Since the COVID-19 outbreak, there have been countless headlines and viral social media posts exposing some of the worst remote security faux pas, ranging from the financially devastating to the easily avoidable to the outright strange.
More than a year later, many are still struggling to master their mute button — let alone take precautions to protect their digital identities or safeguard work-related information — and attackers have ways of getting even the most security-conscious employees to slip up.
The days of everyone working onsite from company-issued desktop seem like ancient history. According to IDC's Quarterly Personal Computing Devices Tracker report for Q4 2020, the Asia Pacific region excluding Japan (APeJ) sold 65.8 million units of notebook.
Propelled by the shift to remote work and online learning, shipment for notebooks increased by 12.4 percent in 2020 and this growth is expected to further ramp up in 2021.
With remote and hybrid work setup becoming the new norm, traditional network security barriers are dissolving, and organisations must take steps to improve security posture.
Based on the recent Cybersecurity Public Awareness Survey by the Cyber Security Agency (CSA) in Singapore, a lot more must be done to improve cyber hygiene and the overall attitude towards cybersecurity needs to change.
For instance, the majority of the respondents did not install security applications in their devices despite knowing the risks and most participants continued to believe that such incidents would not happen to them. With efforts to better secure assets and data in cyberspace, the Singapore government rolled out guidelines for businesses through a safer cyberspace masterplan in 2020.
Training and educating employees about cybersecurity risks is one of security leaders’ top operational challenges today. As record numbers of people continue to work outside office walls, the need for vigilance and attention to security has never been greater.
Here are a few of the most important remote work faux pas to avoid:
- Using Weak Passwords
Cybersecurity and IT professionals have long stressed the importance of using unique, secure, complex and random passwords, especially when it comes to sensitive materials. Unfortunately, studies have suggested that those warnings are not always taken seriously.
Users tend to use simple, easy-to-remember passwords at the expense of their own security. In fact, according to a CyberArk study, 82 percent of remote workers admit to reusing passwords.
Employees can consider using a personal password manager so that every site has a unique password.
It is also important to use biometric and two-factor authentication on all websites and applications for an added layer of protection.
For IT Teams responsible for managing access on an enterprise-scale, password managers do not offer sufficient protection, and this is where privileged access management can help.
- Working around Corporate Security Policies
During a busy workday, remote workers may be tempted to find workarounds that increase productivity at the expense of security.
According to CyberArk's study, 67 percent of respondents admit to seeking a workaround to corporate security policies, such as sending work documents to their personal email address, sharing passwords or installing unverified applications on their work devices.
For the sake of convenience, many users are storing passwords in their browser allowing passwords to autofill, which poses a serious security risk.
The first place where attackers look in a browser is the password manager. Whether it is personal or corporate, threat actors will try to retrieve whatever credentials that are stored in browsers.
Remote workers may attempt to sidestep company security controls for various reasons, including convenience and ease of use, without fully understanding the downstream consequences if credentials are exposed.
- Sharing Work Devices with Family
Being stuck at home has made it tempting for remote workers to let family members use their work computers for non-work-related activities and the work device often becomes a personal device. For instance, a child may need to use Zoom and sit at his parents' desk to make the call. There is a possibility that the child clicks a link or goes to an unknown website, which exposes the company network to security threats. Thus, it is critical to draw a line and separate work devices from personal use.
Sharing a work device with others is never a good idea. However, if using a home internet connection for work-related tasks is unavoidable, employees can take a few simple precautions to keep work and personal data separate and secure.
Create a guest WiFi network to separate the standard home network for work-related activities. Generally, the guest network isolates all the devices, so they cannot communicate with one another. This effectively puts a firewall around the network by allowing only outgoing communication.
Set up a separate, password-protected user account with restricted access for web browsing and day-to-day related activities.
- Giving Vendors and Contractors Too Much Access
Most employers depend on vendors and contractors and external contributors often require a certain degree of access in providing their services.
In this scenario, it is critical for IT security teams to follow the principle of least privilege — limiting each users’ access to only what is needed, for only as long as it is needed. The approach requires every identity - human or machine to be authenticated and authorised before access is granted.
When thinking about remote workforce, third-party vendors, which might have different access and security controls, need to be managed, monitored and controlled just like regular employees.
Organisations should require their vendors and contractors to adhere to the same security practices and standards as the rest of their workforce.
- Hitting ‘Remind Me Tomorrow’ on Software Updates
New software updates are designed to reduce security risks, and one of the best ways to keep devices secure is to keep them up to date. Software updates require nothing more than accepting the updates when prompted. They are so effective at keeping devices safe that attackers could initiate updates themselves. In fact, attackers often do so to prevent others from infiltrating the same network once they have gained access.
Once they have identified the network's security flaw they will secure the system so only they have access to the entry point. They will go through network devices — like home routers, where many people have default passwords — and if the firmware is out of date, they remote back in and patch it up to the proper level so nobody else can hack it.
Ultimately, software, browsers and operating systems must always be up to date to protect the IT infrastructure and assets.
Small Steps to Mitigate Big Risks
While it is impossible to remain entirely secure, there are small steps individual remote workers can take to reduce the risks in this new working environment.
Focusing on managing passwords properly, granting the least privilege, implementing multi-factor authentication (MFA) and separating work and personal devices, at a minimum, is a good start.
Teck Wee Lim is Regional Director, ASEAN, at CyberArk