Why Working from Home Can Increase Cybersecurity Threats
Risk and Reward
If the COVID-19 pandemic has taught businesses anything, it’s that employees, in many cases, can do their jobs from home — which can, in theory, lead to cost savings. But also expenses — the type of expense that, if ignored, can lead to much bigger losses.
We’re talking about data security. And what remote workers need depends, in many cases, on how long they plan on staying home, said Sean Hogan, president and CEO of Hogan Communications in Easthampton.
“We have some clients investing in the home office and planning on shrinking their bricks and mortar, so they’re going to save money on bricks and mortar or the lease,” he told BusinessWest. “But then they have to invest in bandwidth and security for the remote office. It’s a huge issue.”
And a sometimes messy one. In a shared workplace, Hogan noted, “you might have great security, firewalls, routers, you have security installed, you make sure all the security is updated, you constantly have the latest patches and revisions.”
But working from home poses all kinds of issues with the unknown, the most pressing being, what programs are running on home devices, whether those devices are loaded with viruses, and whether they can infect the company’s servers when they connect remotely.
“We’re trying to control security at someone’s own bandwidth at the house, where three, four, or five people may be trying to jump on at the same time,” he added. “It’s not shaped at all; it doesn’t prioritize any applications or traffic. Now, there are ways to do that — we can install SD-WAN software that allows us to monitor the connection and prioritize traffic like Zoom, Microsoft Teams, or GoToMeeting. That way, you don’t have everyone breaking up and having issues.”
“We have some clients investing in the home office and planning on shrinking their bricks and mortar, so they’re going to save money on bricks and mortar or the lease. But then they have to invest in bandwidth and security for the remote office. It’s a huge issue.”
But that doesn’t solve the issues of security holes in the home wi-fi — which have weaker protocols, allowing hackers easier access to the network’s traffic — as well as the human element that makes workers vulnerable to phishing scams, which are the top cause of data breaches, and insecure passwords, which allow hackers easy access to multiple accounts in a short period of time.
“The Internet has become the Wild West over the last 10 years,” said Jeremiah Beaudry, president of Bloo Solutions in Chicopee, starting with scam e-mails — from phishing attacks to realistic-looking but nefarious sites that try to wrench passwords and data from users and install malware on their computers.
“I get e-mails from clients three or four times a day — it used to be once or twice a week — saying things like, ‘I got this e-mail asking me to wire money to a client,’” he noted. “You can’t stop people from pretending to be someone else, and the language is getting more and more clever.”
That combination of possibly flawed technology and human errors make the home office a particular concern in the world of cybersecurity.
“Nobody has the exact answers right now for how to make the most secure connection at a remote office,” Hogan said, adding that going to the cloud has been an effective measure for many businesses, while others have taken the more drastic step of setting up physical firewalls at remote sites for key employees — say, for the CEO or CFO. “We’ll lock them down if they’re actually connecting to files and servers that are really confidential.”
Possible solutions are plenty, he said — but it all begins with knowing exactly what equipment remote employees are dealing with, and what threats they pose.
COVID-19 isn’t the only fast-spreading infection going around, Hogan said. In fact, “45% of home computers are infected with malware. That’s an eye opener for many people. It’s a huge issue, and removing it is a huge challenge.”
One problem is the human element — specifically, how users invite threats in by not recognizing them when they pop up. Take the broad realm of phishing — the setting in which people receive such pitches can actually make a difference in how they respond, Beaudry said.
“It’s harder to sift through it when working from home; it’s not natural. You’re out of your element when you’re sitting at our desk in your pajamas, as opposed to being in your office at work. You may not be reading your e-mail as carefully as you normally would. You may not be on alert.”
A big piece of the puzzle is end-user awareness, he said. “You want to have your employees educated about what’s out there, so they know how to spot forgeries.”
Alex Willis, BlackBerry’s vice president of Sales Engineering and ISV Partners, recently told Forbes that companies trust their employees to do the right thing, and workers are generally honest, but trust can be a dangerous thing.
“The problem with just trusting people is that employees don’t always do this on purpose,” Willis said. “Sometimes, it’s just purely unintentional. They are working on a home machine that’s riddled with malware. They need access to corporate data. For instance, if the company issues a slow laptop to an employee and the employee has to get their job done, they are going to use their home computer that is faster to do the job. In that scenario, the home computer might not be as secure.”
Again, it’s that issue of the unknown, Beaudry told BusinessWest. “You don’t know what they have going on with their home networks. We didn’t set up the home connection, we don’t know what they have, and everyone has different people on it. Some are borrowing it from their apartment complex or sharing it with the neighbors, and they expect the internet to work perfectly. It’s not going to.”
In an office, on the other hand, everyone is using the same network, running at the same speed, with the same level of security and firewall protection. “Then, when they go home, there are so many variables.”
The best-case scenario is to give employer-owned devices to employees so they can remotely manage information.
“You can put antivirus on an employer-owned device; when they’re using their own devices, you don’t know what they’re doing to protect it,” Beaudry added. “And if the employee is laid off or fired, you would have the ability to control any employer-owned data.”
At the very least, he said, companies should encrypt the traffic between their network and individual users’ home computers.
“We put monitoring agents on remote clients that monitor for any viruses or malware and will update their antivirus and malware protection in some cases,” Hogan added.
None of this completely addresses the speed and efficiency issues of home devices. “Usually, in a home office, they pay for their own bandwidth, and the business can’t say, ‘we don’t want your kid playing Fortnite,’” Hogan said. “That’s the challenge.”
“I get e-mails from clients three or four times a day — it used to be once or twice a week — saying things like, ‘I got this e-mail asking me to wire money to a client.’ You can’t stop people from pretending to be someone else, and the language is getting more and more clever.”
“Some clients will pay for a second, business-only connection for remote workers, he added. “But that’s pretty extreme; not many are doing that.”
More popular — and effective — is the move to a virtual environment. Working in the cloud, he noted, means not worrying about the hub-and-spoke relationship between physical servers and computers that’s the biggest weak point for security. “Most of my clients have eliminated that weakness.”
For some clients, the cybersecurity issue is especially critical — take medical businesses, for whom privacy is paramount in the HIPAA era. “That changes the game completely,” Hogan said, noting that one resource for companies handling sensitive data is a SOC, or security operations center.
“Clients who really value security can sign up with a SOC team that responds in case of a breach,” he explained. “It’s a lot of monitoring, detecting, and responding.”
Delcie Bean, CEO of Paragus IT, said any investment in platform migration and remote work has to be accompanied by investment in strong security tools — and education.
“The legacy tools and technologies used to secure networks for the past 10 years need not apply for this next wave of mobile workers,” he told BusinessWest. “Security of the future will be a lot more about multi-factor authentication, deep encryption, and will involve a lot more end-user training as well as testing than the command-and-control style approach of the past.”
Hogan agreed. “Password management is so massive,” he said, noting that people resist simple protections like multi-factor authentication, or even just using complicated passwords, or different passwords for different sites.
“We are also dark-web monitoring pretty consistently,” he added. “The dark web has been on fire lately — a lot of breaches.” Once data fall into those hands, the damage is done, he added, “but the important thing is to know what got breached, and if you can tell what credentials are out there, so you can change them.”
The bottom line, Beaudry said, is to make sure employees use unique passwords and encrypt connections remotely, and not using tools that are potentially vulnerable.
“And there’s a long list of tools known to be exploited by hackers, so it’s good to check with an IT professional before using any remote desktop method,” he added. “Some methods require you to open firewall ports that can leave you vulnerable to ransomware and all sorts of awful data breaches. The main thing is to make sure your firewall is locked down and no unnecessary ports are open, and you have backups of all data.”
That’s a lot to consider when moving into an era of expanded remote work — some of which comes at a cost. But the cost of ignoring it is much higher.
Joseph Bednar can be reached at [email protected]