1. Remote working has become part of “business as usual” for companies of all sizes and sectors around the world. The shift away from the old office-based working paradigm brings with it a need for companies to revisit approaches to cybersecurity which may have been built on outdated assumptions from an earlier era.
2. Business leaders must guard against both deliberate and accidental cybersecurity threats while ensuring that the policies they institute are realistic and compatible with normal working practices and productivity goals.
3. Corporate cybersecurity policies and practices may need to flex or change entirely when employees are located outside a traditional office environment. Home working, or working from any location beyond the employer’s control and/or with equipment not supplied or serviced by the employer, carries its own attendant cybersecurity risks which must be managed.
4. Good practice and sensible investment in IT hardware and software can support an effective approach to cybersecurity for remote workers. With the right tools, systems and knowledge for creating, storing and communicating data, workers are more likely to be able to maintain the level of security required by their employer.
5. While tools and systems are important, insider cybersecurity threats are more common than external attacks. Considering human factors is therefore also vital. The majority of insider cybersecurity breaches are reportedly a result of carelessness and negligence, perhaps caused by stress, or by staff skipping or overriding security processes for convenience or to avoid slowing down workflows.
Whether a workforce is flexibly located, static-hybrid or fully virtual, the latest trends indicate that remote working is here to stay following the pandemic boom of 2020-21. Business leaders will need to make sure they grasp the challenges and risks of cybersecurity for remote workers and are able to address them in the context of their own business plans.
Good practice in cybersecurity is underpinned by robust company policies, effective staff training and availability of the right IT tools and systems to carry out work securely and productively. Where all or part of the workforce operates remotely for any amount of time, a company’s cybersecurity policies, training and IT equipment provision must factor in the influence of remote working.
What are the cybersecurity risks and challenges of remote working?
From an employer’s perspective, remote working environments tend to be less controlled, less consistent and therefore less predictable than a fixed office environment. Increasing rates of remote working go hand in hand with a rising risk of insider cybersecurity breaches from multiple sources, for example:
1. Insecure WiFi networks
In dedicated company offices, there will normally be a centralized and secure WiFi provision for use by all staff on-site. The company will have selected an internet service provider (ISP) that meets its IT needs and cybersecurity requirements, and provision will be delivered via equipment which can be easily approved and checked by IT security colleagues or an external contracted service.
In a home office set-up, or when working from other remote locations, employees may use a range of WiFi connection options, some more secure than others. Coffee shop, hotel or airport WiFi is often unsecured. This opens up the possibility that third parties could access or hijack a remote worker’s connection, allowing them to view confidential work, or even log in using the remote worker’s credentials.
2. Work from personal devices
Networked computers in a company office will generally have core cybersecurity tools installed by default, with updates and system checks running automatically. Personal devices may not have this same high standard of cybersecurity protection, leaving them less able to recognize and neutralize cyber attacks, unauthorized access to systems or the unauthorized release of confidential material.
3. Lack of firewalls
Home workers are unlikely to have an enterprise-grade firewall set up to protect their domestic network and are more likely to use consumer-grade routers provided by their ISPs. In other remote locations, protection could be even weaker. While employers can provide a secure virtual private network (VPN) for their remote workforce in order to make sending and receiving data safer, mandating log-in to the VPN is hard to enforce.
4. Personal data processing
Remote working can be a particular challenge for companies who carry out personal data processing and need to ensure that their ways of working are compliant with local laws on this issue. In the EU, the General Data Protection Regulation (GDPR) governs how personal data should be stored and handled. China, Brazil and many other countries have their own similar regulations. Companies must be sure that they are compliant across all geographies where they operate.
5. Third-party access to data and equipment
Homes, cafés, hotels and other possible remote working locations are all frequented by individuals who are not authorized to access the data of the remote worker’s employer. Visible screens, audible calls, unlocked and unattended devices or passwords written on pieces of paper could all therefore be sources of cybersecurity breaches. Sharing working devices with family members may also be an insecure practice.
Cybersecurity best practices for remote workers
Taking on board expert cybersecurity recommendations for remote working and observing best practice among remote workers themselves can help to mitigate cybersecurity risks. Key areas to consider include:
- Corporate policy: Strong remote cybersecurity begins with a clear and robust company cybersecurity policy which integrates remote working requirements and risks. This should be developed in consultation with cybersecurity experts and employees to ensure that it is fit for purpose and compatible with standard working practices, equipment and systems. Employees should familiarize themselves with the policy and commit to working within its parameters.
- IT hardware and software: Cybersecurity is likely to be stronger when all employees, including remote staff, work on company-issued devices which are compatible with cybersecurity needs, updated with the latest anti-malware software, and checked to ensure functionality is maintained in tandem with use of firewalls and VPNs. In firms with lower cybersecurity needs, guidance on secure use of personal devices may be sufficient.
- Internet connection: Best practice is for remote workers to always connect to the internet using a hardware or software VPN. If enforcement of this rule proves difficult, business leaders should consult staff to find out why. If VPN use is causing slow working speeds, dropped connectivity and reduced productivity, IT leads should review the equipment, software and specific VPNs provided in order to remove any blockage.
- Data storage: Secured cloud storage provides a simple, accessible and safe information management solution for many companies. Having data in the cloud reduces the chances of remote workers needing or wanting to download sensitive material onto local drives or personal devices, creating possible sources of future cybersecurity breaches. Highly sensitive or confidential material may be stored separately on dedicated servers with different remote access rules.
- Unknown devices and dongles: Unknown USB sticks, drives and devices can be a source of computer viruses, tracking apps and other malware. From a single laptop, a cybersecurity breach can quickly spread into full IT systems. Remote workers should never connect suspicious devices to their work devices.
- Training: Cybersecurity training should be mandatory for all employees, including remote workers, and refreshed regularly to include emerging cybersecurity challenges.
- Systems maintenance: Company IT leads should carry out regular cybersecurity monitoring and maintenance across corporate systems. They should be alert for signs of unauthorized remote systems access, suspicious software installation or unusual data download and upload patterns. User access should always be removed once an employee leaves the company or role.
- Third-party awareness: Remote workers should be mindful of the potential for their screen display or work calls to be observed by third parties, especially when working in public places such as cafés, hotels or airports. Companies handling confidential or sensitive data may want to institute additional rules on permitted remote working locations, or device sharing with family members, with these risks in mind.
Work from home security checklist
A checklist can be a useful tool to guide business leaders and remote workers through the complexity of working securely from home or in other remote locations. In developing their own tailored corporate checklist, business leaders should consider questions including but not limited to the following:
1. Does the company have a clear and robust cybersecurity policy and simple guidelines which integrate both on-site and remote needs and risks?
2. Does company on-boarding for remote workers include cybersecurity training covering core areas such as password protection, multi-factor authentication and carrying out regular software updates?
3. Is the company using the latest and most appropriate firewall, VPN and anti-malware solutions for its needs?
4. Do employees have secure access to the best tools for working remotely?
5. Are account lockouts in place to disable systems access after multiple failed authentication attempts or suspicious activity?
6. Is remote and on-site systems access regularly monitored to identify any unauthorized activity? Are permissions regularly updated to reflect joiners / leavers?
7. Are the company’s servers or cloud storage areas appropriately secured (e.g. not publicly accessible; only visible to users with the correct permissions)? Is confidential or sensitive information clearly marked and stored with any additional protections necessary?
A final word…
Horizons has extensive experience helping international companies address the challenges and risks of the fast-paced modern business environment, including around cybersecurity. From informal advice, or use of our integrated HR and payroll solution, to remote recruitment and staff management across whole organizations, Horizons can help your company grow and succeed while remaining fully compliant in new and existing markets. Call us today for a tailored quote.
Frequently Asked Questions
How do you maintain cybersecurity for remote workers?
If any of your employees work remotely then this needs to be reflected fully in your company’s cybersecurity policies and practices, including around risk management and compliance with relevant data protection regimes. The equipment, training and systems required for secure remote working are not necessarily the same as those for an entirely office-based workforce.
What are the cybersecurity risks of working remotely?
When working remotely, staff may be using personal devices connected to domestic and/or unsecured internet. This means that they are unlikely to be working with the full range of firewalls, anti-virus software and other tools which can help to prevent cybersecurity attacks and breaches. While employers can provide virtual private network (VPN) access to keep data secure, it is hard to enforce VPN use across a remote network.