Teleworkers share many of the same cyber threats and risks as their in-office counterparts. Ideally, they are working from devices compliant with company policy, protected by the corporate cybersecurity deployment, and using company-approved software. Any cybersecurity risks overlooked or accepted by corporate policy are shared by on-site and remote employees alike.
However, teleworkers also experience cybersecurity risks that are unique to their situation. For example, teleworkers are often working from personal Wi-Fi networks that are not configured, managed, or secured by the corporate IT team. This introduces new potential attack vectors, such as the use of ARP spoofing to perform a Man in the Middle (MitM) attack, that are virtually unknown on the corporate network.
Telework has become increasingly common and accepted in the wake of the COVID-19 pandemic. Organizations considering permanent telework programs should consider the additional risk that teleworkers bring to their network environments.
The Rise of Telework
The COVID-19 and the need to transition most or all of an organization’s workforce to remote work within a few weeks caught many organizations unprepared. Less than half of companies supported remote work prior to the COVID-19 pandemic. As a result, these organizations often lacked the corporate-owned devices and network infrastructure, such as virtual private network (VPN) support, required to securely support such a large teleworking contingent.
In the immediate wake of the forced shift to remote work, many organizations focused their efforts on ensuring that their employees were able to continue daily business while working from home. This included allowing employees to work from personal devices and shifting employees to more scalable solutions for secure connectivity, such as split-tunnel VPNs.
Teleworkers are Often Less Secure
This focus on returning to “business as usual” often sacrificed security for usability. Employees working from home are vulnerable to a greater range of cyber threats and risks than those working from the office. Additionally, these employees are accustomed to being protected by the organization’s cyber defenses, which may not be protecting them in their remote workplaces.
- Untrusted Networks and Insecure Connectivity
When working from on-site offices, employees are protected by the organization’s perimeter defenses. These solutions are deployed at the network boundary and inspect all traffic entering or leaving the corporate network. For on-site employees, this limits the number and types of cyber threats that they encounter.
Teleworkers are using unsecured home networks for business purposes. Since these networks are not configured by the organization’s IT team, they likely are not compliant with corporate security policy and are more vulnerable to malware infections and attacks. As a result, cyber threats like ARP spoofing or Wi-Fi secured with weak passwords, which are virtually unknown on the corporate network, are more common in employees’ home offices.
To protect against eavesdroppers and MitM attacks, teleworkers are often required to use VPNs to connect to the corporate network. However, many organizations have limited VPN infrastructure, forcing the use of split-tunnel VPNs to help them scale to meet demand. However, these split-tunnel VPNs, which only carry traffic bound for the corporate network, mean that an employee’s connection to the public Internet is not protected by corporate firewalls, antivirus, and other cybersecurity solutions. This leaves them vulnerable to infections and attacks that can then spread to the corporate network via their VPN connection.
- Use of Personal Devices for Business Purposes
When forced to switch to telework, many organizations lacked the number of company-owned laptops that would be required to support a fully remote workforce. As a result, many employees worked from home using personally owned devices, which created new cybersecurity and privacy risks for the organization.
Corporate-owned devices used for telework historically have lagged behind on-site devices for installation of security updates. In fact, only 42% of remote machines receive security patches within three days of the update becoming available, compared to 48% of on-site computers. This issue is likely to only be exacerbated during the COVID-related mass telework. Personal devices used by employees during unexpected remote work are unlikely to meet corporate security standards, receive regular patches, or have corporate anti-malware solutions installed.
With remote work, an organization’s existing processes for patch management may be unusable or unscalable. As a result, organizations are likely to experience a much higher rate of cybersecurity incidents due to exploitation of known but unpatched vulnerabilities. The use of personal devices for work purposes also raises issues of personal and corporate privacy. Organizations wishing to monitor employee devices for security purposes may accidentally and inappropriately capture information regarding personal use of these devices.
Additionally, businesses relying upon employees’ use of personal devices for work purposes can expose the organization’s sensitive data to unauthorized users. Personal devices may be used for both business and personal reasons and by other members of the employee’s family. This potential for non-employees to access business data may mean that an organization risks non-compliance with data protection laws such as the Health Insurance Portability and Accessibility Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS).
Preparing for a Secure, Remote Future
As many organizations consider an extended or permanent transition to remote work, it is essential to consider the new cybersecurity risks that teleworkers introduce to the enterprise. Working from home can mean that employees are performing business activities and processing sensitive business data on networks and devices that do not meet company security policy or regulatory requirements.
Large-scale, sustainable, and secure telework is possible for most organizations. However, it requires careful consideration of the new cybersecurity threats and risks associated with remote work and the cybersecurity solutions and controls that must be put in place to mitigate them.