In the wake of the ‘new normal’ following the Covid-19 pandemic, we have spent considerable time advising companies on the risks they need to consider and address when supporting remote working.
Since the final lifting of restrictions across England on so-called ‘Freedom Day’ on July 19th, many companies have opted to take a hybrid approach with their workplace. Some are not returning to the office at all, instead opting to go entirely remote. However, as more companies make the switch to a blended working model, the challenges for both the remote worker and traditional management increase. This is something that the government is looking into as it debates the policies and procedures that will need to be implemented, but don’t wait for the green light from Boris Johnson; get ahead of the curve to ensure your workforce is prepared for the challenges around cyber security in a remote working environment.
It’s also important to consider that 85% of breaches contain a human element, according to findings from the 2021 Data Breach Investigations Report*. Educating your employees and providing robust training on cyber security awareness is key to the continuity of your business. We’ve highlighted the main areas of concern that companies should consider when working in these new circumstances:
Risk #1: Unsecured internet applications and web-based applications
Colleagues may be using insecure home connections or public connections to access web-based applications, or they may disconnect from the company virtual private network (VPN) to browse the web, at which point their traffic crosses the untrusted network with no protection beyond whatever each individual website provides.
This threat also includes poorly secured home routers (default passwords, no firmware updates) and working in places such as cafés with public WiFi hotspots. As more people work remotely on a permanent basis, they may look for a change of scenery and choose to work in cafés and other public spaces. This always carries a risk, because people cannot be sure what they are connecting to.
Faking a public WiFi network takes very little. The user only wants an internet connection, and on arrival nobody questions a hotspot that is simply named ‘Café’ or that copies the venue’s real network name; it just needs to be open and anyone can join it. An attacker running such a hotspot, or sitting on the same open network, can observe and tamper with unencrypted traffic and DNS, and can present fake login pages to harvest credentials. The user has no way of knowing who runs the access point, how it is set up, or whether it is legitimate.
Make sure your employees avoid working on public networks wherever possible. Where it is unavoidable, the VPN should be always-on and carry all traffic (no split tunnelling), and a personal mobile hotspot is preferable to an unknown open network.
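As an added illustration (not code from the original IntaForensics article), the Python script below shows the kind of check a cautious user or IT team can run before joining a network. It parses a Wi-Fi scan in the terse, colon-separated format produced by `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` and flags two things: networks that are open, and network names advertised by several access points with different security settings, which is what a cloned ‘Café’ hotspot sitting next to the genuine one looks like. The scan lines are constructed for the example, not taken from a real survey.

```python
"""Flag open networks and likely 'evil twin' access points in a Wi-Fi scan.

Added example, not code from the original article. Input is the terse
output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`, in which
fields are colon-separated and the colons inside a BSSID are escaped as '\\:'.
"""
from collections import defaultdict

# Constructed sample scan (assumed, not a real survey). The second
# 'Cafe_Guest' entry is an open clone of the WPA2 network of the same name.
SAMPLE_SCAN = r"""
Cafe_Guest:AA\:BB\:CC\:11\:22\:33:WPA2:71
Cafe_Guest:DE\:AD\:BE\:EF\:00\:01::68
Cafe:02\:11\:22\:33\:44\:55::80
BTWifi-with-FON:00\:1A\:2B\:3C\:4D\:5E::45
HomeNet:10\:20\:30\:40\:50\:60:WPA2 WPA3:90
"""


def parse_nmcli(text):
    """Return (ssid, bssid, security) tuples from nmcli terse output."""
    networks = []
    for line in text.strip().splitlines():
        # Protect the escaped colons in the BSSID before splitting on ':'.
        line = line.replace(r"\:", "\x00")
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line, skip it
        ssid = fields[0]
        bssid = fields[1].replace("\x00", ":").upper()
        security = fields[2].strip()  # empty string means an open network
        networks.append((ssid, bssid, security))
    return networks


def find_suspicious(networks):
    """Return human-readable warnings for open networks and mixed-security SSIDs."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in networks:
        by_ssid[ssid].append((bssid, security))

    warnings = []
    for ssid, aps in sorted(by_ssid.items()):
        securities = {sec for _, sec in aps}
        # Many BSSIDs sharing one SSID is normal on a large site; the same
        # name with *different* protection (e.g. an open copy of a WPA2
        # network) is the classic evil-twin indicator.
        if len(aps) > 1 and len(securities) > 1:
            warnings.append(
                f"{ssid}: {len(aps)} access points with mixed security "
                f"{sorted(securities)}; one may be an impostor"
            )
        for bssid, sec in aps:
            if sec == "":
                warnings.append(
                    f"{ssid} ({bssid}): open network, anyone nearby can read "
                    "or alter unencrypted traffic"
                )
    return warnings


if __name__ == "__main__":
    for warning in find_suspicious(parse_nmcli(SAMPLE_SCAN)):
        print("WARNING:", warning)
```

On a Linux laptop the live scan can be fed in with `subprocess.run(["nmcli", "-t", "-f", "SSID,BSSID,SECURITY,SIGNAL", "dev", "wifi", "list"], capture_output=True, text=True).stdout` in place of `SAMPLE_SCAN`. The heuristic is deliberately modest: it cannot tell which of two same-named access points is genuine, so the safe response to a warning is to avoid the network rather than to guess.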
Risk #2: Increased attack surface
This can come from migrating data, services, and workloads to cloud IaaS and SaaS environments.
When looking at IaaS and SaaS environments, it’s important to differentiate between the two, because the security responsibility you keep is different. Infrastructure as a Service (IaaS) rents you virtual machines, storage and networks that you must configure, patch and secure yourself, much as you would a physical server. Software as a Service (SaaS) delivers a finished application (email, CRM, file sharing) that the provider runs; you control the user accounts, sharing settings and the data you put in it, but not the underlying servers. In the IaaS case you have comprehensive access to the environment and therefore own most of the security; in the SaaS case your exposure lies mainly in identities, permissions and sharing settings.
As companies move their services online with the advent of remote working, this can open a can of worms for cyber security. To facilitate remote working, a company’s work and access to sensitive data move online with it. Data that used to be reachable only from inside the office is then reachable from the internet, and the only things standing between it and an attacker are account credentials and configuration. Weak or reused passwords, the absence of multi-factor authentication, and over-permissive sharing all make that sensitive information more accessible than it was.
Risk #3: Threats and vulnerabilities relating to misconfiguration errors
From either a lack of cloud security controls, processes, and/or expertise.
When lockdown was first enforced, companies rushed to move their business online to facilitate remote working and continue trading through the pandemic. In that haste, it is understandable that cyber security was not at the forefront of the remote working process, and the security controls and processes put in place for remote working may never have been thoroughly tested. Typical results are storage buckets or shared folders left readable by anyone with the link, remote access services exposed directly to the internet, and administrative accounts without multi-factor authentication.
As we move into the ‘new normal’, it’s important to make sure that security is prioritised and regularly tested, through configuration reviews and penetration testing, as this is what brings misconfigurations to light before an attacker finds them.
Risk #4: Increased use of “Shadow IT” cloud applications
From remote workers attempting workarounds to remain productive, which could include sharing or storing sensitive information on unsanctioned apps.
The potential lack of direct supervision for remote workers may make it tempting to cut corners and shortcut sensible security practices for the sake of perceived convenience. This can quickly create vulnerabilities and risks that, if exploited, could grant attackers access to company data or the company network. Data that leaves sanctioned systems is no longer covered by the company’s access controls, logging or backups, and an account on an unsanctioned service that is later compromised exposes whatever was stored there, along with any company password reused on it.
It also includes the use of shared drives and temporary folders to move company data around. Employees should save work in line with company policy and make sure that copies of work are not left on desktops, in downloads folders or in other unmanaged locations.
This risk also covers untried or unauthorised apps, for example personal Dropbox or OneDrive accounts, where these are not the tools the company has sanctioned.
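As an added illustration (not code from the original article), here is a small Python detection that an IT or security team could run over web proxy logs to find the shadow IT described above: which users are touching consumer file-sharing services that are not on the sanctioned list, and how much they have uploaded. The log lines, the sanctioned-application list and the watch-list of sharing domains are constructed assumptions for the example; a real deployment would use the company’s own proxy log format and its own policy.

```python
"""Find unsanctioned file-sharing use in web proxy logs.

Added example, not code from the original article. Each constructed log
line has the (assumed) shape:
    <timestamp> <client_ip> <user> <method> <host> <bytes_sent> <status>
"""
from collections import defaultdict

# Assumed policy: the services the company actually sanctions for sharing.
SANCTIONED = {"sharepoint.example.com", "box.com"}

# Consumer sharing services worth watching (assumed watch-list). A domain
# may appear in both sets; the sanctioned check is applied first.
WATCHLIST = {"dropbox.com", "dropboxapi.com", "onedrive.live.com",
             "wetransfer.com", "box.com", "mega.nz"}

UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """
2021-07-20T09:14:02Z 10.1.4.22 jsmith GET www.bbc.co.uk 51230 200
2021-07-20T09:15:40Z 10.1.4.22 jsmith POST www.dropbox.com 4823001 200
2021-07-20T09:16:05Z 10.1.4.22 jsmith POST content.dropboxapi.com 31457280 200
2021-07-20T10:02:11Z 10.1.4.57 akhan PUT app.box.com 20971520 201
2021-07-20T10:40:33Z 10.1.4.90 mlee POST wetransfer.com 104857600 200
2021-07-20T11:05:19Z 10.1.4.90 mlee GET onedrive.live.com 2048 200
"""


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_shadow_it(log_text, sanctioned=SANCTIONED, watchlist=WATCHLIST):
    """Per user: unsanctioned sharing hosts touched and bytes uploaded to them."""
    summary = defaultdict(lambda: {"hosts": set(), "uploaded_bytes": 0})
    for line in log_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed line, skip it
        _ts, _ip, user, method, host, sent, _status = fields
        if host_matches(host, sanctioned):
            continue  # approved service, not shadow IT
        if not host_matches(host, watchlist):
            continue  # ordinary browsing
        entry = summary[user]
        entry["hosts"].add(host.lower())
        if method.upper() in UPLOAD_METHODS:
            entry["uploaded_bytes"] += int(sent)
    # Freeze the sets into sorted lists so the result is stable and printable.
    return {u: {"hosts": sorted(e["hosts"]), "uploaded_bytes": e["uploaded_bytes"]}
            for u, e in summary.items()}


def flag_users(summary, threshold_bytes):
    """Users who pushed more than threshold_bytes to unsanctioned sharing sites."""
    return sorted(u for u, e in summary.items()
                  if e["uploaded_bytes"] > threshold_bytes)


if __name__ == "__main__":
    report = find_shadow_it(SAMPLE_LOG)
    for user, entry in sorted(report.items()):
        print(f"{user}: {entry['uploaded_bytes']} bytes uploaded to {entry['hosts']}")
    print("over 10 MiB:", flag_users(report, 10 * 1024 * 1024))
```

Tune the watch-list to the services your policy actually names, and treat the output as the start of a conversation with the user rather than proof of wrongdoing: the lasting fix is usually to make the sanctioned tool easier to use than the workaround.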
Risk #5: Increased use of personal devices and laptops
Which can lead to use by others in the same household, or non-IT managed access to corporate networks and data.
As our Director Damian Walton aptly puts it, this can be referred to as BYOD (bring your own device) or BYOD (bring your own disaster). Whilst personal laptop use could prove to be a saviour to keeping your business afloat, it is imperative to carefully manage this infrastructure.
For example, employees may use their own devices to read their personal email. If they fall for a phishing email in that personal account, malware lands on a personal laptop that is also used to reach the company network. When they next connect to the company VPN, that malware can reach internal systems over the tunnel and spread through the company network.
Another risk factor is employees installing games and their add-ons on the same machine. On a company-owned and correctly managed device this shouldn’t even be possible: restricting what can be installed reduces the chance of malware arriving by accident. On a personal laptop the employee has full administrative control, whereas a company laptop can be locked down to only the access needed to undertake a specific job role.
Moreover, with company devices you can apply group policy (or an equivalent device management profile) to dictate what your employees can and can’t do. A huge benefit of this is removing local administrator rights so that employees cannot install software, which eliminates a substantial amount of risk; application allow-listing takes this a step further by permitting only approved programs to run.
Best practice is to provide your employees with a company laptop or another managed device wherever possible. Additionally, it is pivotal to properly train and educate your staff when it comes to cyber security and their responsibilities.
IntaForensics provides a comprehensive range of security services designed to prevent, monitor, and respond to security breaches.
We have a team of 50 cyber security and digital forensic experts and a growing market presence. Our consultants can assist with digital forensic investigations, PCI DSS QSA and PFI services, cyber security and incident response.
Quality underpins everything we do, and we are proud to be UKAS accredited to ISO/IEC 17025:2017 and certified to ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015.
To find out more about our services, call 0247 77 17780 to speak with a member of our team or fill in our online contact form.