The COVID-19 pandemic has dramatically impacted “business as usual.” Organizations that had traditionally eschewed telework programs were forced to suddenly convert to a mostly or wholly remote workforce, often without adequate time to prepare.
After months of telework, many companies have acknowledged the benefits of allowing employees to work from home for part or all of the workweek. However, when transitioning to permanent support for telework, companies must adapt cybersecurity policies to address the new threats and risks associated with a remote workforce.
Identifying the Unique Threats of Remote Work
Employees working from the corporate office expose an organization to a number of different cybersecurity risks. Teleworkers, because they are doing the same job in or out of the office, share many of these risks.
However, remote workers’ unique situation also exposes an organization to increased risk. Some security considerations for a remote workforce include:
- Use of Personal Devices: During COVID-19, many employees worked from personal devices when companies lacked the resources to supply each employee with a company-owned computer. These personal devices are likely not running the corporate antivirus and other security solutions, increasing their potential for infection.
- Patching and Configuration Issues: Historically, remote workers’ machines are slower to have security updates applied and more likely to violate company security policies. With remote work becoming more widespread, this problem, and its impacts on enterprise cybersecurity, is likely to grow.
- Increased Exposure to Cyber Threats: Remote employees are working from less-secure networks and, due to a lack of VPN scalability, are likely to be connecting directly to the public Internet. Any traffic that does not pass through the corporate network lacks the protection of the company’s cybersecurity defenses, increasing employee exposure to cyber threats.
- Delayed Incident Response: The cost and damage caused by a cyberattack depend heavily on the speed and effectiveness of incident response. With a remote workforce, incident responders will not be able to respond to incidents in person and may be reliant on untrained employees to take critical actions.
These are only some of the new and amplified risks introduced by widespread remote work. Identifying these new threats is an essential first step to updating the corporate cybersecurity strategy.
Updating Cybersecurity Policies for a Remote Workforce
Based upon a complete assessment of the risks posed by remote work, it is possible to develop strategies for minimizing and mitigating these risks. Some important considerations include:
- Controlling Remote Access: Remote workers are more likely to be compromised by cybercriminals. Implementing a zero-trust security policy for the enterprise network minimizes the damage that can be caused by a compromised remote machine.
- Managing Regulatory Compliance: Cybersecurity and data access management requirements, like those in PCI DSS, apply regardless of where employees are working. The corporate security policy should ensure that remote workers are compliant with applicable regulations.
- Ensuring Business Resiliency: For a remote workforce, VPN infrastructure (or another remote access solution) is now critical infrastructure. It is essential to ensure that these systems are resilient and protected against cyberattacks.
- Increased Cybersecurity Awareness Training: Remote workers are less protected against phishing and other cyber threats. Training employees to recognize and respond appropriately to cyber threats is essential to minimizing organizational cybersecurity risk.
How MorganFranklin Consulting, a Vaco Company, Can Help
Adapting an organization’s cybersecurity strategy for the world of widespread remote work is a multi-stage process. Companies need to identify the new risks posed by widespread telework, develop strategies for addressing them, and implement the required procedures and technology.
We can assist with every stage of this process. Our advisors are experienced at risk assessment and have extensive experience with industry best practices and the tools and techniques available to remediate these risks.