Many businesses switched to remote work during the COVID 19 pandemic.. Many businesses have decided to continue operating at least partially in this manner. Statistics show that 16% of businesses are 100% remote and 62% of employees aged 22 to 65 say they work remotely at least occasionally. By the end of 2022, the amount of professional jobs that are remote is expected to reach 25%.
There are pros and cons to remote work. Outside of the cybersecurity field, hardly anyone’s first thought on the subject is about how secure it is. Even though it may not be in the forefront of everyone’s mind, it is a very real factor that should be considered when a business decides to stay remote. This article is meant to provide a clear and concise breakdown of some of the biggest cybersecurity issues that arise due to remote working. However, should a company decide to stay remote, we also offer easy steps any company can take to make remote work secure .
Security Risks:
The rise of ransomware attacks
One of the most observable threats facing remote workers is the large increase in ransomware attacks over the past two years. Between 2019 and 2020 ransomware attacks grew by 62% globally and 158%n North America. The rapid growth in ransomware attacks continued in 2021 with a further 134% increase year over year. To make matters worse, the attacks have not only grown in number, but also in effectiveness. The average remediation cost for a company which had suffered a ransomware attack was $761,000 in 2019. This number more than doubled in 2020 to $1.85 million.
Not all of these ransomware attacks are due to remote work. Ransomware attacks were happening years before COVID 19. However, the increase in attacks since the switch to remote work shows that attackers are finding it exceptionally lucrative. And while all ransomware attacks are not caused by remote work, remote workers have made it easier for hackers. Israel Barak, the CISO at security firm Cybereason, says “The transition that we’re seeing to working from home has contributed dramatically to the rise in successful ransomware attacks. There are a lot more open doors to access networks now that employees are working remotely.”
These “open doors to access networks” are critical in understanding the issue at hand. Remote workers are removed from the safety of a central secure network. They have their own routers, devices, and networks. John Hammond, a cybersecurity researcher at the security firm Huntress, says “when you are working from home, you are not behind the castle walls any more. You are working with your own devices, away from the safe perimeter of corporate networks.”
What Happens After the Coalmine Canary Dies?
The cyber insurance industry has seen a lot of growth since 2016. During the last five years the take up rates in which businesses are electing to get cyber insurance remained relatively linear. Here is the percentage of eligible companies who decided to get insurance policies from the largest insurance broker between 2016 and 2021.
What did not remain linear during this time is the price of insurance premiums. Between 2019-2021 these premiums have skyrocketed with no sign of slowing. The driving force behind this can be attributed to increased risk. This risk stems in no small part from an increase in ransomware attacks, as well companies who have poor security looking for coverage.
A sharp increase in premiums can be seen in the latter half of 2019, right when companies were beginning to switch to remote work. To try to cull the rise of premiums, some insurance companies have stopped covering ransomware attacks altogether. Others have started to limit companies who can purchase their insurance to those who have a certain standard of security already implemented in their business.
Increased average time to identify and contain a data breach
An IBM report compared companies that had over 50% of their company working remotely vs those that had under 50%. On average, those with over half their company working remotely took 235 days to identify a breach and 81 days to contain it for a total remediation timeframe of 316 days. For those with less than half of their employees working remotely, it took 212 days to identify a breach and 75 days to contain it – a total of 287 days, or about 10% less time than those with more remote workers.
Source: https://www.ibm.com/security/data-breach
Hackers can smell blood in the water
It’s easy to place blame on a company that does not take proper security measures. It’s also easy to think, “better them than me”. But one thing to consider is that companies who are not adapting properly to security risks have impacts on all other businesses. Imagine an ecosystem, where if all companies’ security systems are strong, there are little issues. Attacks become less profitable. Insurance companies adjust to the minimized risk by lowering premiums. But when there exists many companies who don’t have strong security, the ecosystem is disrupted. Attackers smell weakness in the water and swarm.
With ransomware, a kind of negative feedback loop is created. Remote work opens up many opportunities for ransomware attacks to infiltrate a company. And because of this, nefarious groups begin to utilize ransomware attacks more often. As long as the attacks prove to be profitable, which they do, and security does not react to this threat accordingly, the volume of ransomware attacks will continue.
The rise in cyber insurance premiums is another area which is brought on in part by companies not having good security practices. Insurance policies are beginning to adapt to this, but in the meantime many companies can be priced out of getting insurance.
That being said, taking preventative security measures when switching to remote work does not have to be done out of an altruistic effort to protect other businesses. It is something companies should do to protect their own. These measures are both easy to implement, and inexpensive compared to the costs of cyber attacks, yet many businesses do not have them in place.
Preventative Measures:
Create a workforce culture that promotes security
Outside of the world of cybersecurity, not many people understand the severity of risks associated with a cyberattack. Companies therefore need to be the ones to create a work culture that values and promotes strong security practices. While most people might not understand the severity of cyber risks, this does not mean they aren’t open to and looking for guidance. Remote employees collectively feel less safe from threats (63%) than office employees (51%). Employees working from home are often, literally and metaphorically, left to their own devices. If they feel less safe, there is a good chance they are.
Educating employees on the real dangers of cyberattacks is an important step to making them take security seriously. To do this, it is important to give them clear and concise information. One option is to send cybersecurity newsletters and updates to employees. It is important to find a balance between bogging them down with these, and keeping them up to date on new security trends as threats evolve. Sending newsletters once a quarter could be a good compromise to this.
Even with proper education some attacks can get through. It is important to encourage employees to come forward if they expect they were targeted by a ransomware attack. Employees can feel intimidated and not want to confess if they feel they exposed the company to risks. If they feel they will be blamed, or even held fiscally liable, for the damages of an attack, they may think twice before notifying anyone. Early detection is crucial to stopping a potentially damaging cyber attack.
One example where stressing safe security practices to employees is important is in the use of personal devices for work. Sometimes employees use their personal devices because they don’t know better, and sometimes they do this because their employer encourages it. Bring your own device (BYOD) policies do have their advantages, but if this is utilized it is imperative companies make sure these devices are using proper security measures. This includes using an approved and secure VPN, as well as password protections.
In other cases, employers may supply IT issued devices, but remote employees decide (against company direction) to still use their personal device. This is the most dangerous scenario, as their devices will not be set up with proper security. While they may think it is more convenient to send a quick email from their phone, they likely are not thinking of the serious consequences that can come from this. This is where a security focused work culture is critical. By laying out facts to employees about the danger of personal device use for work purposes, they will think twice the next time they think of using their personal phone or laptop for work.
Offer employee training
Just as employees should be educated on cyber risks, they should also be trained on the best practices to prevent attacks. Not every company offers employee training and when they do it is often not effective. An example of important training employees should receive is how to detect phishing emails. 91% of cyberattacks begin with a spear phishing email. 94% of targeted emails use malicious file attachments. If employees can be trained to look out for suspicious attachments and links, the rates of cyberattacks for remote workers can decrease.
Training and educating work hand in hand. If companies can educate workers to not use their work email on personal devices (or use work devices for non-work related tasks), they will receive much less spam mail than they would otherwise. It is easier to spot a suspicious email among only work-related emails than it is to spot a suspicious email in a sea of emails sent by subscription services, or otherwise from non-work related sites which have collected your data and shared your email.
Another piece of training remote workers should receive is safe password security practices. This includes using a password manager (that uses advanced encryption), and having employees use multifactor authentication. Both can seem challenging to learn to less tech savvy employees. Unless shown how to do it and being required to do so, employees are more likely to assume they are safe using passwords as they always have. To highlight this point, a survey showed one third of employees stored their passwords on unsecure web browsers.
A company can provide their own training should they desire, but they can also find third party vendors who specialize in this. These vendors tend to focus on how to avoid ransomware and malware, both of which are big threats to remote workers. Whether or not a company decides to use a vendor, the large number of vendors available, as well as what they focus on training, are good indicators that employee training is becoming more and more important.
No matter how a company trains their employees, offering “live fire” practices to simulate cyber attacks are a good way to test how well that training worked, and how prepared your employees are. A survey of 1,200 employees who received employee training showed that 61% of them still failed a basic test. This large failure rate is why it is important to check for employee comprehension before assuming they are ready to work remotely in a safe manner.
Making sure your company gives employees access to up-to-date security technology
Employees can receive the best training and education in the world, but it will not matter if their company does not offer them the technology they need to stay secure. A secure VPN is critical for remote employees to operate safely. A headline-making example of poor security measures in a company is the Colonial Pipeline cyberattack. Hackers were able to get into the network due to a single compromised password. It was discovered that the VPN account did not use multifactor authentication, one of the easiest to implement prevention methods available. This caused many problems, including Colonial Pipeline needing to pay a $4.4 million ransom.
Cloud based firewalls are another technology that allow remote workers to have secure internet connections. The switch to remote work accelerated the rate at which companies moved to the cloud. A company may assume that if they are using the cloud, they no longer need a firewall. These firewalls protect data from reaching the public and allow remote workers to work safely from all over the world.
Conclusion
Remote working during the pandemic created many cybersecurity problems for companies. This way of working looks as though it is going to become more commonplace even after things start to get back to “normal”. As it stands, many companies are not adjusting to the threats remote work creates adequately. Should a company still decide to offer remote work as an option, additional cybersecurity measures should be put into place.
PeerWise is developing a remote work cybersecurity survey and we’ll be sending the results to respondents. If you would like to be sent that questionnaire, please send an email to kperez@getpeerwise.com.
Sources:
https://www.washingtonpost.com/business/2022/01/15/remote-work-omicron/
https://www.theguardian.com/technology/2021/jun/17/ransomware-working-from-home-russia
https://www.gao.gov/products/gao-21-477
https://www.cybersecuritydive.com/news/colonial-Joseph-Blount-ransomware-legacy-vpn/601523/
https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Leave a Reply