
Homeworking isn’t dead, argues Jon Abbott at ThreatAware, but hybrid workforces are riddled with security gaps
Despite growing calls from companies such as Amazon and JPMorgan Chase for workers to return to the office full time, remote working isn’t going anywhere. The latest figures from the ONS found that 13% of UK workers are based entirely at home, while another 27% use a hybrid model at least some of the time.
However, while many companies still see the benefits of flexible working, they often fail to account for one of the major drawbacks: it only takes one misconfigured, unmanaged or unprotected device to create an open door to cyber attackers. Unless companies have full visibility of the security controls in place across increasingly fragmented IT estates, they are leaving themselves wide open for a serious breach.
With around 40% of the UK workforce spending at least some time logging in from outside the office, organisations must ensure their staff have the same level of cybersecurity regardless of where they are and which device they use.
This month marks five years since COVID transformed the face of remote working, yet an alarming number of companies still rely on policies that have barely been updated since. As such, remote security strategies often do not match the reality of the company’s IT estate. In fact, we find that companies typically discover at least 10% of their total devices lack proper security controls.
This is particularly prevalent when remote work is combined with BYOD (Bring Your Own Device) policies. Company-issued machines can generally be counted on to have similar levels of control and oversight regardless of where they are being used. For personal machines, on the other hand, there is typically much less visibility into what is being accessed, and they may even be completely out of the scope of the security team.
Shadow IT is also a more prevalent factor in remote work, as employees are typically more relaxed about installing applications in their own homes than they would be in an office environment.
We have found that around 20% of employees frequently access sensitive corporate data from personal devices with little or no security controls. Companies often assume that browser access policies and basic device checks are sufficient, but this isn’t enough in the face of threat actors actively looking for a way into the network.
Even if company-issued machines are well protected by EDR and other security tools, unsecured devices with access to critical data provide attackers with an easy way to bypass other defences.
The common blind spots around BYOD devices are unusual when you consider how concerned most industries are about other devices like Internet of Things assets. There’s a growing level of awareness about the risks of allowing rogue IoT devices to access the network, so why permit unprotected personal laptops?
There is typically a combination of budgetary and behavioural factors at play. First, BYOD is an attractive proposition because companies don’t have to buy more devices. This is especially appealing in a remote or hybrid situation where employees could be considered fully self-sufficient – at least on paper.
We also find executive pushback to be a common root cause of poor remote security. Senior leaders may prefer to use their personal Macs or other types of devices outside the company’s usual stable, making strict policies unpopular. This often leads to inconsistent enforcement, where temporary exceptions inadvertently become permanent gaps.
There also tends to be a false sense of security, with IT teams assuming that implementing limited access policies means there is low risk. However, while this may address certain risks, it doesn’t stand up to more advanced threats like keyloggers and other malware establishing persistence on the machine.
Improving remote working security requires the right tools and processes, supported by a cultural shift and strict policy enforcement. In terms of technical capabilities, assessing device security levels needs to be done continuously and in real time. Regular audits are important, but these will still leave windows of opportunity for threat actors.
Organisations must have a continuous view of all their assets: where they’re logged in, by whom, what software is installed and what it can access. All of this contributes to a continuous risk assessment. Any vulnerabilities must also be addressed quickly through automated remediation, rather than waiting weeks for the next security review.
Further, it’s important to deliver this visibility through an application-based approach rather than traditional asset tracking. It’s a good idea to move away from agent-based or on-premises scanners, as they do not provide an accurate picture of security risks.
Rather than trying to manually track device activity, focus on how applications are being used and what they are trying to access. Alongside this, it’s essential to verify unique identities, ensuring there are no duplicate records creating an inaccurate impression of risk.
You could be doing asset management every hour of every day, but if you’re using the wrong technology, you’re going to be getting the wrong answers. It will also leave critical gaps in tracking ‘stealth’ devices; those that are unmonitored and unmanaged but can still access critical corporate assets.
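As an added illustration (not code from the article or from any ThreatAware product), the sketch below reconciles application sign-in records against MDM and EDR inventories, collapsing duplicate records for the same device and flagging ‘stealth’ devices that reach corporate applications without appearing in either inventory. The record layout, serials, hostnames and users are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions for this example.
SIGN_INS = [
    {"serial": "c02xk1abjg5h", "hostname": "CEO-MacBook", "user": "ceo", "app": "mail"},
    {"serial": "C02XK1ABJG5H ", "hostname": "ceo-macbook.local", "user": "ceo", "app": "finance"},
    {"serial": "PF3A9K2L", "hostname": "LT-0142", "user": "asmith", "app": "crm"},
    {"serial": "5CD1234XYZ", "hostname": "LT-0207", "user": "bjones", "app": "hr"},
]
MDM = [{"serial": "PF3A9K2L"}, {"serial": "5cd1234xyz"}]
EDR = [{"serial": "pf3a9k2l"}]


def device_key(record):
    """Normalise the serial so one physical device maps to one identity."""
    return record["serial"].strip().upper()


def reconcile(sign_ins, mdm, edr):
    """Return {serial: {"users", "apps", "missing"}} for each device seen signing in."""
    controls = (("MDM", {device_key(r) for r in mdm}),
                ("EDR", {device_key(r) for r in edr}))
    devices = defaultdict(lambda: {"users": set(), "apps": set()})
    for rec in sign_ins:
        entry = devices[device_key(rec)]  # duplicates collapse onto one key
        entry["users"].add(rec["user"])
        entry["apps"].add(rec["app"])
    for key, entry in devices.items():
        entry["missing"] = [name for name, known in controls if key not in known]
    return dict(devices)


def stealth_devices(report):
    """Devices that reach corporate apps but appear in no control inventory."""
    return sorted(k for k, v in report.items() if v["missing"] == ["MDM", "EDR"])


if __name__ == "__main__":
    report = reconcile(SIGN_INS, MDM, EDR)
    for serial, info in sorted(report.items()):
        print(serial, sorted(info["apps"]), "missing:", info["missing"] or "none")
    print("stealth:", stealth_devices(report))
```

Keying on a hostname instead of the normalised serial would count the first device twice and understate how much data it touches.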
On the cultural side, it must be understood that all devices accessing the corporate network are subject to the same level of security controls. Regardless of the seniority of the user – even if it’s the CEO who prefers to use their personal Mac to log in to check emails at home – there should never be any exceptions.
You don’t decide to just occasionally not wear a seatbelt in the car because it’s easier, you put it on every time just in case. It should be the same mentality with device security. When someone makes an exception, it inevitably stays open because they forget to close it. That’s how security gaps appear.
Logically, there isn’t really any reason that you would ever want a non-managed device to access corporate data. The risks far outweigh the benefits. So, this needs to be enforced through strict identity and access controls that allow only approved, corporate-managed devices to access the network. This can be achieved through multi-factor authentication (MFA) and conditional access policies that verify device health before access is granted. Devices that fail to meet the standards must have their access revoked.
While we are seeing more calls for the return of full-time on-site working, it’s unlikely that there’ll be seismic shifts in remote work patterns. And even for companies that are pushing for return to office mandates, the problem of visibility and control remains, as many employees will still be logging in from home in the evenings or on certain days.
That means remote security still needs to be a security priority. Whether it’s a hybrid working model or the occasional remote login to manage travel, any level of remote access or BYOD must meet the same strict standards as on-site work. With threat actors on the hunt for any shortcut into the corporate network, any gap is an unacceptable risk.
Jon Abbott is CEO at ThreatAware
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543