Why Remote Employees Are Your Biggest IT Security Threat
In a few of our previous posts, we’ve talked about “internal IT security threats.” These are the network security threats that originate from your own organization—the proverbial “inside man” (or woman, as the case may be). Some of these threats arise from the willful malfeasance of employees (meaning they do it on purpose), while others happen on accident because the employee made a mistake.
However, as a threat to your business’ IT security, workers in your office pale in comparison to remote employees. Why are remote/telecommuting employees such a severe IT security threat? And, what can you do to mitigate this threat?
IT Security Threats and Vulnerabilities That Mobile Workers Bring
Employees working remotely, and especially on mobile devices such as smartphones and tablets, bring with them some unique IT security threats and vulnerabilities that co-located workers typically don’t, such as:
- Mobile Malware. Workers operating from a mobile device bring an increased risk of malware. In fact, according to the iPass mobile security report for 2018, “16 million users were hit with mobile malware in the third quarter of 2017.” These malware programs can use a worker’s mobile device as a launching point for infecting your network once the employee connects with it.
- Unsecured Public Wi-Fi. Many remote workers attempt to connect with the internet (and with their business’ apps and network) using unsecured public Wi-Fi routers at cafés, malls, and other public gathering places. This opens up your network to attacks from malicious actors who use unsecured public Wi-Fi to hijack data being sent on that network.
- Lack of Control Over User Devices. Remote workers frequently use their personal devices for work rather than a company-supplied device. This often means that the company has no control over what security measures the employee uses on their device—creating potential vulnerabilities if such devices are stolen or compromised.
These extra risks are in addition to all of the IT security threats that co-located workers already bring to the office (improper browsing activities, falling victim to phishing attacks, sending sensitive info to the wrong recipients, etc.).
For these reasons, remote workers are the biggest network security threat to your organization. Now, the real question is this: “What are you going to do about remote worker IT security threats?”
Protecting Your Business from Remote Employee IT Security Threats
So, how can you protect your business from the IT security threats and vulnerabilities that a mobile workforce creates? One idea is to avoid working remotely entirely, but that isn’t necessarily realistic or practical in today’s modern work environment. There will always be a need for people to work remotely from time to time to meet deadlines or because they can’t physically make the commute to work.
Here are a few other potential solutions to the issues created by remote workforces accessing the company network:
Banning Public Wi-Fi Use
Since public Wi-Fi hotspots are so susceptible to attack by malicious users, why not ban their use outright?
Well, the answer is that it isn’t necessarily practical. When an employee is working remotely, they may not be able to access their own home Wi-Fi, and mobile hotspots can get very costly, very quickly.
So, publically-available Wi-Fi hotspots are often the only affordable option that remote workers have access to. Banning them outright is not going to be practical for remote employees who are working abroad.
Virtual Private Networks (VPNs)
Instead of banning public Wi-Fi use outright, it may be better to require employees to use a virtual private network, or VPN, when working remotely. VPNs help keep remote connections to your business’ network secure by encrypting communications and using secure gateways to partition your network from being directly accessed.
However, the act of connecting with a secondary gateway to reach specific resources can slow down a worker’s internet browsing speed, impacting their productivity and making some workers not want to go through the trouble.
To get the best benefit out of VPN, it’s important to make sure that every employee understands why VPNs are necessary when working remotely. This helps to encourage employees to use VPNs so as to minimize the IT security threat that working remotely poses.
Mobile Device Management Technology and Apps
Another solution to the security challenges that remote workers face is the use of mobile device management (MDM) technologies that can help users partition the work-related data, software, and apps on a mobile device or computer from the non-work data and apps.
Such applications help to restrict what information on a personal device the employer can access, modify, or delete remotely. They can also help provide a small degree of separation between sensitive work data on a device and the user’s personal data if the device is compromised (though not usually a very strong layer of protection).
Add Multi-Factor Authentication
Multi-factor authentication (or multifactor authentication, MFA) involves the use of multiple identity-confirmation criteria when a user attempts to log into an organization’s resources. MFA usually includes at least two of the following:
- Something you are—typically biometrics data (face recognition, thumbprints, retinal scan, etc.).
- Something you know—such as a password or key phrase, answer to a security question, etc.
- Something you have—examples include authentication tokens, security tags, keys, one-time use passcodes sent via text messages, etc.
Using multi-factor authentication tools for accessing company apps and resources helps improve network user account security by making it so that attackers can’t simply guess or steal a password to gain access to sensitive resources.
Creating BYOD Policies
Bring your own device (BYOD) policies help to establish clear rules and guidelines for if (and how) employees can use their personal devices for work. BYOD policies can include rules for:
- What kind of devices employees can or cannot use for work tasks.
- Whether or not employees are required to use virtual private networks.
- Establishing whether the employer has the ability and authority to remotely wipe data from the device if it is lost/stolen/compromised.
- What costs the employer is responsible for when it comes to purchasing software/apps for the personal device.
- What data the employee can or cannot modify/delete from personal devices for compliance with electronic discovery requests.
Some of the solutions listed above may be great for your organization, while others may be somewhat impractical. And, what works for another company might not work for yours.
If you need help countering the IT security threats posed by having a remote workforce, contact the experts at Compuquip Cybersecurity! We can walk you through some options for VPNs, help you create a BYOD policy, and examine your current network security architecture to help you close critical security gaps.