Remote work has become increasingly popular in recent years thanks to advances in technology that have made it easier for people to work from anywhere. When the pandemic hit in 2020, many organizations and their employees realized the benefits of offering remote work.
While there are many benefits to working remotely, it also presents unique security challenges that organizations must address in order to protect their data and networks. Overall, a remote work environment has an increased attack surface. Organizations must ensure the security of remote access to sensitive information, protecting against cyber threats such as malware and phishing attacks, and maintaining the physical security of remote employees’ devices.
Let’s take a look at some top cybersecurity risks for remote work.
1. Phishing Scams
In 2020, attackers took advantage of the global pandemic anxiety and sense of urgency around COVID-19 and launched phishing and social engineering campaigns that proved to be highly successful.
Phishing emails were seen leveraging the COVID-19 vaccine rollouts to steal credentials and to distribute malware. The emails provided a link to fill out a form to receive the COVID-19 vaccine – once a user clicks, they’re redirected to a phishing landing page that asks for their email address and password.
Even as the urgency around COVID-19 dissipates, phishing campaigns are continuing to be more successful in a remote environment. Not only are remote workers more dependent on email for communication, but they are often more prone to making mistakes when it comes to cybersecurity hygiene. In an office setting, for example, employees could more easily check to see if a colleague had sent a questionable email by strolling over to his or her desk. That, combined with the fact that remote employees work outside the highly controlled company network — often on personal devices — can make phishing attempts more successful.
What You Should Do: This highlights the importance of end user training, which should include the how to spot a phishing email and the process for reporting security incidents to the IT team.
Remote and hybrid workplaces naturally lend themselves to the bring your own device (BYOD) trend, as employees appreciate the flexibility of accessing work-related software and files on their personal devices. Plus, BYOD can improve productivity and even save money for organizations. A study from Cisco compared organizations with company-issued cell phones to BYOD companies offering cell phone service stipends and found that the BYOD companies saved between $300 and $1300 per year per employee.
However, BYOD can introduce security risks. Rather than use a controlled corporate network, employees often use their unsecured home Wi-Fi networks — or even public Wi-Fi — which can be susceptible to man-in-the-middle attacks. IT teams may have difficulty overseeing the locations from which remote workers are logging in, making it easier for international cybercriminals to launch cyberattacks.
When a workplace doesn’t officially support BYOD, it often leads to instances of shadow IT, in which employees use or install software — whether on personal or company devices — out of convenience but without permission from IT teams. This can bring up animosity between end users and IT teams, as well as create security gaps due to a lack of IT visibility and control.
What You Should Do: A BYOD security policy can support employees that want to use their own devices while maintaining some control from IT. A detailed policy should include security best practices and answer questions such as:
- What happens when an employee leaves the company?
- What requirements should employees meet to ensure they’re creating strong passwords?
- What apps and assets are employees allowed to access from their personal devices?
- What are the minimum security controls required for devices?
The rise of remote work directly correlates to a spike in ransomware attacks; in 2020, ransomware increased by 311%. Today, ransomware continues to hit organizations across different industries – including healthcare, manufacturing and education, using different techniques designed to carefully evade most security software.
A remote environment is a perfect target for ransomware for a few reasons. IT and security teams have lower visibility, making it more difficult to detect signs of an attack. Since employees tend to use smartphones for both their personal and work lives, threat actors can more easily access credentials by targeting employees through social media platforms, SMS, and third-party messaging apps.
What You Should Do: Be aware of the signs of a ransomware attack so you can detect and respond to those suspicious behaviors. Threat actors use a variety of tools like Cobalt Strike and Mimikatz to steal credentials and move laterally through an environment. They also use native Windows tools like PowerShell, Windows Management Instrumentation (WMI) and Remote Desktop Protocol (RDP) for lateral movement.
4. Unsecured Access To Corporate Networks
For a fully remote workforce, IT teams turned to virtual private networks (VPNs) to support secure remote connectivity to organizations’ networks and resources. However, that means access security is sometimes overlooked in the process.
Identity providers offer multi-factor authentication (MFA) to add a second layer of security to logins to stop attackers from gaining access to networks and data using stolen VPN credentials.
Meanwhile, endpoint security for remote workers’ devices is a common concern for IT teams as their workforce increasingly uses unmanaged, personal laptops, phones, tablets, etc. to connect to networks as they work from home. The lack of visibility and control over the security posture of those devices can introduce risk to corporate networks in the form of malware, unpatched software, rooted devices and more.
What You Should Do: Endpoint detection and response (EDR) solutions can help you gain visibility into indicators of a compromise across devices in order to take action and/or notify users of device security issues.
5. Identity-Based Risks
Organizations continue to struggle with the risks presented by stolen usernames and passwords. Attackers use techniques like password spraying, phishing, brute-force attacks and more to gain access to systems, inboxes, applications and more with malicious intent.
Password spraying is when attackers try out a large amount of usernames with a single password, which helps them avoid triggering password lockouts and helps attackers uncover weak passwords targeting specific user accounts.
The move to a remote workforce has translated to a rapid adoption and shift to using cloud-hosted infrastructure and productivity applications like Microsoft Office 365 or Google’s G Suite. Microsoft Active Directory (AD) is a point of weakness for organizations, with service account access to authenticate to Office 365 and Azure Active Directory. Many accounts lack proper security, with poor password policies and no MFA.
What You Should Do: Implement strong passwords and multi-factor authentication, and consider a detection and response platform that actively monitors for Microsoft 365 threats. (You can get started with Blumira’s Free Edition to monitor Microsoft 365 threats at no cost!)
Software that enables remote work can be susceptible to vulnerabilities. VPNs can be targets for VPN hijacking, man-in-the-middle attacks, malware, DNS leaks, and more. Pulse Connect Secure, a popular SSL VPN solution, had a zero-day vulnerability in 2021 that enabled threat actors to steal credentials and provide backdoor access to compromised networks. As of December 2022, over 4,000 vulnerable Pulse Connect Secure hosts are still exposed to the internet.
Most organizations have Microsoft environments, which makes Windows an attractive target for attackers. Microsoft Exchange Servers have been particularly vulnerable; in 2021, a China-based attacker group called Hafnium targeted over 400,000 unpatched on-premises servers by exploiting multiple zero-day vulnerabilities to access email accounts, and then installed malware — gaining access to over 30,000 organizations in the United States.
What You Should Do: Once a patch is available, prioritize installing it as soon as you can. Stay on top of emerging vulnerabilities by watching out for vendor emails and keeping abreast of security news.
7. Unsecured File Sharing
Remote organizations rely heavily on file sharing, but sharing company data can be risky without the proper security controls. A study from OpenText revealed that over half (56%) of employees in the U.S. use personal file sharing systems for work-related matters — regardless of whether or not they’re allowed to.
What You Should Do: Cloud-based file sharing can keep company data off of workers’ devices, and encryption can protect sensitive data. In addition to encrypting files on a network or server, it’s also important to encrypt files that are transferred from one person to another.
Best Practices To Mitigate Remote Work Security Risks
Prevent, detect and respond to these types of attacks with a few key best practices:
- Implement MFA everywhere – Prevent identity-based attacks like phishing, brute-force, and the risk of attackers gaining access to your systems and data using only stolen credentials by implementing two-factor authentication across every account, especially VPNs for secure remote access.
- Detect early, prevent ransomware infection – Detecting risks and threats early and often can enable you to respond faster to indicators of an attack that could lead to ransomware infection.
- Monitor your environment – Integrate a detection and response platform (like Blumira) broadly across cloud applications, identity providers, endpoint security, Windows servers, productivity applications, etc. to detect exploited vulnerabilities, privilege escalation, password spraying, anomalous logins, the use of hacker tools and more.