Remote work is here to stay and, as the most recent COVID-19 pandemic declaration is beginning to demonstrate, it can be a highly effective disaster mitigation and recovery strategy when implemented properly. However, too many companies and other organizations have been caught unprepared technologically, and attackers have been waiting for just such an opportunity to pounce. My intent here is not to argue the merits or drawbacks of remote work in its various forms as a daily practice, but rather to highlight some of its inherent risks when implemented on such a vast scale so quickly under the impetus of external factors.
The first of these risk factors is social. Various studies have shown that at least a majority of human communication takes the form of body language and other nonverbal cues. Lacking inflection, tone, and posturing, many of the electronic communication media that so easily facilitate remote work also make it harder to distinguish legitimate from illegitimate communications unless the workforce is effectively trained and adept at identifying attempts to mislead them into taking actions harmful to the organization. Take email, for instance. We all get bombarded daily with attempts to steal passwords, data, and documents, also known as Phishing. Spear Phishing, however, is becoming much more prevalent and is essentially a more highly targeted form of routine Phishing. Spear Phishing leverages publicly available information on a person to either manipulate or impersonate them. It can often be hard to detect, especially when relying predominantly on email for communication amongst your newly remote workforce.
When you work in an office and you receive an email from someone two cubicles over telling you they need “all the company payroll data,” it is easy to verify the validity of that request with a short walk, a discussion about the rationale, talking to a supervisor to ascertain the person’s authorization to access the information, and responding accordingly. What equivalent processes are in place for your remote workforce? It can be done, but typically involves a more asynchronous form of communication; you send a message, move on to other work whilst awaiting a response, and proceed from there. But what if the message was far more urgent? The recipient would then have to make a snap decision on the validity of the request, and this is a tactic that attackers leverage to coerce their intended target more effectively, especially if the “request” seemingly comes from someone in a position of authority. That split-second decision, especially when the request is perceived to come from an authoritative resource within the organization, can make or break your company. This is why mandatory training on common social engineering attacks (like Phishing) should be implemented routinely (i.e., annually at the very least), especially for anyone participating in remote work. Making so-called “cyber hygiene” training a mandatory requirement for remote work participation is also a good idea. Doing so will inform your remote workforce of the processes used for validating and responding to requests while helping them more easily identify and report the malicious ones.
Training is great, but it can’t do everything. The second risk factor is purely technological. The systems and tools you use to facilitate remote work are crucial to success, but they now also play an outsized role in the security and confidentiality of your data. It is inevitable that some employees will attempt to leverage personal devices for work-related tasks. What sort of controls does your organization have in place to manage corporate data, even if processed using a personal device? A solid mobile device management (MDM) suite along with data rights management (DRM) policies will help prevent leakage or loss of sensitive data on portable devices, even those personally owned by employees. For instance, Office 365 has exceptional MDM and DRM policies and filtering that can be set up rapidly to prevent the transmission of sensitive data, like financial information and social security numbers. MDM can also provide functionality to remote-wipe a device if lost and enforce security protocols such as strong passwords and data encryption. Even better, Microsoft provides their comprehensive Security and Compliance Center to visualize threats, alerts, and other critical information pertaining to the overall security posture of your organization. This is just an example of one provider offering; there are many others. It’s more important that you leverage the tools you have effectively than to choose one particular vendor over another. Companies that specialize in these types of remote security management can provide cost-effective expertise to mitigate the biggest cyber threats that a remote workforce creates and help prevent hundreds of thousands or even millions of dollars in breach remediation costs.
The last portion we will discuss here is policy. Training, Policy, and Technology form a sort of “iron triangle” of basic cyber preparedness. Without one side, the rest will fall. Policy need not be bureaucratic to be effective, contrary to many practices. A solid set of policies and documentation will guide employees on what to do and what not to do while standardizing your response to incidents and your implementation of security procedures, and will provide a reporting structure so everyone is properly informed and knowledgeable, regardless of their workplace location. Essential policies that your organization should already have go beyond simple things like password requirements and deeper into areas such as electronic resource availability (e.g. file sharing), personal device usage (e.g. BYOD), connectivity requirements (e.g. VPN usage, email, etc.), physical workplace restrictions, and contingencies in the event of a breach or loss of connectivity. Defining and describing these things ahead of time will go a long way in preparing your workforce for the security challenges of remote work. It will also provide a standard “playbook,” so to speak, from which everyone within your organization can operate. Once policies are in place, it is a good idea to have employees review and sign them along with a comprehensive remote work agreement that outlines their responsibilities, duty hours, requirements, and other attributes. Many companies have standardized templates and can help you get started quickly with such policies, but they are of little use if not enforced. Enforcement of policies requires discipline, as it would be easy to make exceptions for every little bump in the road, but that is not safe. While your chosen policies should not hinder the work of remote employees, they still have to ensure the safety and security of your data that is now being transmitted off-site. There is a balance, and each organization has to find theirs based on its risk profile and what level of risk is considered acceptable to its operations.
I’ve gone over some of the basics of remote work security, focusing on the core attributes of training, policy, and technology. This is a framework from which to get started with securing your corporate data as it moves out of the office and across the country. Keep in mind there are other aspects, legal and supervisory for example, that aren’t covered but are also important. Many companies will also have far more complex requirements, and should not hesitate to retain experts in implementation for the simple reason that an ounce of prevention is worth a pound of cure. The “cure” in this instance is the remediation of the often disastrous and costly effects of a breach, which include loss of customer confidence, legal fees, higher insurance premiums, and lost business. As the size of the world’s remote workforce increases year after year, every organization should be prepared to take advantage, even if only to mitigate the impact of external factors on business operations. To stay ahead of the curve, however, leaders must be aware of the ever-shifting landscape of tools, technologies, and threats to such operations, and the best way to do that is to rely on experts.