3 Threats to Your Remote Workers’ Data
It’s common now for employees to work remotely – so much so that many of the traditional workplace operations have been altered, seemingly forever. Now, most teams converse through Slack, Microsoft Teams or other real-time chat and collaboration applications. Skype, Google Meet or FaceTime are used for meetings, and people work on documents simultaneously via Google Docs or Office 365. Instead of walking by your coworker’s cubicle, you need to check his online status.
Just look at the numbers to see how these operational changes have taken place across the corporate landscape: Fifty-two percent of global employees now work remotely at least one day per week and 85 percent of U.S. companies allow workers to be remote, according to Owl Labs’ 2018 Global State of Remote Work.
It is not surprising that younger workers, as part of a generational shift that thrives on independence and flexibility in their employment situation, desire to work on their own terms. But the result is that companies are being forced to change their policies so that all employees can take advantage of working remotely. Even for senior employees, who have traditionally commuted to work, this is a boon, because it allows for greater work-life harmony, with more time spent with family or on personal endeavors, and an easier transition out of the office in the years leading up to retirement.
This trend helps the bottom line, especially for startups and businesses that require skilled workers who may not be locally available. Companies can save money on real estate by having smaller offices in some cities that result in lower lease costs, or by outsourcing to collaborative workspaces like WeWork. Some managers are even offering remote working as part of the hiring incentive package along with other HR benefits.
Even a Stanford professor found, as reported by Inc.com, that remote workers are more efficient and more engaged and report higher job satisfaction.
Of course, as remote working brings benefits to businesses, it also brings risks – specifically, risks to corporate data management. Those risks can be mitigated by stronger IT security policies and practices and by a strong emphasis on cyber security employee awareness and education. Below are three important – but by no means exhaustive – areas to consider to better protect your corporate data:
Open and Public Wi-Fi Networks
Remote employees enjoy the flexibility of working from many different geographies and locations – including away from a home office. They may be on laptops in cafés, in a coworking space, on buses, trains and even at the beach or a wilderness campsite. Because of this flexibility in location, remote workers are constantly accessing corporate resources via public networks where security has not been vetted, and thus should not be trusted.
To protect the organization, there are several precautions that should be taken to ensure that corporate data stays safe even when using a public network (e.g., public Wi-Fi or a community tethering device):
- Use a virtual private network (VPN): A VPN secures traffic within an encrypted session and thus protects information flowing over a public network. Indeed, using a VPN is a best practice in general and should even be used at an employee’s home office when accessing critical corporate information. Usage of a VPN should be outlined in the company’s IT policy, and the installation, management and oversight should be performed by the internal IT and/or security team, as VPN configuration is critical to ensuring a high degree of protection – especially when used over a public network. Ensure your team members understand how and when to properly use the VPN before they access any unknown network.
- Skip the public Wi-Fi and use a puck: It’s best to avoid jumping onto an open or public network and instead rely on your own pocket to carry you to the internet. Personal Wi-Fi hotspots (e.g., Wi-Fi pucks) are easy to obtain, as all the major carriers and many of the mobile virtual network operators offer them. They are inexpensive and use strong security. Plus, Wi-Fi pucks are small – even the size of a USB key – and give you access (sometimes for several devices of your choosing) to the internet via the provider’s mobile cell network. When using public Wi-Fi without a personal hotspot device, remote workers run a high risk of having their web traffic snooped on (e.g., by malicious actors using tools such as the Pineapple Tetra).
- Access control and multi-factor authentication (MFA): All companies should limit access to digital corporate resources using the concept of “least privilege.” That means that employees are granted access only to the files and systems that are essential to their roles and responsibilities. For example, some users may need read-only access to certain reports, but not editor- or administrator-level access. Along with following the principles of least privilege, all remote users (really, all users) should use multi-factor authentication (MFA) to connect to corporate resources. Tools such as authenticator apps or workflows that allow employees to receive temporary access codes via text messaging greatly decrease the chance for malicious actors to gain access to your data.
Single Device for Both Work and Personal Use
Few people are willing to lug two laptops or phones so they can use one for work and the other for personal needs. That means employees are mixing the use of their devices, so company and personal email, photos, app content and calls (e.g., Skype or FaceTime) are managed on the same device. The convenience of using a single device for both work and personal needs is too great for the trend to be fleeting and for workers to revert to using two or more separate devices. And in general, this instant access has enhanced the workplace, vastly increasing efficiencies and allowing coworkers to stay in contact whenever necessary. So it behooves companies to find ways to allow the use of a single device.
However, that means that when employees go to personal events such as concerts or weekend road trips, company data also goes along. If company data is in locations and situations where it is unprotected, that data is ripe for access by bad actors – especially if stored on a personal device, which would likely have fewer security measures enabled than a company-issued device.
To balance the convenience of using a single device for personal and professional needs, companies can rely on mobile device management (MDM) solutions. Modern MDM platforms and software protocols, such as Microsoft Intune and EAS, respectively, can help safeguard employee devices and protect against data loss. Those MDM solutions should consider the following:
- Configure MDM based on roles balanced by personal needs: The principle of least privilege applies here too – employees should have access to only those corporate resources necessary to fulfill their job duties. MDM software can also be configured so unnecessary or company-blacklisted apps, such as applications with known vulnerabilities, cannot be installed on the device.
- Establish standard security policies: As a condition to access corporate resources via personal devices, organizations can require security measures such as device encryption, password complexity and security timeouts. Furthermore, employees should sign a contract agreeing to such standards upon being hired and before being granted access.
- Establish that the company can remotely access, control and wipe the device: Create a policy stating the company controls all company data, and note that an employee’s device can be wiped at the company’s discretion if the device is lost or stolen. Modern MDM platforms can be programmed to only wipe corporate data, so the employee needn’t worry about losing personal data in case the company data is wiped/removed.
The best defense against malicious attacks and data loss is an educated workforce. Thus, all employees, regardless of position or level of responsibility at the company, should be trained on safe cybersecurity practices. Employees should be able to recognize suspicious activity and alert someone who can handle the threat. Training should be part of the new employee onboarding process and repeated at least yearly. Plus, information about system vulnerabilities or other areas of security concern should be distributed to your team as soon as it becomes known.
A strong corporate information security program should encompass:
- Understanding internal and external threats
- Educating about new hacks against new or existing technologies
- Incorporating strong passwords and MFA, why they’re important and how they help
- Being smart and using common sense while online
- Keeping security top-of-mind through ongoing training
Companies may very well find themselves needing to adjust quickly to the remote worker phenomenon, and stronger security measures and employee education will help ensure both individual and company data stay safe.
Alon Israely, Esq., CISSP, has been a part of the founding of several successful companies in the legal technology space including the premier services firm, BIA and most recently as a co-founder and CEO of TotalDiscovery, an industry-leading SaaS application for managing legal holds and discovery obligations. Today, Alon works with BIA and other legal services companies to consult with corporations and law firms on critical issues related to information security and data privacy. With over 20 years of experience in a variety of advanced computing-related technologies and areas, and as a member of the Sedona Conference and several digital forensics organizations, Alon stays on the cutting edge of new technologies and helps continue to lead the industry in driving secure, legally defensible methods and practices used by enterprises and the government to securely manage the complex requirements of document preservation and discovery.