Protecting remote workers amid COVID-19
The COVID-19 crisis is leading to a crash course in remote working for many businesses and their staff.
Forty seven percent of workers in Australia and New Zealand have no previous remote working experience, according to research firm Leesman.
A Gallup US survey found that 43% of Americans occasionally work from home while in the European Union 15% of workers are able to work from home.
With sales of technology products spiking as people rush to set up home offices for the first time, businesses need to be aware of the vulnerabilities represented by all these new, unsecured devices.
The defences which business have in place against cyber-attacks in the office have no effect when remote workers use personal or shared computers in the home, leaving business information at risk.
Cybercrime is escalating amid the pandemic – phishing scams are adapting to take advantage of people's anxieties - emails and messages contain links pretending to be from authorities, but which instead compromise computers with ransomware and other malware.
Risks to business from the use of personal or shared computers - with a high number of malware infections - are compounded by the fact that they are connected to vulnerable Wi-Fi shared with unknown devices at home.
(In Australia alone, over one in 10 computers and around one in 20 mobile devices are infected with malware, according to Comparitech research).
How can businesses protect remote workers?
1. Maintain responsive tech support
Many people, unused to remote-based work, will need a lot of hand-holding. Initially, you should be prepared to ramp up helpdesk and support – sysadmins are reporting situations such as "a billion calls about how to use VPN and logon to remote desktop".
Extend support coverage to evenings and early mornings as many staff may need to work out of hours if they're caring for children when schools are closed.
Be aware that remote support is also another potential attack vector. Work from home users may be caught by scams associated with the opportunity, or they might leave their computers unprotected after a legitimate remote support session has ended.
2. Ensure users update their OS
Windows, MacOS, Android, iOS and Linux all support automatic updates. Make sure you've published and shared clear guidance to users about how to enable automatic updates on their devices.
3. Get users to install security software
Real-time malware scanning on all devices is critical. Security software should be set to automatically update at least once per day so that devices are protected against the latest threats. This may mean buying new anti-virus tools for the different kinds of devices that your remote workers are now using
4. Set up a secure VPN
If your business relies on files and applications that are hosted on your own internal servers, you should ensure nobody can connect to them from home, unless a VPN is enabled for all traffic on the device.
Pay for and provide a trustworthy VPN solution to your work from home staff who need remote access to your network. Ensure split-tunnelling is disabled so that your data is not put at risk by unencrypted connections running on the same network.
5. Ensure home routers are secure
Routers are a common vulnerability in the home. Work from home users won't even know if their router has been hacked, as everything looks normal even when all their traffic is compromised. Most service provider-supplied routers are reasonably secure, but you should recommend that your remote worker has updated the default, easy to guess passwords that they often ship with. If they use a cheap unbranded router encourage them to upgrade.
6. Have multi-factor authentication
If your work from home user needs to log into business services – payroll, collaboration, file sharing – ensure they all require multi-factor authentication (MFA). Then, if user credentials are stolen, there's less damage a hacker can do to the entire system. Also encourage people to enable MFA on their mobile devices if they haven't already done so. Yubikey or Google Authenticator (Authy) are two good tools to help customers manage their MFA needs.
7. Make work tools available
To reduce the chances of staff installing unofficial or unsafe tools, provide work from home users with access to company required software. This may mean buying more licenses for additional devices being used – some vendors are giving away extra licenses and offering longer free trial periods. For staff whose home computer isn't compatible with these tools, permitting unofficial tools represents an attack vector. Consider purchasing suitable laptops – this may be cheaper and safer for your business in the long run.
Ultimately employee education remains very important. Remote working is a necessity to help businesses survive one of the most difficult economic and social crises the modern world has ever faced. The approach needs to be one of enabling staff to be as productive as possible, but also as protected as possible.