The gradual trend towards remote working has been expedited by recent events, and now businesses and employees alike find themselves adapting to moving almost everything online to accommodate a distributed workforce. Obviously, this has a massive impact on how we behave and how we work, which inevitably has an impact on security culture.
In this blog, we’ll discuss what we consider to be the main challenges and questions that arise from moving to a remote working model, and how both management teams and employees can make good decisions about security.
It may seem harmless to send an email containing a spreadsheet or a project proposal to your personal email address in order to have easy and quick access whenever you need it. But doing so is risky for a number of reasons.
The bottom line is, sending sensitive information to your personal email accounts increases the risk of data exfiltration, both from insider threats and outsider threats. You can read more about this – including how to prevent data exfiltration – in this article.
While for now, most of the world is working from home, “working remotely” can extend to a number of places. You could be staying with a friend, catching up on emails during your commute, or getting your head down at a café. Of course, to do work, you’ll likely rely on internet access.
While connecting to public Wi-Fi is not encouraged, the risks can be managed if the right systems are put in place.
As an employer, you should ensure that any services an employee must connect with over the internet (such as a web portal for your email or time tracking app), are only served over HTTPS. This is the encrypted version of HTTP, which is used to transfer data over the web. Using HTTPS ensures that all data transmitted between your network and the employee’s device is encrypted.
For any services that should not be offered over the internet but that employees will require access to, you should enable them to connect via a VPN.
As an employee, here’s what you can do to be safe:
Importantly – and despite many articles written stating the contrary – using a personal mobile phone as a hotspot to connect a work laptop to the corporate network can actually raise more concerns than connecting via public Wi-Fi.
From a security perspective, any device used to connect to your network could be a risk. Why? Because there’s no way for a company to effectively manage the software and security of devices they do not own. If a phone is being used as a hotspot and has already been compromised by an attacker, it’s possible it could be used to pivot to the corporate network. Any connections made over HTTPS will still be encrypted, of course, but it’s still important to weigh up the risks and err on the side of caution.
This may be easier to understand with an example.
Let’s say you open a malicious attachment from a phishing email on your mobile device. If that malicious attachment contains spyware, hackers can (rather easily) infiltrate your phone. That means that if you then connect to your company network on your laptop via your phone’s hotspot, hackers will have a foothold into your company network, too.
Top tip: Any personal devices used in this way should fall under the domain of your corporate “Bring your own device” (BYOD) policy. Each organization’s policy will be different, so it’s best to check with your IT and security teams before you consider using a hotspot as a workaround in the case of limited access to Wi-Fi.
For many organizations, cloud services have replaced company local networks to store, manage, and share information. While it’s fair to say that the transition from office-to-home is certainly easier with cloud storage, there are still some security concerns that must be addressed in order to lock down your sensitive information.
Most concerns center around the perceived risks of allowing someone else to host your data. And, because it’s stored on the “cloud” it can – in theory – be accessed by anyone on the internet with the right credentials. In the worst case, this could be an attacker who comprises a user laptop or guesses a weak password.
But, there are several ways to ensure your cloud system is secure. Organizations considering moving to a cloud system should consider:
Not sure how to navigate these considerations? Concerns about standards and support can all be worked out during the contract stage, and many companies offer secure and resilient storage. It’s no different to any risk assessment phase when purchasing a new service.
At Tessian, we use Google Drive.
It’s still necessary to put in the work to ensure that your data is stored in the correct places, and appropriately secured, just as you would with a local storage solution.
Folders should be structured and locked down with appropriate access permissions to ensure that only users who are authorized to view the contents can do so. For example, you can restrict access to and sharing with people outside the corporate network. In addition, requiring two-factor authentication for Google accounts is very important.
Remote-working means an increased reliance on conferencing, chat, and other collaboration applications to stay in touch with colleagues. All such applications come with security considerations.
IT and security teams must be clear with employees about what sort of information can be shared over these applications, after assessing their suitability. Without clear guidance, employees may act in ways that are less than secure in order to do their jobs, which means comprehensive policies and procedures must be put in place and communicated clearly across an organization.
We share our criteria for vetting and onboarding new tools in our blog, 11 Tools to Help You Stay Productive and Secure While Working Remotely. You’ll also find a list of tools we use across departments to stay connected while working remotely.
Additionally, it’s important to ensure employees understand which applications should be used to share which kinds of information and where the design of the application itself may lead to a compromise.
For example, a screenshot of a conference call or online meeting may reveal information that would be useful to an attacker; such as a Zoom meeting ID that allows anyone to join that meeting without a PIN. If such a screenshot were shared online, this could be exploited by an attacker and give them unlimited access to private, internal communications.
Working on devices outside of the office, even in a home environment, carries additional risks. There is always the potential for an attacker to get physical access to a device.
In the home environment, employees should be reminded that their devices are gateways to sensitive information. They should always lock devices, and make sure they’re secured with good passwords or, in the case of mobile phones, 6-digit PINs or complex swipe codes.
Employees should also make sure that devices aren’t left in plain sight, such as near windows at home or on a passenger seat if travelling by car. This will help prevent opportunistic theft.
While it may sound unlikely, you should always assume that devices might be stolen. In fact, in an organization of reasonable size, it will almost certainly happen. That means that encryption should be used to protect the data on them, and employees should know exactly when and how to report thefts to the support team. This ensures that the devices can be wiped if they are activated.
Any organization that has a remote-working policy in place should also provide employees with privacy screens for their laptops, and encourage them to always work in positions that minimize line-of-sight views of their device screens by others.
This has the added benefit of showing clients or other professional contacts that the business takes security seriously.
“Hi, I’m on vacation right now, returning April 15th. If it’s urgent, you can contact me directly on my personal number or email below, or my line manager at…”
It’s human nature to want to be helpful. When setting an out-of-office message, therefore, we often try to give the recipient as much information as possible to help them out. However, it’s important to consider whether that information really needs to be shared, and whether it might be useful to an attacker.
When planning a spear phishing attack – a type of phishing attack that is targeted at a specific individual or small set of individuals – an attacker will try to gather as much open-source intelligence about their target as they can in order to make the email as believable as possible.
Phone numbers, alternative email addresses, details about company structure and reporting lines, and other data points are all things that could be useful to an attacker.
Again, businesses should make sure employees are aware of these risks and should provide them with a simple template for OOO messages alongside guidance on how and when to forward important emails while away.
During this transitional period, we think it’s incredibly important to provide everyone – our employees, our customers, and our community – with as much information as possible. With that said, you may also find the below links helpful in getting your team set up to work remotely.