Work from home, the new reality

December 17, 2020

As many countries are dealing with the re-opening and, in some cases, re-closing of their borders in the wake of the COVID-19 pandemic, the concept of remote-work or Work from Home (WFH) is garnering more interest from organisations. Faced with the new reality, both employees and entrepreneurs are resorting to WFH or telecommuting to push their way through 2021 and beyond.

According to a Global Workplace Analytics survey carried out among 3,000 employees working remotely during the pandemic, it was noted that 73% are very successful when working from home, 86% say they feel “fully productive” working from their home office and 76% want to continue working from home at least 2.5 days per week, on average. A separate study conducted by Owl Labs showed that employees prefer remote working as they spend less time commuting to and from work, and the work-life balance has made them more productive and focussed as shown in the graph below:

[Figure: Survey on reasons why employees prefer to work remotely]

New reality means new challenges for Cybersecurity

Adopting WFH brings challenges, as it exposes companies to greater cybersecurity risk: they are more susceptible to phishing and malware attacks, which exposes their business to multiple cyber threats.

The following are the different cybersecurity threats/challenges that companies are currently facing:

  • The attack surface has greatly increased with more users connecting to the network from outside the company; the network is no longer closed. Also, there has been increased cybercriminal activity, as evidenced by a 131% growth in virus attacks and about 600 new phishing attempts every day when the pandemic started [Source: Threat Post].
  • Cyber attacks are also evolving in size and sophistication. In the beginning, phishing attacks were directly related to COVID-19 (including ones purporting to be from the Centres for Disease Control & Prevention). Later, these attacks centred on stimulus packages and unemployment insurance, before evolving into subjects like vaccines and the stock market. Attackers are not only using email for these attempts but also online ads, mobile apps and other tactics.
  • Most companies have stringent security testing to make sure that their corporate network is secure, and have the required security expertise, systems and tools to check for and protect against suspicious network traffic. Conversely, many home networks are set up by the end-users themselves, using the router supplied by their Internet Service Provider without any advanced security system. This means that the home network is typically not securely configured, as it does not have the safeguards available on corporate networks.

So, how can we mitigate those risks?

Proposed Solutions

It is of utmost importance for companies adopting WFH to implement solutions based on people, process and technology in order to protect themselves from the increasing cyber risks and threats.

Process

From a governance perspective, companies should create a remote working policy. This will assist them in guiding staff through the challenges of working remotely, reducing the risks and ensuring the impact on productivity is minimised.

With the shift to an expanded Work from Home environment, the risk surface has radically increased for most companies. These changing circumstances justify a reassessment of the cyber security risks in order to prepare the IT and response teams for reprioritising their efforts to keep company data safe. A comprehensive risk assessment exercise should, therefore, be conducted to re-evaluate the company risk profile based on its work force moving to a WFH environment.

Devices issued by the company are generally set up to be very secure and when staff work remotely using company computers, the risk is lower than using their own devices, as long as all security settings remain in place and software continues to be updated regularly. Work devices incorporate strict security settings, good antivirus and safe software that is approved and pre-installed.

Finally, it is critical for the company to update and test its incident response procedure and playbooks. Companies need to specify how to react if an employee working from home has a laptop that is infected with malware such as ransomware: what should the employee do? Should he/she shut down the laptop? Or wait for someone from the IT department to collect and examine the device?

All these are possible scenarios, and responses must be defined beforehand, with detailed procedural steps clearly spelled out in the manuals to mitigate the consequences of attacks.

People

Ongoing security awareness training must be conducted to keep employees updated about the security risks they are exposed to and help them understand how these risks can impact business continuity and ultimately the company brand image.

Below are a few topic suggestions for the security awareness sessions:

  • Using a private home network as opposed to a guest network;
  • New types of Social Engineering like phishing and vishing;
  • Best practices for email and web behaviour; and
  • Home network device security.

Lastly, testing the effectiveness of awareness is very important, and the processes below help to reinforce it. Listed below are a few suggestions for reinforcing security awareness:

  • Perform phishing simulations;
  • Monitor the number of reported anomalies from users; and
  • Test awareness of guidelines for safe web browsing.

Technology

In terms of technology solutions, different controls can be implemented based on the following scenarios:

  1. Employees using their own devices to access the business environment.
  2. Employees using corporate devices to access the business environment.
  3. Employees using their own or corporate devices to access the company Cloud environment.

For scenario 1 (i.e. employees using their own devices to access the business environment), the suggested solution is to implement a Virtual Desktop Environment. This will accommodate an increasing number of remote workers. The user gets a desktop designed as per his/her individual profile, with access to only the required applications. Also, this system should have Multi-Factor Authentication (MFA) enabled.

This implementation offers numerous advantages, such as:

  • User access is tightly controlled;
  • Propagation of malware is more difficult; and
  • It is easier to contain incidents.

For scenario 2 (i.e. employees using corporate devices to access the business environment), the suggested controls are as follows:

  • Access given only through Virtual Private Network [VPN] with MFA enabled;
  • Install Mobile Device Management [MDM] on corporate devices with stringent policies enabled;
  • Controlled Internet access through web security;
  • Remote patching [or Virtual Patching] to be done for the devices;
  • Remote log monitoring to be carried out;
  • Conditional access to be enabled; and
  • Data Loss Prevention [DLP] to be enforced.

For scenario 3 (i.e. employees using their own or corporate devices to access the company Cloud environment), the suggested controls are as follows:

  • Have MFA enabled on the Cloud system;
  • Have conditional access enabled;
  • Have Cloud App security [preferably with sandboxing] enabled to scan for malware;
  • Have DLP enabled;
  • Harden the Cloud environment as per best practices; and
  • Enable advanced threat protection for email access.

It is important for companies to actively manage their cybersecurity when working remotely. While there are big changes affecting businesses at the moment, security should never be compromised and may, in fact, need more attention as we bed down our new ways of working. These tough times are making us stronger as we close the gaps and vulnerabilities in our company security, which is ultimately a good thing.

Even if organisations have created more flexible remote-work policies to better accommodate the needs of their employees in the short term, they must ensure that their teleworking strategies are robust and can support secure remote connectivity in the long term. In fact, remote work may be a bigger part of the corporate strategies of the future than was previously anticipated.