The delta variant continues to dash or delay return-to-work plans, but before your company institutes work-from-home-forever plans, you need to ensure that your workforce is prepared to face the cybersecurity implications of long-term remote work.
So far in 2021, CrowdStrike has already observed over 1,400 "big game hunting" ransomware incidents and $180 million in ransom demands averaging over $5 million each. That's due in part to the "expanded attack surface that work-from-home creates," according to CTO Michael Sentonas.
Despite the rise in attacks, only one in five companies is confident its infrastructure security can support long-term remote work, and only 7.5% are confident that their security protections are adequate against phishing and ransomware attacks in the remote-work context, according to a recent survey of 200 North American businesses from IT firm Sungard Availability Services.
So what can you do to make sure your remote employees are properly equipped to protect against cyberattacks? Here are eight things to consider according to cybersecurity professionals.
Secure the home Wi-Fi network. Remote workers need to make sure they're on at least WPA2 encryption, according to Caroline Wong, chief strategy officer at Cobalt, a remote-first "penetration testing as a service" startup. Older security protocols like WEP and WPA have been broken and are considerably less secure. Another thing remote employees can do to protect their home network is to consider hiding the network name (SSID) from neighbors, said Wong.
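As an added example (not code from the article, Cobalt or any quoted expert), the following Python audits a Wi-Fi scan in the shape of `nmcli -t -f SSID,SECURITY dev wifi` output and flags every network that does not meet the "at least WPA2" bar. The scan text is constructed, not captured. It goes slightly beyond the text: WPA3 is accepted, and a WPA2 network that still offers WPA1 is reported as "mixed", because mixed mode lets clients fall back to TKIP.

```python
"""Flag Wi-Fi networks whose security is below WPA2 (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample in the terse, colon-separated shape that
# `nmcli -t -f SSID,SECURITY dev wifi` prints. Not real scan data.
SAMPLE_SCAN = """\
HomeNet-5G:WPA2 WPA3
HomeNet-Guest:WPA1 WPA2
CornerCafe:
OldRouter:WEP
Neighbour:WPA1
Airport-Free:WPA2 802.1X
"""


@dataclass
class Finding:
    ssid: str
    security: str
    verdict: str   # "ok", "mixed", "weak" or "unknown"
    reason: str


def assess(security: str) -> tuple[str, str]:
    """Classify one SECURITY field; returns (verdict, reason)."""
    tokens = set(security.split())
    if not tokens:
        return "weak", "open network: all traffic is sent unencrypted"
    if "WEP" in tokens:
        return "weak", "WEP keys can be recovered from captured traffic"
    if "WPA3" in tokens:
        return "ok", "WPA3 (SAE) is the current standard"
    if "WPA2" in tokens:
        if "WPA1" in tokens:
            return "mixed", "WPA2 offered, but WPA1 fallback (TKIP) is still enabled; disable WPA1"
        return "ok", "WPA2 with CCMP"
    if "WPA1" in tokens:
        return "weak", "WPA (TKIP) is deprecated and attackable"
    return "unknown", f"unrecognised security field: {security!r}"


def audit_scan(text: str) -> list[Finding]:
    """Parse terse nmcli lines into findings, one per network."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # nmcli escapes colons inside SSIDs, so the last colon always
        # separates SSID from SECURITY; rpartition keeps escaped SSIDs intact.
        ssid, _, security = line.rpartition(":")
        verdict, reason = assess(security)
        findings.append(Finding(ssid, security, verdict, reason))
    return findings


def weak_networks(text: str) -> list[str]:
    """SSIDs that fail the 'at least WPA2' bar outright."""
    return [f.ssid for f in audit_scan(text) if f.verdict == "weak"]


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f"{f.verdict:<8} {f.ssid:<16} {f.security or '(open)':<14} {f.reason}")
```

Run against a live machine by replacing `SAMPLE_SCAN` with the output of the `nmcli` command above; the "mixed" verdict is the one home routers most commonly produce, since many ship with WPA/WPA2 mixed mode on by default.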
Don't depend on your employees to protect themselves. Sure, you can tell people to secure their networks, but, these days, the reality of remote work is that it happens not just at home, but in coffee shops, at the airport, in Airbnbs and other places that are vulnerable to attack. So it's important to issue a corporate device with pre-installed and regularly updated malware protections, and to have identity and asset management systems, such as multi-factor authentication, in place, according to Shawn Burke, the global CSO of Sungard AS.
Prepare for people to do company work on personal devices. Even if you provide employees a company-issued laptop, odds are they'll still want the ease of accessing corporate data on personal devices. Consider using a mobile device policy, which is basically a way to remotely set up a security policy and push security controls, said Gartner Senior Research Director Thomas Lintemuth. That being said, "People get freaked out if you're trying to manage their device," so it's important to communicate that these programs are meant to "keep the bad guys out of your personal stuff" and that the company will not use them to track employees' personal information, said Grant Moerschel, VP of product marketing at SentinelOne.
Consider the "people" risk: kids, roommates and partners. This is a concern especially for companies like McKinsey, which often deals with confidential documents that could be seen, screenshotted or shared by other people in the household, according to Venky Anant, a partner in McKinsey's tech, media and telecom practice. Be diligent about setting automatic screen locks, and consider employing a virtual desktop so that corporate data is stored securely at headquarters rather than on a personal laptop, recommends Kathleen Moriarty, the CTO of the Center for Internet Security.
Be alert for more targeted, emotion-driven phishing attacks. Attackers in the age of coronavirus are capitalizing on your emotions and anxieties, and there's been a significant rise in phishing attacks that use COVID-19 as a lure, Moriarty added. Be wary of tailored messaging that preys on your desire to access vaccine information.
Expect to spend more on cybersecurity. Multi-factor authentication is expensive, and so is scaling up VPNs and other solutions to handle more simultaneous usage. One way of dealing with the added cost could be to implement access control segmentation, with stronger controls reserved for the people and systems that need them. For example, an engineer might require more security than a graphic designer, said Wong.
Aim for zero trust. An increasingly popular buzzword in the cybersecurity community, the "zero trust" model assumes that you can't trust anyone, and everyone is treated as a potential malicious actor. Authentication and controls are at every point of entry, and everything that's important is protected. That can be costly as well as theoretically productivity-impeding, but as John Kindervag, one of the original proponents of zero trust, puts it, "It's okay to occasionally block something good as long as you're not letting something bad in."
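As an added example (not from the article, Cobalt, or Kindervag), the following Python shows how the tiering Wong describes and the zero-trust stance Kindervag describes combine in one per-request access decision: deny by default, require MFA on every request no matter where it comes from, and demand a managed device only for the tier that warrants it. The roles, resource names and policy table are assumptions for illustration.

```python
"""Per-request, deny-by-default access decisions for a tiered policy (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    role: str                 # hypothetical roles: "engineer", "designer"
    resource: str             # hypothetical resources, see RESOURCE_POLICY
    mfa_verified: bool        # MFA completed for this session
    device_managed: bool      # corporate device enrolled in management
    on_office_network: bool   # recorded, but deliberately not a trust signal


# Assumed tiering (hypothetical): who may touch what, and what extra posture
# each resource demands beyond a verified identity. An engineer's resources
# demand more than a designer's, matching the segmentation described above.
RESOURCE_POLICY = {
    "design-assets": {"roles": {"designer", "engineer"}, "require_managed_device": False},
    "source-code":   {"roles": {"engineer"},             "require_managed_device": True},
    "prod-db":       {"roles": {"engineer"},             "require_managed_device": True},
}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, f"unknown resource {req.resource!r}: default deny"
    # Zero trust: being on the office network earns nothing; identity is
    # checked on every request, so an unauthenticated office request is denied.
    if not req.mfa_verified:
        return False, "MFA required on every request, office network included"
    if req.role not in policy["roles"]:
        return False, f"role {req.role!r} is not entitled to {req.resource!r}"
    if policy["require_managed_device"] and not req.device_managed:
        return False, f"{req.resource!r} requires a managed device"
    return True, "allowed"


def evaluate(requests: list[Request]) -> dict[str, bool]:
    """Decide a batch; keyed by user and resource so results can be compared."""
    return {f"{r.user}->{r.resource}": decide(r)[0] for r in requests}


if __name__ == "__main__":
    sample = [  # constructed requests, not real traffic
        Request("dana", "designer", "design-assets", True, False, False),
        Request("dana", "designer", "source-code", True, True, True),
        Request("eli", "engineer", "prod-db", True, False, True),
        Request("eli", "engineer", "prod-db", False, True, True),
        Request("eli", "engineer", "prod-db", True, True, False),
    ]
    for r in sample:
        ok, why = decide(r)
        print(f"{'ALLOW' if ok else 'DENY ':<6} {r.user:<5} {r.resource:<14} {why}")
```

The third and fourth sample requests are the zero-trust point: an engineer sitting on the office network is still denied, once for an unmanaged device and once for missing MFA, while the designer on a personal device at home gets the lower-tier asset with MFA alone.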
Educate, educate, educate. And gamify it. At Zoom, employees participate in an annual security awareness training complete with prize competitions that divvy out company swag or UberEats credit. Training has to be embedded in the culture of the company, said CISO Jason Lee, who also recommends monthly fake phishing attempts to test for employee preparedness.