Your employees can fire off emails from their iPhones while waiting to check out at Whole Foods, edit Google Docs on iPads once their kids give the devices back after Peppa Pig marathons, and track leads in Salesforce while sitting in the park with a laptop. But the ease of working remotely also increases the difficulty of keeping your company’s information secure.
To maintain personal privacy and protect sensitive business information, employers need to make remote workers aware of cybersecurity threats and develop ways to reduce risk. Of course, on-site employees face security hazards, too. Haven’t you repeatedly warned them about downloading suspicious files? But vulnerabilities shift as you move to a remote workforce, with your team on different networks, and some using personal equipment. You also lack an on-site IT guru walking through your office, checking for potential risks.
Kudos if your business has already implemented cybersecurity monitoring tools that can block threats from anywhere. Extra credit if you switched to trusted cloud-based file storage solutions for your company’s sensitive data. Despite your best efforts, though, cybercriminals constantly evolve their tactics, trying to stay one step ahead, and they may be able to bypass your protections. Remote work can open up new cracks that you need to seal.
Don’t Get Caught on Phishing Hooks
Although phishing attacks can hit any employee, your remote team could be particularly susceptible. Since phishing attacks rely on tricking employees into giving up sensitive data, your remote workers could be prime targets, especially staff new to working from home.
Consider that a remote worker might be getting more emails than an on-site employee. So an email supposedly coming from IT to reset a password might not seem strange if your employee is used to communicating with this department over email. Or a parent working remotely may rush to respond to messages during their baby’s one-hour naptime and may not notice some of the warning signs of a phishing message, like spelling errors or unusual sender IDs.
During COVID-19, phishing attacks have evolved to match the shifts in workers’ behavior. For example, cybersecurity software company Abnormal Security reported in July 2020 that attackers have sent highly convincing phishing messages to more than 50,000 email accounts. These messages pretend that the recipient’s Zoom account has been suspended and prompt users to visit a landing page where they can enter their Microsoft Office 365 login credentials to “fix” the issue. Because the landing page is a trick, however, that login data winds up in the hands of attackers who then have access to employees’ Office 365 accounts—and your company’s information.
As Abnormal Security explains on its site, “The importance of Zoom as a communications method is essential in a world under the shadow of the COVID-19 pandemic. Thus, the user may rush to correct their account, click on the malicious link, and inadvertently enter credentials on this bad website.”
So how can you help your remote employees keep your company data safe? For one, you can ramp up employee education on phishing attacks so your team can more easily recognize warning signs. KnowBe4, a security awareness training platform, provides resources on what to watch out for, and companies can use platforms like KnowBe4 to send test phishing messages to employees. Companies like Abnormal Security also offer anti-phishing software, which adds protections such as automatically blocking suspicious emails beyond the ones your spam filters pick up.
Businesses also should require employees to use two-factor authentication. With this extra step in place, even if an attacker snags an employee’s password, the hacker still needs the second method of authentication. Having to enter a code received via text message after entering login credentials seriously decreases the risk of hackers being able to access important data and information.
Expand Your Network Protections
Just because your remote employees have the flexibility to log in while sunbathing on the patio doesn’t mean they should ignore preventative security measures. Staying alert for phishing attempts is one thing, but browsing the web, downloading files, accessing cloud applications, and conducting other activities online creates additional risks.
In an office, all web traffic goes through the network protections such as firewalls that a company has in place, and your IT experts can configure all corporate devices with the latest anti-malware software. But your remote employees may be using personal devices that lack solid security software, and their home WiFi network is almost certainly not as secure as a corporate one. And who knows if a next-door neighbor is a world-class, black-hat hacker?
Tools like virtual private networks (VPNs) can extend protections by encrypting traffic coming from a remote employee’s network, essentially making it as though an employee is logging in from your company’s office.
That said, VPNs are not foolproof, with potential security issues ranging from the VPN provider itself to employees forgoing VPNs so they can more easily connect to websites and applications. Even if employees know they should, say, connect to their work email via a VPN, if the technology doesn’t work well or is overly complex, they may decide instead to check their email via their personal smartphone.
“Remote access VPN falls short because users typically connect to a gateway for access to data center applications, and then disconnect from the VPN to get better performance (but less security) when accessing cloud and internet applications,” explains cybersecurity software firm Palo Alto Networks in a product sheet for its Prisma Access solution. Prisma Access works in the cloud, so whether your employees use personal or corporate devices, the solution can provide protections such as blocking access to malicious websites and helping ensure that employees’ use of cloud applications follows your corporate security policies.
Stay Out of the IT Shadows
Shadow IT services sound spooky, and they can be if they lead to security breaches.
Shadow IT essentially refers to your employees using applications or other technology outside of the purview of IT teams. Maybe you have a remote worker who uses a data analysis tool on their own without informing IT. The external tool might not have the security standards your company wants, or your employee might have non-secure settings within an app. This puts your data at risk.
Although shadow IT can creep in through any employee, remote workers are potentially more vulnerable. For example, your remote employees may need more communication, collaboration, and project management tools than do on-site workers, to make up for lost in-person interactions. If your company uses clunky tools, employees may take matters into their own hands and find the apps that work for them. After all, you hired them to solve problems, right?
As with phishing, educating your remote workforce on this security issue can help reduce risk. Technology can also play a role. Programs like the Microsoft Cloud App Security solution analyze activity on a corporate network to identify shadow cloud apps and services. You get a report of the assigned risk and can take action accordingly.
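The kind of analysis described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor's product: it reads web proxy log lines, ignores services IT has approved, and ranks the remaining apps by how much data employees uploaded to them. The log format, the domain names, and the use of upload volume as a stand-in for risk are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: cloud services approved by IT (hypothetical domains).
SANCTIONED = {"sanctioned-mail.example", "sanctioned-docs.example"}

# Constructed proxy log: timestamp, user, method, URL, bytes uploaded.
SAMPLE_LOG = """\
2020-07-14T09:02:11Z alice POST https://sanctioned-docs.example/save 5120
2020-07-14T09:05:40Z bob POST https://upload.analytics-tool.example/import 48000000
2020-07-14T09:06:02Z bob GET https://app.analytics-tool.example/dash 300
2020-07-14T09:15:27Z carol POST https://notes-app.example/sync 20000
2020-07-14T10:01:09Z alice POST https://app.analytics-tool.example/import 2000000
corrupted entry without fields
2020-07-14T10:30:00Z dave GET https://sanctioned-mail.example/inbox 150
"""


def registrable(host):
    """Group subdomains under their last two labels.
    Assumption: no multi-part suffixes such as .co.uk in the logs."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def shadow_report(log_text, sanctioned=SANCTIONED):
    """Return (app, users, requests, bytes_uploaded) for every app not on
    the sanctioned list, largest upload volume first."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of failing the report
        _, user, _, url, sent = parts
        host = urlsplit(url).hostname
        if not host:
            continue
        app = registrable(host)
        if app in sanctioned:
            continue
        entry = stats[app]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += int(sent)
    rows = [(app, sorted(e["users"]), e["requests"], e["bytes"])
            for app, e in stats.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for app, users, requests, sent in shadow_report(SAMPLE_LOG):
        print(f"{app}: users={users} requests={requests} uploaded={sent}")
```

An app that several employees push large volumes of data into is the first one to review with its users and either approve, replace, or block.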
Look on the Bright Side of Remote Work Security Risks
Although remote work can create new security risks, you don’t need to rush to bring employees back into your onsite office. If your leadership team, IT team, and the rest of your employees chip in with resources and some effort to increase security, the benefits of remote work remain within reach.
Think of remote work security risks as blessings in disguise. Although remote work can have more security risks, it also can help you become more aware of issues like shadow IT or phishing expeditions—which occur offsite or on. Remote work prompts your business to confront these issues so you become an even stronger company in the long term.