
Join our mailing list

Subscribe to the TSC newsletter to receive exclusive news and advice
  • 26 October 2023
  • 8 min read

What are the security risks of remote working?

Discover the security risks of remote working and how to prevent them. Dive into essential practices to shield your organisation from potential threats.

During the pandemic, remote and mobile working was seen as a means to an end: to keep productivity, operations and the economy moving as offices and transport networks shut down. But, post-pandemic, remote working has stuck around and, for many organisations, is the only way they work now. This has led to a significant rise in the security risks of remote working, and it's time we address them.

To put it into context, Gartner reports that 18% of remote workers have no interest in returning to the office and 50% of all employees will continue to work remotely long after the pandemic. Office for National Statistics (ONS) data for the period between September 2022 and January 2023 reveals that 44% of UK workers were classified as home or hybrid workers.

However, this shift towards remote work brings a multitude of cyber security risks that organisations and employees should be vigilant about. In fact, since the beginning of the pandemic, cyberattacks on remote workers have increased by 238%.

The debate about whether remote workers pose a greater cyber security risk than their in-office counterparts continues. But threat actors aren't picky; they exploit vulnerabilities and target unsuspecting employees, regardless of their location. Statista reports that 72% of organisations express significant concern over the online security risks their remote employees face.

This article delves into the critical cyber security risks of remote working and offers a comprehensive guide to the best practices for ensuring a secure remote work environment.

15 Common Cyber Security Risks of Remote Working

A Malwarebytes Labs report reveals that 20% of organisations experienced a breach because of a remote worker, highlighting the growing concern about remote work security risks. So, what risks does remote working create?

Let us explore 15 common cyber security risks that remote workers face:

1. Phishing and Social Engineering Attacks

Remote workers are prime targets for phishing and social engineering attacks. In these scenarios, cybercriminals craft convincing emails, messages, or phone calls designed to trick employees into revealing sensitive information or downloading malicious software. The isolation of remote work can amplify the effectiveness of such tactics, as employees may not have immediate access to colleagues or IT support to verify the legitimacy of such communications.

2. Weaker Cyber Security Infrastructure

Unlike centralised office environments with robust security measures, remote work settings usually lack the same level of security infrastructure. Home networks, for instance, are typically less secure, making them susceptible to cyberattacks, including unauthorised access, data breaches, and malware infections.

3. Neglecting Essential System Updates

Failing to regularly update operating systems, software applications, and security patches can leave remote workers vulnerable to known exploits. Cybercriminals actively seek outdated systems as entry points into the corporate network.

4. DDoS Attacks Cutting Off Remote Workers

Distributed Denial of Service (DDoS) attacks can overwhelm an employee's internet connection, rendering them unable to work. With remote workers relying heavily on internet access, the impact of DDoS attacks can be especially disruptive to operations, reputations, and employee digital safety.

5. Lack of Employee Oversight

The physical absence of employees from the office can result in a lack of oversight, making it easier for employees to engage in risky online behaviour. Furthermore, security teams often struggle to monitor and enforce security policies effectively in remote work environments.

6. Unsecured Wi-Fi Networks

Remote workers often use unsecured public Wi-Fi networks or poorly protected home networks to access corporate resources. These networks can be compromised, allowing cybercriminals to intercept data or launch attacks on remote devices. This is a massive cyber concern for remote workers; so much so that the US Cybersecurity & Infrastructure Security Agency (CISA) issued a specific warning on network exploitation last year.

7. Slow Incident Response Times

In remote work settings, identifying and responding to security incidents can be delayed due to the absence of immediate physical presence. The time it takes to detect and mitigate threats can significantly impact the severity of an incident. Velocity Smart Technology’s remote working report reveals that not only have 70% of remote workers experienced IT problems during the pandemic, but 54% had to wait for more than three hours for issues to be resolved. Furthermore, IBM’s Cost of a Data Breach report reveals that organisations with a remote workforce took 58 days longer to identify and contain a breach when compared to office-based organisations.

8. Expanded Attack Surface

Remote work environments expand an organisation's attack surface, as it encompasses not only the corporate network but also the various personal devices and home networks used by remote workers. Each of these becomes a potential entry point for cyber threats. Check Point’s Workforce Security Report reveals that 51% of organisations allow remote access to corporate applications via personal mobile devices, 52% allow access from personal laptops and 32% allow access via third-party devices.

9. Personal Device Risks

Bring Your Own Device (BYOD) policies, while convenient, introduce a level of risk. Employees using personal devices for work may not have the same security measures in place, and they may inadvertently expose sensitive company data to security threats. According to Cisco’s Benchmark report, organisations are finding it difficult to manage the cyber security of phones and mobile devices used by remote workers.

10. Public Risks/Shoulder Surfing

Working in public places like coffee shops or airports exposes remote workers to physical risks such as line-of-sight snooping and shoulder surfing. Individuals with malicious intent might engage in spying on screens or overhearing conversations to gain unauthorised access to sensitive information.

11. Weak Passwords

Insecure and easily guessable passwords present a considerable risk. Remote workers who use weak passwords are more vulnerable to unauthorised access and data breaches. The use of multi-factor authentication (MFA) is a critical defence against this risk.

12. Cloud Security Misconfiguration

Misconfigurations in cloud services can expose sensitive data to unauthorised access. Remote workers who interact with cloud-based applications must understand the importance of proper configuration and access controls.

13. Webcam Hacking/Zoombombing

As remote work relies heavily on video conferencing tools, the risk of webcam hacking or "Zoombombing" is a growing concern. Attackers can access video streams and disrupt virtual meetings, leading to privacy breaches, reputational damage, and data breaches.

14. Remote Work Complacency

The isolation of remote work can sometimes cause employees to underestimate security risks. They might become complacent or ignore security best practices, potentially exposing the organisation to cyber threats. Data Basix reveals that 47% of employees cited distraction as the reason for falling for a phishing scam while working from home.

15. File-Sharing Risks

Sharing sensitive documents and files without adequate security measures can result in data leaks and breaches. Remote workers must understand the importance of secure file sharing and data encryption to mitigate this risk.

15 Best Practices for Remote Working Cyber Security

Cyberattacks worldwide surged 38% last year, and this upward trend shows no sign of slowing. Understanding cyber security best practices, especially for remote workers, becomes critically important in light of these rising threats.

Let’s explore the best practices to combat remote work security risks:

1. MFA/2FA (Multi-Factor Authentication/Two-Factor Authentication)

According to Zipdo, 50% of businesses allow remote workers to access their organisation’s IT network without any multi-factor authentication. Implement MFA/2FA across all systems and accounts. This practice provides an additional layer of security, requiring remote workers to supply multiple forms of verification (such as a password and a temporary code) before gaining access, significantly bolstering protection against unauthorised access.

2. Password Manager Usage

Encourage remote workers to use a reputable password manager. These tools generate strong, unique passwords for each account, store them securely, and automatically enter them when needed. This minimises the risk of weak passwords or password reuse and increases password security.

3. VPN Usage (Virtual Private Network)

According to Zipdo, only 43% of employees use VPNs when working remotely. Enforce the use of VPNs to create secure, encrypted connections between remote workers and company resources. This shields data from interception, especially when employees are accessing the corporate network over unsecured Wi-Fi connections.

4. Implement a Work-From-Home Security Policy

Develop a comprehensive work-from-home security policy that outlines best practices and guidelines for remote workers. Ensure that it covers security measures, acceptable device usage, and remote access procedures. Ensure that it is readily accessible.

5. Avoid Public Wi-Fi

Remind remote workers to avoid public Wi-Fi networks for sensitive work-related tasks. When public Wi-Fi is necessary, using a VPN becomes even more critical for added protection.

6. Keep Work Data on Work Devices

Encourage employees to keep a clear separation between work and personal data on their devices. This minimises the risk of individual apps or accounts compromising corporate information.

7. Block Sight Lines to Prevent Shoulder Surfing

Remote workers should arrange their workstations to prevent unauthorised individuals from viewing their screens. This is especially important when working in public places.

8. Never Leave Devices Unlocked

Stress the importance of locking devices when not in use or when stepping away from your desk/workstation. Automated locking and strong, unique passwords or biometric authentication enhance the overall security posture.

9. Run Regular Software Updates

Set up a routine for software updates, not just for operating systems but also for applications and security patches. Regularly updating devices ensures that vulnerabilities are promptly addressed. Instead of making this an employee responsibility, log software updates as mandatory for employees in calendars and via internal communication channels.

10. Be Cautious When Sharing Your Screen

Caution remote workers to be selective when sharing their screens during network calls or presentations. Always verify the content that will be displayed and limit screen sharing to what is necessary.

11. Manage Digital Footprint and Information Shared on Social Media

Employees should be educated on the potential risks of sharing personal or work-related information on social media. Oversharing can provide attackers with valuable information for social engineering attacks.

12. Webcam Cautions

Encourage the use of webcam covers or software controls to disable the camera when not in use. Webcam hacking is a real threat, and remote workers should be proactive in protecting their privacy.

13. Centralise Your Organisation's Data

Keep company data centralised in secure, cloud-based, or on-site storage systems. This eases data management and minimises the risk of data dispersion to unsecured locations.

14. Map All Remote Connections

Security teams should employ tools and practices to map and monitor all remote connections. Full visibility into remote work environments is essential for early threat detection and response.

15. Prioritise Accessible Cybersecurity Training

Unfortunately, 30% of remote workers do not get regular training from their employers and Data Basix reveals that 44% of employees receive no cyber security training on the threats of working from home. This must change. Ensure that remote workers have easy access to cyber security policies, training materials, and resources. Promote ongoing education and awareness to keep employees up to date on the latest threats and best practices.

By expanding on and rigorously implementing these best practices, organisations can create a fortified defence against the cyber security risks associated with remote work, ensuring the safety of their valuable data and operations.
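Several of these practices (MFA, VPN usage, keeping work on work devices, and mapping remote connections) can be checked from remote-access logs. The sketch below is an added example, not part of the original article: it builds a per-user connection map and lists sessions that break those policies. The log format, field names and sample records are constructed for illustration and will differ from what a real gateway emits.

```python
# Added example: the log format and field names are hypothetical (constructed).
from collections import defaultdict

SAMPLE_LOG = """\
2023-10-02T08:01:13Z user=asmith src=203.0.113.10 device=LT-0042 managed=yes via=vpn mfa=yes
2023-10-02T08:05:47Z user=bjones src=198.51.100.7 device=bjones-phone managed=no via=vpn mfa=yes
2023-10-02T08:09:30Z user=cwong src=192.0.2.55 device=LT-0077 managed=yes via=direct mfa=no
2023-10-02T09:15:02Z user=asmith src=198.51.100.99 device=LT-0042 managed=yes via=vpn mfa=yes
malformed line without fields
"""

CHECKS = {  # field -> (value that complies with policy, finding name)
    "mfa": ("yes", "no_mfa"),
    "via": ("vpn", "no_vpn"),
    "managed": ("yes", "unmanaged_device"),
}
REQUIRED = {"user", "src", "device", *CHECKS}

def parse_line(line):
    """Return a dict for one session record, or None if it is unusable."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not REQUIRED.issubset(fields):
        return None  # blank, truncated or malformed record
    fields["ts"] = parts[0]
    return fields

def map_connections(log_text):
    """Build a per-user connection map plus a list of policy findings."""
    conn_map = defaultdict(lambda: {"sources": set(), "devices": set()})
    findings, skipped = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count, rather than silently drop, bad records
            continue
        entry = conn_map[rec["user"]]
        entry["sources"].add(rec["src"])
        entry["devices"].add(rec["device"])
        for field, (ok, name) in CHECKS.items():
            if rec[field] != ok:
                findings.append((rec["ts"], rec["user"], name))
    return dict(conn_map), findings, skipped

if __name__ == "__main__":
    conn_map, findings, skipped = map_connections(SAMPLE_LOG)
    for ts, user, name in findings:
        print(f"{ts} {user}: {name}")
    print(f"{len(conn_map)} users mapped, {skipped} unparseable line(s)")
```

Counting unparseable lines matters as much as the findings: a gateway that starts logging in a different format would otherwise look like a day with no policy violations.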

Why Your Organisation Needs a Remote Security Policy

A staggering 47% of organisations now offer employees the option to work remotely full-time, and an impressive 82% permit work from home at least one day a week. Remote work is here to stay, and organisations must adapt to the evolving cybersecurity landscape.

Recent peer-reviewed studies, though on a limited control group, suggest remote workers often exhibit more robust cyber security behaviours than their on-site peers. Yet, the threat level remains high. The shift to remote work has bumped up the average data breach cost by $137,000.

By acknowledging the security risks of remote working and adopting the best practices from this article, you can boost your organisation's cyber security and protect remote workers from threats.

Developing comprehensive remote and office cyber security policies is vital in supporting the integrity and security of an organisation's data and operations in this digital age.

At The Security Company, we specialise in boosting cyber awareness and tackling issues such as remote work security risks through transformative human behaviour strategies. Through our tailored subscription services, targeted and customised eLearning and awareness materials and our behavioural assessments, we're committed to helping organisations like yours instil long-term, security-conscious behaviours.

Our method is distinct. We begin by diving deep into your team's current mindset, pinpointing lax behaviours, security gaps and departments in need of focus and attention. From there, we craft tailored solutions that encourage better cyber practices from your employees. With comprehensive training and seamless integration into your current systems, we're here to fortify your team against modern cyber threats and be your trusted cyber security and awareness partner.

Ready to take the next step?

We can help you to formulate an effective and comprehensive cyber security training and awareness program for your organisation.

Do not hesitate to contact us for further information.

Written by
Nas Ali
Cyber security and awareness content creator focused on emerging threats and the next wave of cyber security risks like AI, deepfakes and tech 4.0 initiatives in order to build towards a more secure organisational culture.
