Remote working is now the norm across many industries but remains a huge security risk if implemented incorrectly.
As we’ve previously reported, 50 percent of knowledge workers still say they are not allowed to work from home, but this is changing quickly. LinkedIn’s 2019 Talent Trends report found there has been a 78 percent increase in job posts mentioning workplace flexibility since 2016. That’s partly because, according to a survey done by FlexJobs, only 7 percent of workers believe they’re most productive while in the office, as we pointed out in our guide to remote working.
There is a tendency, particularly among cybersecurity professionals, to blame individual users for some of these security vulnerabilities. That criticism is sometimes justified: as we’ve previously reported, 28% of smartphone users don’t use screen lock even when working remotely, and the level of security awareness of the average remote worker remains low.
On the other hand, insecure user behavior is often caused by the systems that companies have put in place to allow them to work remotely. Making small changes to the way that workers operate off-site, such as mandating biometric security for mobile devices, can have a huge effect on their behavior.
In this article, we’ll look at why remote working remains such a huge source of risk for companies, and how you can increase network security for remote employees.
The Dangers Of Remote Working
The dangers of remote working can be broken into three major factors: theft, connectivity, and access.
Theft, believe it or not, continues to be a major source of risk for employees working remotely. Finding a laptop or a smartphone that has been left on a train is still a common way for hackers to gain access to corporate systems. This is despite the fact that companies should have locked down these devices long ago, and told employees not to write their password on a sticky note that has been stuck to the device.
Second, there is the broader problem of connectivity. Passing commercially sensitive data between corporate systems and remote machines is always going to be risky, but in many sectors this is still done over standard, unencrypted web protocols. Traffic sent this way is very easy for an experienced hacker to intercept, particularly if employees are using public WiFi networks to exchange this information.
Third, there is the problem of access. The theft of a device, or the interception of the data it is using, is not such a huge problem if remote employee access to critical systems is properly controlled. It is still pretty common for companies to grant the same privileges for remote workers as those they have when in the office, but this is a huge mistake. It potentially allows an attacker total access to corporate systems in the event of a successful hack.
The Balance Between Productivity and Security
All this said, there is a balance to be struck when it comes to implementing remote working protocols. New research from digital services provider Capita illustrates this balance very well. Only half (52%) of the 2000 UK knowledge workers Capita surveyed said that remote working was an option for them. Even fewer, just 14%, said they were encouraged to use their own device.
The most important finding of this research, however, was that the vast majority of employees (92%) said they believe it’s the organization’s job to secure remote working, yet over two-fifths (42%) claimed current security policies make it difficult to do their job.
In short, employees believe that it is their employers’ responsibility to show them how to stay safe when working remotely, and how to store their data securely when doing so. Yet, many of these same employees are frustrated at the security policies that their employers have put in place to protect them and their data.
These data also point to a deeper truth: companies need to strike a balance between allowing their workers to work remotely, and giving them the tools to do so, whilst also ensuring that they don’t grant inappropriate access to remote machines.
In reality, many of these problems are caused by the fact that remote working systems are often deployed ‘on top’ of legacy systems that were not designed to be used in this way. When granting an employee remote access to simple software tools, such as digital marketing tools, timesheet management software, or even simple blogging platforms, companies generally use remote desktop clients. The problem with doing this is that, if an employee’s remote desktop session is hijacked, a hacker is going to have access to all of the information stored on the corporate machine.
The solution to this problem is to compartmentalize systems and to move as many systems as possible to cloud models. This is, in fact, a huge growth sector within the cybersecurity marketplace, which is quickly transitioning from large service contracts to more SaaS-like business models, offering huge benefits in terms of accessibility. Employees working remotely can access SaaS products without the need to expose an entire corporate network.
Compartmentalization should take place at every level. Corporate systems should be locked down so that hackers cannot move laterally between them. Cloud storage should be implemented in a secure way by using secure alternatives to Dropbox (which is still the most popular small-scale cloud storage solution). Some companies take this approach even further, and create a separate remote working network that contains the data required by employees when they are off-site, but does not permit access to critical systems.
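As an added illustration (not taken from the original article or from any product), the sketch below audits an access policy for the two mistakes described above: remote sessions that carry the same privileges as office sessions, and remote access that reaches beyond a dedicated remote-working segment. Every role, system and segment name is a constructed assumption.

```python
# Added example: every system, role and segment name here is constructed.
SEGMENT_OF = {
    "cms": "remote-work", "timesheets": "remote-work",
    "file-share": "corporate",
    "payroll-db": "critical", "domain-controller": "critical",
}
# Only these segment-to-segment flows are permitted; everything else is denied.
ALLOWED_FLOWS = {("corporate", "remote-work")}

# Systems each role may reach, split by where the session originates.
POLICY = {
    "marketing": {"office": {"cms", "timesheets", "file-share"},
                  "remote": {"cms", "timesheets"}},
    "finance":   {"office": {"payroll-db", "timesheets"},
                  "remote": {"payroll-db", "timesheets"}},
    "it-admin":  {"office": {"domain-controller", "file-share"},
                  "remote": {"domain-controller"}},
}

def is_allowed(role, location, system, policy=POLICY):
    """Default deny: unknown roles, locations and systems get no access."""
    return system in policy.get(role, {}).get(location, set())

def can_move(src_system, dst_system):
    """Lateral movement check: same segment, or an explicitly allowed flow."""
    src, dst = SEGMENT_OF.get(src_system), SEGMENT_OF.get(dst_system)
    if src is None or dst is None:
        return False
    return src == dst or (src, dst) in ALLOWED_FLOWS

def audit_policy(policy=POLICY):
    """Flag roles whose remote grants repeat the mistakes described above."""
    findings = []
    for role, grants in sorted(policy.items()):
        office, remote = grants.get("office", set()), grants.get("remote", set())
        if remote and remote == office:
            findings.append((role, "remote-equals-office", sorted(remote)))
        outside = sorted(s for s in remote if SEGMENT_OF.get(s) != "remote-work")
        if outside:
            findings.append((role, "remote-outside-segment", outside))
    return findings

if __name__ == "__main__":
    for finding in audit_policy():
        print(finding)
```

In this sample policy the finance role is flagged twice and it-admin once, while marketing, whose remote grants stay inside the remote-working segment, passes.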
Segmenting IT systems in this way also has many other benefits. Because employees (whether working remotely or not) access the various parts of a corporate system independently of each other, the chances of a hacker being able to compromise the whole system are greatly reduced. As Capita IT & Networks’ head of workspace and collaboration, Ian Hart, put it to InfoSecurity Magazine:
“By replacing traditional desktops and applications with a more user-centric and modern IT environment, organizations can have better control over the sensitive material they need to protect, while allowing employees to work more flexibly and safely from any location.”
The Bottom Line
In short, remote working remains a major source of vulnerability for companies. That said, the productivity boost that it affords means that it remains attractive for many. Addressing these security risks need not be hard, but does require that companies take the time to transition from legacy systems that are not designed to be operated from remote machines.
Often, even a little extra effort can go a long way. If you can make your systems even slightly harder to crack than those of your competitors, this is commonly enough for a hacker to move on in search of a ‘softer’ network to compromise.