At the time of writing, COVID-19, aka the Coronavirus, was sending shock waves across the world. As well as affecting well over 110,000 people, so far, the virus has impacted businesses across the globe. Conferences have been canceled or postponed and major events shut down. One of the ways that governments are attempting to contain and delay the impact of the virus, is to quarantine infected areas. Businesses have made their own attempts to prevent infection by encouraging remote working.
To this end, many large tech companies have asked employees to work remotely: Google and Facebook allowed workers in the San Francisco Bay area and Ireland the option of remote working due to COVID-19. Banks, like JPMorgan and HSBC, are also offering a remote work option to ensure that employees stay safe.
Remote working was already an increasingly attractive option for many before the Coronavirus happened. A recent poll on attitudes towards remote working found that 99% of respondents would welcome the opportunity to work remotely at least part-time. Some have even said remote working, because of COVID-19, may be a turning point in how we approach work.
However, any change in working practices brings new considerations. In the finance sector, high value data compounds the security risks of home working. Here, We look at the type of risks that remote working presents and some ways to mitigate those risks.
Why Remote Working Opens Up Security Gaps
Wherever we choose to work remotely, be that a sofa at home, a home office or even a local cafe, we broaden our network connections. This is both in the digital sense, in terms of home-work connectivity and in the literal sense. Here are some of the ways that security gaps widen when we work remotely:
Out of sight out of mind
When bank staff work within the four walls of the office, we have a certain level of control over their use of technology. However, ‘Shadow IT’ is something that has entered the language of IT professionals the world over. Shadow IT describes how IT departments are losing control over tech spend, with individuals regularly using their own devices and apps to do company work. Cloud services are the most prevalent form of Shadow IT according to Cisco. Remote workers are exacerbating the Shadow IT situation as they need to collaborate across cloud infrastructures. This will likely increase the use of Shadow IT apps. The issue with this is these applications likely fall outside of the visibility of corporate security policies. Cisco research into Shadow IT has found that the ease of use of cloud-based apps for remote and collaborative working increases the cyber-attack surface.
Shadow IT does not have to be a bad thing. It can help improve productivity: A study by Entrust Datacard found that 97% of employees showed improved productivity if they were allowed to use preferred technology. Also, a remote workforce may depend, at least to some extent, on using their own apps. However, to maintain closer security controls you should ensure that security policies extend to cover employees’ own devices and apps.
Out of control storage
Part of working with devices and Shadow IT cloud apps is that the choice of data storage may be difficult to control. Remote working can result in a communication bubble or even closed communications. This can impact the lifecycle of data and where it ends up. Cloud storage is the obvious choice to ensure that data is placed in a known area that can be protected. However, enforcing the use of chosen storage is more challenging. Teams need to understand the importance of collaboration and how to work together using centralized cloud repositories.
Malicious employees are typically difficult to detect even within the confines of an office.
Restrictions on data sharing from devices can be potentially circumvented by malicious employees. In the privacy of their own home, a user could remove the hard drive from a work device and either mount it in another one or use specialist software to make copies. The result could be the theft of Intellectual Property (IP) or exposure of personal data.
Infiltration, Sniffing, and Eavesdropping
Once outside the corporate firewall, the traffic that is exchanged when emailing, texting, and generally sharing data, is at risk. Even home routers that are seemingly secure, are at risk of cyber-attacks. Research by Cisco-Talos, found that the malware, VPNFilter, targeted over half a million small office and home routers. Once infected, the routers were open to packet sniffing resulting in the theft of data and login credentials.
The use of smartphones for work is also a cause for concern. A 2019 study by Checkpoint, found a 50% increase in malware infecting smartphones. Infected apps include banking trojans that steal bank login credentials. Trend Micro found 85 fake apps on Google Play. The apps were infected with adware and installed over 8 million times. Malicious apps could result in stolen corporate login credentials too, especially if cybercriminals actively take advantage of the remote work situation re COVID-19.
If remote workers decide to work outside the home, perhaps in a local cafe, they may also be at risk of data communications being intercepted via Man-in-the-Middle (MitM) attacks. Fraudsters can also create ‘rogue hotspots’ under their control. These hotspot connections use social engineering to trick you into connecting via a malicious Wi-Fi account; often the rogue hotspot using the name of the cafe or mall you are working in or near.
Lost and found
Lost devices can result in sensitive data leaks. An example is AmberCare Corp., an employee losing 2,284 patient records when a laptop went missing. According to a report into mobile device theft and loss, around 69% are simply misplaced with 31% being stolen from cars, homes, etc. However, any loss of a device containing sensitive data should be a concern. Remote workers should have strategies in place to minimize this loss.
Data Security Compliance and Remote Working
Remote working can place a high burden on data security compliance. All of the risks that remote working brings to a company can impact your compliance with data protection and privacy regulations. Regulations such as the EU’s General Data Protection Regulation (GDPR) don’t stop just because someone is working from home to avoid COVID-19. Organizations must ensure they include remote work environments in any policies that cover data protection and privacy regulations. Data Privacy Impact Assessments (DPIA) should also extend to include remote workers. Strategies to manage remote working and regulatory compliance should include awareness of privacy as well as technological measures to protect data.
5 Tips to Secure Remote Working
As well as washing your hands to protect yourself against the virus, you can also follow a number of key tips to keep your remote work environment safe.
Tip 1: Security policy for remote working
Begin with a security policy that covers remote working. The effects of COVID-19 will hopefully not last too long. However, remote working looks set to be around for a while yet. If you offer employees a chance to work outside the office, it might result in more home workers in your company going forward. Remote working must be part of your overall strategic approach to security across your enterprise.
Tip 2: Security awareness training
Having a security policy that takes remote workers into consideration is one thing, but enforcing it is another. A recent report from Proofpoint found that 99% of cyber-attacks require human intervention. You should look at ways to minimize risks like MitM attacks and malware-infected apps. Much of this will come down to educating employees about the risks, such as using free Wi-Fi connections. Security awareness training is an important aspect of knowing that employees can be trusted to do the right thing outside of office controls.
Tip 3: Keep an inventory of hardware
One way to avoid hardware tampering or at least keep track of device changes is to keep an inventory of devices. Keep a record of the serial numbers of all the hardware installed on the device to ensure that devices are not tampered with.
Tip 4: Technology solutions
A number of technology solutions should be considered to help secure remote working. Some food for thought:
- A virtual desktop infrastructure can be useful to protect against malicious insiders removing hardware or replacing software
- A virtual private network (VPN) could help to protect users when they are not using a secure connection
- Hard disk encryption for laptops
- Anti-malware on all devices
- A software patch strategy that takes remote worker devices into account
Tip 5: Use a principle of least privilege across your cloud infrastructure
Tightening up access control measures can be a good way to minimize cyber-attack risk. Make sure that resource access is on a need to know basis. In addition, harden authentication in line with tighter access controls by using multi-factor authentication.
Finding the Positive in COVID-19 Remote Working
COVID-19 may be a worldwide health concern but we shouldn't let it become a security issue too. In certain areas, remote working may become the norm, at least for a while, if not for the foreseeable future. The financial sector has to deal with high value, sensitive data, that is put at greater risk in uncontrolled environments such as home working. However, if you know what type of security risks come with remote working you can put in place steps to prevent those risks from becoming a cybersecurity incident.
Mohammad AlKayed - Senior Information Security Engineer | EastNets®
In his function as the Senior Information Security Engineer, and head of the EastNets Security department, Mohammad is responsible for developing EastNets security strategy, operations and services. He has the responsibility of complete oversight of EastNets information security function including EastNets assets globally. As the head of the security team Mohammad is actively involved in the design and deployment of EastNets security solutions to meet EastNets vision and quality standards and address EastNets customer needs. Mohammad has rich practical experience in security intelligence and operations, risk management, digital forensics, and incident response, as a result of leading major regional projects with telecommunication companies, governmental agencies, and financial institutions in the specialized area of cyber-security and information security.