A Microsoft survey in relation to the pandemic asked companies to rank their top security investments. The top five responses were multi-factor authentication, endpoint device protection, anti-phishing tools, VPN, and end-use security education. These all relate to remote work.
Global quarantine orders created the largest remote workforce in history that suddenly transformed how people function, and the ways companies manage their employees. This massive shift reinforced the need for security teams to focus on the end-user and their experience. For remote workforces to function properly, they need technology that gives them on-demand access to necessary resources. Making this possible, safely and securely, requires a concerted effort to extend security features, such as MFA and endpoint device management, to protect their companies and employees while they are working remotely.
The need for improved security for remote workers requires more resources; however, the ongoing economic conditions often require lowering costs. The Microsoft survey found most leaders increased budgets for security and compliance (58 and 65% noting an increase), while 81% of respondents also reported pressure to lower security costs overall. IT is therefore tasked with protecting their company’s networks from the remote work-related threats while operating with leaner budgets. Doing this effectively will require multiple strategies to make sure your network is secure with the shift to remote work. Here are three examples on how broader security can be achieved.
1. Manage Shadow IT Activities
Employees accessing services and applications outside of corporate IT are known as “shadow IT” activities. Most remote workers engaging in this practice aren’t “bad actors”, they are simply filling knowledge or process gaps with a familiar and easy-to-use technology tool. This often involves using “risky” apps to interface with colleagues and/or sharing company resources through unsecure communication platforms and file sharing services.
Preventing the risks of shadow IT requires companies to proactively plan for remote work’s challenges. What will remote workforces want to collaborate with, get access to, or share with each other or customers? And how can IT make that possible with as little friction and risk as possible using current or new tools? For example, could the firm use a secure platform (such as GOFBA CHAT) instead of vulnerable chat apps to protect file transfer and communication?
Managing shadow IT requires a multi-pronged strategy:
- Educate your remote workforce about the risks of shadow IT. Don’t just give them a list of approved apps and platforms but give them context about the dangers and how they can impact their jobs and the company.
- Monitor your network to find the current assets, spot anomalies, and respond to threats quickly and effectively.
- Use vulnerability scanning to find unauthorized usage and related threats.
- Communicate with employees to find the apps they want to use, so IT can then make recommendations for approved apps, with similar functionalities, that are more secure.
2. Analyze Traffic
When remote workers use unsecure devices, IT needs, in place, ways to analyze network and application traffic. Otherwise, malware and viruses can slip through undetected. Attacks at the application layer are using app or protocol vulnerabilities to penetrate web servers, voice services, or other entry points. Network threat detection tools can spot suspicious behaviors at various endpoints, so companies can better protect themselves from devices that have little or no built-in security. If an endpoint is not behaving properly, the security team can slow down and/or prevent a breach that can lead to malicious attacks.
Companies also need zero trust architectures in place that treat every device as a threat and help them spot malicious traffic. With a zero-trust network access (ZTNA) policy in place, firms can require all users to be authenticated, authorized, and continuously validate security configurations, before giving access to applications and data. Firms can also better manage employee access, by preventing “over-privilege”, a common condition where staff receive broader access than is required to do their jobs, and make sure that unmanaged devices can get access to corporate resources safely and securely.
3. Build At-Home Specific Training Content
The typical worker that’s transitioned to their home office is not an IT expert. An obvious statement, but one that deserves repeating because it points to a pressing need for education for remote workers. If they spent the past 10 years in a traditional office, then they were protected on the back-end by the entire security apparatus. At home, they need training to understand how to use the right platforms and ways to reduce risks. Allowing work-from-home to continue means training is a must. This should include guidance on how to:
- Access the corporate VPN
- Understand and avoid phishing and smishing schemes
- Employ strong password and MFA practices
- Avoid unsecured Wi-Fi networks
- Use internet searching responsibly
Training sessions should also highlight the dangers of internet searching. Remote workers tucked away in a home office are more likely to visit questionable content and sites. An April 2020 report from Kaspersky found an alarming 51% of remote workers used their company devices to access “adult content.” These types of sites are often filled with viruses and malware. Companies can thwart these threats by mandating the usage of safe search platforms like GOFBA that actively block pornographic sites, violent content, and other inappropriate sites.
Remote work is here to stay. Security departments must transform their operations for this new reality with enhanced training, expanded apps for collaboration and access, and traffic analysis to keep workers and the company safe and secure.