Many companies now allow employees to work from home for at least some of the week. The number of companies allowing remote working increased by 300% from 1996 to 2016, according to a Gallup poll. In 2016, Gallup found that 43% of employees said they spent at least some time working away from their co-workers.
Then came the COVID-19 pandemic, which forced companies to allow virtually their entire workforce to work from home as countrywide lockdowns were introduced. Lockdowns have now been eased and employees are returning to their offices, but many have got used to home working and want to have the option to continue. Since many employers noticed no drop in productivity – some even saw productivity increases – it is likely that some employers will continue to allow employees to work from home if preferred. A study by Cartridge People in the UK found 32% of UK office workers were planning to continue to work from home after the lockdown was eased.
Remote Working Increases Security Risks
While productivity may not decrease and employees may be happy with some employees working from home, home working is not without its risks. There are security concerns with remote working. It is harder for IT teams to secure devices and networks when the workforce is spread geographically and is not under the protection of the corporate firewall. With many workers connecting to their corporate networks remotely, it becomes harder to identify malicious connections. It is also much easier for threat actors to attack remote workers who connect to the Internet via consumer-grade routers, which are often never updated and have many security holes.
With office workers, it is easy to check whether a request to change bank account information, or another out-of-band request, is genuine. All it takes is a quick visit to the employee’s desk. While phone calls can be made, performing these checks is more time consuming and complicated with remote workers. The pandemic also forced many companies to allow their employees to work remotely using their personally-owned devices, which may lack the security measures implemented on corporate-owned devices.
There are also many distractions in the home that are not present in the office, which can increase the risk of mistakes being made, such as responding to a phishing email. Many employees have reported working longer hours during the COVID-19 lockdown and have felt pressured to do so, or at least to check their emails outside of standard office hours in an effort to show that they are present and productive.
These long hours and the reduction in true off-time, along with the distractions in the home, can make mistakes more likely. Mistakes are more likely to occur when workers are stressed, tired, or distracted. One recent study conducted by a Stanford University researcher found 47% of employees who fell for a phishing scam were distracted, and 57% of remote workers said they are more distracted working from home.
The boundaries between home and work life become blurred with home working, and there is a tendency for work computers to also be used for personal purposes, especially personal internet access, which further increases risk.
Managing Home Working Security Risks
Remote working is here to stay, but employers have a responsibility to their remote workers and must take steps to ensure that those workers remain productive and do not feel overworked, and to reduce the risk of burnout, cases of which have increased during the pandemic.
Steps must also be taken to ensure that cybersecurity doesn’t suffer. Additional measures should be implemented to reduce the risks associated with home working. With phishing the leading cause of data breaches, taking steps to improve protection against phishing attacks is a good place to start.
It is essential for cybersecurity training to be provided to the entire workforce, but especially remote workers. If workers are not taught how to identify phishing emails, they cannot be expected to spot a phishing email when one lands in their inbox. Training needs to be provided frequently and should include training on the new techniques being used by phishers. Phishing email simulations should also be conducted to identify employees that are susceptible and to single them out for further training.
Anti-phishing solutions need to be implemented to block phishing emails at source. No single solution will provide total protection, so it is best to implement multiple overlapping layers of protection to block phishing and other email-based cyberattacks. If you are using Office 365, you will have Microsoft’s Exchange Online Protection (EOP) in place, which is provided free with the license. You should also layer a third-party solution on top of EOP, as many phishing threats bypass EOP. TitanHQ has developed SpamTitan to work seamlessly with Office 365 and to complement Office 365 antispam and anti-phishing protections, greatly increasing protection against phishing and social engineering attacks.
Phishing attacks usually have an email and web-based component. Users click links in emails and are directed to malicious websites where credentials are harvested. A web filter will help to protect against the web-based component of the attack by preventing employees from visiting known phishing websites and by blocking malware downloads from the Internet. WebTitan, for example, can be used to protect both office and remote workers with no latency.
These protections will help you to block phishing attacks, but should one succeed and credentials be obtained, multi-factor authentication will help to prevent the credentials from being used to access accounts. Not all MFA solutions are created equal, so it is important to evaluate each solution to ensure it does not affect usability.
It is also important for Virtual Private Networking (VPN) solutions to be used for remote access, but these are not without their weaknesses. VPN software must be kept up to date as vulnerabilities are targeted by threat actors. MFA for VPN logins must also be used. It is also important to log all events and to monitor those logs for signs of compromise and investigate any anomalous behavior.
With these measures in place, employers and employees can enjoy the benefits that come from remote working while effectively managing and reducing security risks.