Is Remote Work Insecure?

WFH Makes Cyber Security Challenging

Nate Nelson
EnjoyTech Web
Apr 13, 2021

(image via Alistair MacRobert)

There’s a witticism in the world of security (albeit not a common one) that goes something like this:

There are three ways to break into a building: from the roof, underneath through the floor, or through a wall. So, to stop someone from breaking in, protect the roof, the floors, and the walls.

It’s tongue-in-cheek, of course, but it can be helpful to think in such simplified terms. If you can picture every avenue through which an attacker might break in, you can picture everything you’ll need to do to prevent them from being successful.

Extending this analogy, we can picture a corporate IT network like a building. It’s a single structure with avenues to the outside: the open web, email, vendor portals, and so on. So, to stop a cyber attacker, you do your best to block up these holes with antivirus and security monitoring software, by educating employees about phishing, and so on. A sufficiently motivated hacker might still figure out some way in, but it’ll take a lot of money and effort to accomplish.

(Typical IT network attack surface; image via GRA Quantum)

The thing about remote work is that it complicates this single, coherent image. When employees work from home, a corporate network branches into both physical and cyber spaces beyond what the company itself can easily police. It means having a lot more than just one roof, a floor and four walls to protect.

5 Ways to Hack a Remote Worker

The technical term for what we’re talking about here is “attack surface.”

An attack surface is the sum of all possible avenues an attacker can take towards breaching a system. It includes the roof because there’s a hatch, the walls because they have doors and windows. It’s the security guard standing in front of the doors, because they can be distracted on the job.

If the attack surface of an IT network is like a building, a remote work setup is more like a village. And, sure, it’s possible to put a gate around an entire community. But it takes a whole lot of effort to set up and police.

Let’s consider some of the security challenges that arise when employees aren’t all under the same roof:

(Example of a simple phishing email; image via IT Governance)
  • Phishing: Phishing scams often take the form of an email from a colleague. When everyone’s apart, it’s more difficult to spot such a scam. You can’t walk over to your colleague’s desk and ask “hey, did you send me this link?”
  • Home networks: Hacking directly into home networks is rare (it’s usually just not economical for hackers), but it’s not unheard of either. The more common attack vector is through other devices connected to the same home network. A roommate’s laptop, or a simple IoT device, can transmit nasties over the network onto an otherwise secure work computer.
  • Public networks: As if home security wasn’t bad enough, plenty of folks prefer working in public: in a coffee shop or coworking space (pandemic aside), or the park when it’s nice outside. There are secure ways to use the internet from such spaces but, more often than not, people connect to local WiFi networks. This is so inadvisable that it deserves its own article.
  • Shoulder surfing: Arguably the easiest, most low-tech method of hacking is simply to look over someone’s shoulder while they’re typing in a password or reading a sensitive document. In public, pulling this off is very simple.
  • Remote software: Remote work requires all kinds of software — software for communicating with your team, collaborating on documents and presentations, and so on. Employees must choose wisely, though, as not all software is made equally secure.

Ultimately, all of these concerns stem from one inescapable fact of distanced working:

It’s more difficult for a company to keep remote employees secure than it is for malware on a remote employee’s laptop to reach the company.

Think of it like a steep hill: difficult to go one direction, effortless to go the other.

6 Ways to Secure Remote Work Environments

With all this in mind, we can say that there are two approaches to security in a remote work setup.

The first is to focus on protecting employees from contracting malware. Obvious as it may be, this is no small task.

Let’s review a few different ways a company can help its employees with their cybersecurity.

  1. Training: Many third-party companies offer training in how to spot phishing attacks, and other cyber threats that come up during work. The more knowledgeable an employee is, the better they’ll be at protecting themselves.
  2. VPNs: A virtual private network (VPN) is like a secure, underground tunnel connecting a remote worker with the company network they’re logging onto. Encrypting all traffic makes it much more difficult for an outside party to break in.
  3. Password resets and 2FA: A company can encourage good cyber hygiene among its employees by requiring password resets at regular intervals. And two-factor authentication (through SMS or email or, ideally, via an authenticator app) means that even if a hacker does manage to steal an employee’s login credentials, they won’t be able to use them without the secondary authentication mechanism.
(image via ResearchGate)

The second approach to security in a remote environment is to admit that employees pose an inevitable security risk. In this view, rather than trying to protect every employee from every possible threat, you focus on protecting the company itself from employees. It sounds harsh, but it’s for the greater good. A breach of one employee’s laptop is bad, but a breach of an entire company’s IT infrastructure, and potentially everyone connected to it, is much worse.

Let’s consider a few ways a company can keep its home field secure, even from its own employees.

  1. Privileged access management (PAM): Not every user on an IT network has equivalent privileges. A system administrator will be able to access parts of the network that an intern won’t even know are there. It’s crucial, therefore, that these two accounts be separated in such a way that a breach of one does not equate to a breach of the other. This is the specialty of PAM providers.
  2. Network segmentation: Some IT networks are built like valleys — open, even across, so that it’s easy to travel from one end to the other. More secure networks are built like mountain ranges: uneven, with tall barriers blocking passage from one area to another. Having firewalls and privilege checks between less and more sensitive areas of a network makes it more difficult for malware to transmit from an employee laptop to more sensitive areas of the corporate network.
  3. Network monitoring: This means keeping track of the activity occurring over a network, including the data traveling in and out, in order to catch hackers in the act. It’s a big job that’s almost always done using AI, with human assistance. On its own it’s not sufficient to spot every possible attack, as hackers have all kinds of ways of masking their activity to bypass the AI. Nonetheless, it is a step in the right direction.
(Simple firewall-based network segmentation; image via Illumio)
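
The valley-versus-mountain-range idea can be checked mechanically. The following added example (not from the original article) treats firewall allow rules as a graph and measures how many hops separate a remote laptop from sensitive zones in a flat network and in a segmented one. The zone names and rule sets are constructed for illustration.

```python
from collections import deque
from itertools import permutations

ZONES = ["remote_laptops", "app_servers", "databases", "admin_hosts"]

# Flat network ("valley"): every zone may open connections to every other.
FLAT = set(permutations(ZONES, 2))

# Segmented network ("mountain range"): default deny, only these flows allowed.
SEGMENTED = {
    ("remote_laptops", "app_servers"),
    ("app_servers", "databases"),
    ("admin_hosts", "app_servers"),
    ("admin_hosts", "databases"),
}

def shortest_paths(rules, source):
    """Breadth-first search over allowed flows: {zone: path from source}."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, []).append(dst)
    paths = {source: [source]}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(graph.get(zone, [])):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths

def exposure(rules, source, sensitive):
    """Hops from source to each sensitive zone; None means no path exists.

    Each hop is a separate system that would have to be compromised in turn.
    """
    paths = shortest_paths(rules, source)
    return {z: (len(paths[z]) - 1 if z in paths else None) for z in sensitive}

if __name__ == "__main__":
    targets = ["databases", "admin_hosts"]
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, exposure(rules, "remote_laptops", targets))
```

Run against a real rule export, the same search flags any untrusted zone that has a direct path to a sensitive one.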

Certain solutions may fit some companies better than others. In the end, though, the principle remains the same for any company operating in a remote setup: it is harder to protect a village than a building. It requires more resources, teamwork, and strategic thinking.

Since COVID will be around for a while longer, and remote work may well continue even after, these issues won’t be going away any time soon.

This article was published for EnjoyTech Web. For more information on third-party risk, visit www.enjoytechweb.com.
