Assessing Security Risks of a Remote Workforce

Last month, a cyberattack crippled nearly 200,000 computers across more than 150 countries.  The ransomware attack took over computers, encrypted their data and then demanded payments from users to release the information. Organizations from private companies to governments and individuals were impacted.  Had it not been for the intervention of a British cybersecurity researcher who was able to shut down the attack, the impact could have been far worse.  This latest cyberattack has many organizations reviewing their security protocols, updating their antivirus software, and ensuring their security measures are in place.

Although the latest global cyberattack had nothing specifically to do with remote workers, organizations assessing their vulnerability to cyberattacks are bound to raise commonly asked questions about the security of remote workers.  Is your organization more at risk by having remote workers?  How can the risk be mitigated?

Many leaders immediately consider IT solutions when thinking about security. Volumes could be (and have been) written about various technology solutions to keep remote workers safe. VPNs, secure app tokens, anti-virus software, thin clients, and cloud-based solutions seem almost commonplace in most organizations to keep data protected and intruders out. However, technology still can’t trump the human factor when it comes to protecting your business. Leaders must ensure they are giving equal attention to people, policies, and processes.

Before deploying any solution, leaders should assess their business. Specifically, what kind of data and information does the organization handle that may be sensitive and need to be protected? Many businesses handle Personally Identifiable Information (PII) or Protected Health Information (PHI), which may be governed by state or federal regulations. Other organizations may handle confidential or proprietary data that is sensitive within their industry. Prioritizing what needs to be protected can help shape security policies and determine what the IT needs are.

Leaders should also have a grasp on their remote workers. How many remote workers does your organization have versus those who work in the office daily but still access the company network while at home or on the road? Often it is the latter group that can cause security issues if they are not trained or the company fails to put protocols in place that affect anyone not working in the office. For example, many businesses have good solutions for full-time remote workers, such as providing the employee with a thin client instead of a standard laptop, but don’t have similar measures for office workers, such as when an office worker is allowed to travel with a laptop that may contain PII on its hard drive.

Next, leaders should review how employees access the network. Do home-based employees plug directly into their modem or home Wi-Fi network (and therefore directly into their ISP), or are they using something like a firewall appliance to add a level of security? Does the organization have policies in place to cover mobile workers who may be accessing the network from a coffee shop or hotel room? Physical security is also important for mobile workers, as thieves may try to gain access by stealing a device or to get information stored on the device. Because of this, leaders should consider where information is stored, keeping sensitive information off of local devices and in the cloud or at least within shared drives behind the company firewall.

Related to how employees access the network is what devices they use to do it. Bring Your Own Device (BYOD) has been a huge convenience for employees but causes many headaches for IT leaders. In many cases, users have multiple devices, and IT departments have to grant role-based access based on varied user and device pairs. IT leaders can recommend limits on the number of devices, but at a minimum, every device should be traceable, and the organization should have visibility into each device and user and what information is accessed.

Once leaders assess, understand, and determine necessary measures, awareness and training are needed on an ongoing basis. A simple, careless action on the part of one employee, even if it is unintentional, can wreak havoc on the company network. Leaders need to continually communicate with and even audit employees to ensure compliance and evaluate risks. Formalizing a remote work program creates better visibility into policies and procedures that provide guidance to remote workers, and further mitigates risk by ensuring legal, regulatory, and security requirements are communicated and monitored. In this area, an outside, objective third party can often provide assistance. Flexwork Global partners with companies to review policies and procedures to formalize remote work programs in ways that minimize cybersecurity risks.
