Amidst talk of global lockdowns and economic crashes, though, one of the major impacts of the virus has gone slightly overlooked. With millions of workers in the US and worldwide now being forced to work from home, they are more exposed than ever to network security risks.
Many companies have struggled to make remote working more secure for years. During the current crisis, many have been forced to immediately transition to decentralized networks and working practices. The security challenges of decentralized organizations are no longer a niche subject, and new threats are also emerging as a direct consequence of Coronavirus.
In this article, we'll look at the three main ways in which remote working increases the level of cyberthreat faced by your workers and your company. We'll then show you how to mitigate them.
Increased Attack Surface Area
At the most basic level, a remote mobile workforce is a network security risk because of the simple fact that your systems are more accessible to hackers. One of the reasons why analysts have long regarded remote work as a potential disaster is that the sheer number of systems now in use, even in small businesses, provides a huge “attack surface area” for criminals.
In order to mitigate this increased risk, companies will need to look again at the level of access that they grant to their employees. During any transition to remote work, but especially those carried out in rapid response to a global crisis, it is tempting to let staff keep access to every system they could reach when working in-house, only now remotely. This is, in short, a bad approach. You should take the opportunity of transitioning to remote work to conduct a thorough audit of which staff members have access to which systems and limit this access (especially to critical business systems) as far as possible.
In the process of doing so, you will likely find that many customer-facing systems, such as email outreach programs and business texting systems, can be accessed by a large number of employees. This kind of "credential creep" is natural and is not necessarily a problem for "traditional," office-based working practices. In remote working, it can be disastrous.
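The access audit described above can start from a simple export of who holds which grant. The sketch below is an added example, not part of the original article; the CSV layout, role baseline, system names and 90-day staleness threshold are all constructed assumptions.

```python
import csv, io
from datetime import date
# Constructed sample export of access grants: user, role, system, last_used.
GRANTS_CSV = """user,role,system,last_used
alice,support,helpdesk,2020-04-01
alice,support,email_outreach,2019-10-12
bob,sales,email_outreach,2020-03-30
bob,sales,business_texting,2020-03-28
bob,sales,payroll,2019-06-02
carol,finance,payroll,2020-04-02
carol,finance,email_outreach,2020-01-15
dave,engineering,backups,2020-04-03
dave,engineering,business_texting,
"""
# Assumed policy: what each role needs, and which systems are business-critical.
ROLE_BASELINE = {
    "support": {"helpdesk"},
    "sales": {"email_outreach", "business_texting"},
    "finance": {"payroll"},
    "engineering": {"backups"},
}
CRITICAL = {"payroll", "backups"}
STALE_DAYS = 90  # assumed threshold for "no longer needed"

def audit(grants_csv, today):
    """Return (findings, exposure): grants to review and users-per-system counts."""
    findings, exposure = [], {}
    for row in csv.DictReader(io.StringIO(grants_csv)):
        user, role, system = row["user"], row["role"], row["system"]
        exposure[system] = exposure.get(system, 0) + 1
        reasons = []
        if system not in ROLE_BASELINE.get(role, set()):
            reasons.append("outside role baseline")
        last = row["last_used"]
        if not last:
            reasons.append("never used")
        elif (today - date.fromisoformat(last)).days > STALE_DAYS:
            reasons.append("stale")
        if reasons:
            severity = "HIGH" if system in CRITICAL else "review"
            findings.append((severity, user, system, reasons))
    # Critical-system findings first, then alphabetical by user and system.
    findings.sort(key=lambda f: (f[0] != "HIGH", f[1], f[2]))
    return findings, exposure

if __name__ == "__main__":
    findings, exposure = audit(GRANTS_CSV, date(2020, 4, 6))
    for severity, user, system, reasons in findings:
        print(f"{severity:6} {user:6} {system:17} {', '.join(reasons)}")
```

The `exposure` counts show where credential creep has accumulated: in the sample data, three of four users can reach the email outreach system although only the sales role needs it.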
Home Network Security
A second area to be aware of when moving to a remote work environment is that the home Wi-Fi systems that your staff use are likely far less secure than your business network.
You can have the best corporate IT security in the world, but if a hacker can get into an employee's home Wi-Fi, they will be able to access your systems. This is particularly worrisome given that many homeowners have transitioned to “smart home security” systems to protect their house, most of which are now IoT-connected and thus more susceptible to attack.
Reminding your staff of this fact is, therefore, critical to managing your business remotely. You should take the opportunity to remind staff of the importance of strong passwords for their home systems, and ask them to implement encryption on their home networks if possible.
Beyond these simple steps, you should also look in detail at business-critical functions that can be compromised by remote working. For many businesses, the most important of these is the way that they secure backups. Backups are likely to be the largest single source of data being sent between home networks and your business systems and should be locked down accordingly.
Many businesses, in fact, have decided to dispense with centralized backups altogether, and are now using distributed flash storage backups to allow remote employees to recover data without sharing this across the web.
Third, the most direct impact of the COVID-19 pandemic on cybersecurity is that criminals have used the virus to deploy phishing scams. Almost 90% of cyberattacks still begin with a fake email that will attempt to trick staff into giving away key information or login credentials, and currently, many such emails claim to relate to the pandemic.
Mitigating this kind of attack rests on a number of techniques. First and foremost, you should provide your staff with training on how to spot a phishing email, and how to respond if they think they have received one. You should also lock down access to key systems – as we've mentioned above – in order to limit the damage if they are taken in by a scam.
Beyond this, you should also deploy network protection tools that can make hackers' lives harder. Most companies are now making extensive use of virtual private networks, which encrypt the connection between your staff and your business systems and can stop sensitive data being intercepted, read, and used against you.
None of the steps above are new: they have been part of the tips for IT managers moving to remote working for decades. But in the context of the current crisis, many companies are being forced to look at these issues for the first time or being forced to accelerate remote work transitions that were envisaged to take much longer.
It might sound strange, at a time of crisis, to conduct a thorough (and potentially quite slow) audit of user access, and to train staff to use completely new systems. But it is not. If you can use your forced transition to remote working as an opportunity to improve network security, you will have put yourself in a better position to respond to the post-COVID business environment.
In other words, securing your networks now will pay dividends long into the future, because cybercriminals aren't going away.