SMALL IN NAME ONLY: TECH TRENDS FOR SMALL BUSINESSES | A ZDNet Multiplexer Blog

The State of Remote Work Security

When everyone’s working from home, security strategies must expand to include BYOD, Wi-Fi, end-user training, and more.

The essential ingredients that have enabled successful remote work in the past year arguably come down to four Cs: cloud, collaboration tools, connectivity, and cybersecurity. By the look of things, remote work is not going away anytime soon. Organizations of all sizes now realize that at-home workers remain productive, and many are planning to let them stay the course, in some cases, permanently. 

It's something of a double-edged sword, though. The increase in cloud usage translates to a larger attack surface that businesses must contend with. According to a March report by Cybersecurity Insiders (registration required), 86 percent of 287 IT professionals surveyed said they intend to support their remote workforce even after the pandemic is officially over. 

Despite this large proportion, however, three-quarters of respondents noted that they still had serious concerns regarding the security risks of their remote workforce. Topping the list of most pressing remote work security concerns were user awareness and training (57 percent), Wi-Fi network security (52 percent) and the potential leaking of sensitive data (46 percent). 

Security risks introduced by remote workers

Remote work remains a work in progress, especially where security is concerned. Once organizations got through the basic operational challenges of moving people out of the office, IT had to contend with people relying on home networks to get corporate resources running in different locations and clouds. 

Employee-owned devices also created a 'wild west' environment for administrators, who struggled to establish some endpoint security standards. 

Fast-forward a year, and most organizations feel that they have built a better security posture, thanks to the use of secure VPNs or new secure access service edge (SASE) technologies. But other research reveals that many IT organizations remain concerned about the security risks introduced by remote users, cloud resources, and SaaS apps. 

The ongoing work-from-home model means that the traditional, 'hardened perimeter with firewalls at office locations' model is dissolving rapidly. Remote access is no longer an edge case; it's the primary case, and the importance of secure remote access management has never been greater.

Business owners agree. "The first thing I did after COVID hit and we moved to a remote environment was to secure our identity and access management," says John Ross, CEO of Test Prep Insight, an online education company. Ross deployed a platform that uses multi-factor authentication to ensure that users who log onto the network are who they say they are.

"It is not cheap, and it is a little more cumbersome for employees when logging into our network," he adds, "but it gives me peace of mind at night."

Ross also updated the company's security policies to require that all employees use two-step verification for certain software programs, and to mandate that they never use public Wi-Fi. "It may be a little paranoid, but I also feel that cybersecurity risks are greater than ever," he says.

Without the protection of office-based security protocols such as firewalls and blacklisted IP addresses, home-based workers are exposed to far more cyberattacks targeting VPNs, phishing schemes, and attempts to crack passwords, says Ouriel Lemmel, CEO and founder of WinIt, an app that lets drivers manage and dispute parking/traffic tickets.

Employers have little control over the devices remote workers use or where they use them, he adds. 
To minimize the risks, Lemmel suggests mandating that only workplace devices be used "and no company information should be accessible without two-factor authentication. Policies also need to be applied regarding the handling of company information in public places and the accessing of non-work-related websites or third-party services," he says.

In some cases, the remote work model has necessitated bringing in third parties to augment security. Robert Johnson, founder of woodworking company Sawinery, also sees a rise in phishing attempts since the pandemic began.

"Companies must create and invest in a competent IT group … to scrutinize and oversee [their] cybersecurity," Johnson says. "This means that installing firewalls is not enough... These security measures must be available to all employees working online or outside working premises."

Enter zero trust

Charles Edge, CTO of Bootstrappers, which invests in early-stage startups in the Midwest, recalls a recent conversation he had with a CISO that got him thinking about constant, repetitive attacks. "His point was that we all know the basics, and those looking to exploit our systems haven't necessarily gotten more sophisticated. But they have gotten more persistent," Edge says. "And so a small, even temporary, lapse in best practices can result in a breach."

Even before employees were sent home, many cybersecurity practitioners had been working toward a zero-trust model of security, he says. "But the past year has only hastened those types of implementations for every system we use."

At this point, everyone in the company must be granted the least amount of privileges they need, Edge says. Access management solutions must verify – every time – that systems are in the appropriate state and that connections are secure. It's important to adjust access privileges and protocols based on where and how the user is accessing company resources, too. 

And it can't be said enough: Employees remain the weakest link, and organizations must remain vigilant about training.

"Unfortunately, the best technology available cannot provide protection for data where personnel have not properly implemented the technology, fail to comply with policies, or have not been trained about key threats," says Kimberly Verska, managing partner and CIO of the law firm Culhane Meadows PLLC. "With respect to the first two, personnel need clear written rules… Best practices dictate that each person agree in writing once the policies have been adopted by the firm's management."

In part 2 of this story, we'll focus on what happens when businesses transition to hybrid models, with workers coming into the office some of the time. Stay tuned!