of 2020 by as early as October. Clearly, there is work to be done. So where should businesses be focusing their cybersecurity efforts?

Security misconfigurations and human error
You may be surprised to learn that a staggering 65% of cloud network security breaches are due to a simple case of user error. Misconfigurations are by far the most persistent human error issue, leading to everything from accidental compliance violations and unplanned outages, right through to leaving the door wide open for bad actors and malware. Some of the most common security misconfigurations include overly permissive access, such as giving employees at a lower security grade more access than they need to ‘cover them’ long-term; opening ports to known vulnerable hosts; creating rules that bypass the proxy and violating egress policies; and offering access to a zone, subnet or host where it’s not needed. Even prior to the pandemic, back in 2018, IBM revealed a startling 424% year-on-year increase in data breaches due to cloud misconfigurations caused by human error.

Security gating that’s based on users rather than devices
One statistic that’s guaranteed to send a shiver down the spines of CTOs and CISOs everywhere, is that more than a fifth of remote working employees report that their work devices are also used regularly by their family members. This is a common occurrence when security policies are based solely on devices rather than the users of those devices. It’s one thing to limit access to sensitive applications or data to one device, but if that device is being at home and is left logged in, anybody can access it. What’s more, staff may choose to log into their devices to give access to other members of their household, however this is more to do with staff training than it is with security configuration. Businesses are used to taking a ‘least privilege’ or zero-trust approach when it comes to giving devices access to their networks – they should take the same approach with humans.

Using the cloud to its fullest potential
Remote access, by its very nature, is less secure than on-site access. But that doesn’t have to be the case. Smart use of virtual private networks (VPNs) and remote desktop virtualization can give employees the in-house experience while they work remotely, both in terms of performance and security. Tooling up with VPNs and antivirus software will make even less secure channels like WhatsApp and Slack less exposed, keeping your sensitive data secure.

There are inherent risks associated with remote working, but with the right security policies, training and technologies in place these risks can be heavily mitigated. While some businesses might be looking at broadscale SD-WAN or SASE adoption, those that aren’t can still pave the way to a more resilient and sustainable future by embracing tools that are already at their disposal. We’re past the point where remote working can be regarded as temporary, so it’s time to evolve from temporary security fixes.

Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group "Information Security Community"!

No posts to display