While the number of Canadian employees working fully or partially from home (WFH) due to disruptions caused by the COVID-19 pandemic has slowly declined from its April 2020 peak of 40 percent, remote work is still likely part of the new future of business. As Mark McGraw of The Institute for Corporate Productivity explains, “companies are going to see that some, maybe many, of the jobs they’ve always thought had to be done onsite could be done just about anywhere and could be done just as well.” “While remote work isn’t new,” as Elisabeth Joyce from research firm Gartner notes, “the degree of remote work moving forward” will change how people define work and shape their work habits.
Any projected trend towards more WFH opportunities come with challenges, of course. One of the most important of these challenges is how to ensure that IT security standards and protocols are maintained across a remote workforce that might be lacking the necessary tools and experience required to do so. As a recent IBM study showed, “more than 80%” of WHF employees surveyed “either rarely worked from home or not at all prior to the pandemic, and, in turn, more than half are now doing so with no new security policies to help guide them.”
A sample of key findings from the study underscore the potential risks involved when expanding a WFH workforce:
- 53 percent of WFH employees are using their personal laptops for work
- 45 percent have not received any new training around WFH security
- 61 percent report that their employer has not provided tools to secure those devices properly
- 50 percent do not know of any new company policies related to customer data handling, password management, or similar security practices.
The bottom line: “Business activities that were once conducted in protected office environments, and monitored under specific policies, have quickly transitioned to new, and potentially less secure territory.”
Remote Workers at Risk
Given the rise of less secure cyber-territories that accompanied the rise of WFH employees, it should be no surprise that hackers and cyber-thieves have shifted focus from targeting corporate devices and applications to probing access via consumer-grade routers and common devices usually attached to home networks.
But network attacks are not the primary concern in WFH environments. The top three areas of concern for WFH security are:
- Malicious emails (90 percent of known malware is delivered via email)
- Risky and "non-compliant" employee behavior (70 percent of security breaches feature a social engineering component like phishing)
- Increasing software vulnerabilities.
FortiGuard Labs reported an average of 600 new phishing campaigns every day during the spring of 2020. And though many were short-lived event-based attacks that exploited the initial panic around COVID-19, phishing continues to prove problematic in a WFH culture.
Acknowledging that WFH security is, at the best of times, a complicated issue for both WFH employees and organizations to deal with effectively, here are some guidelines to help your staff and business stay safe regardless of where the work is done.
IT Security for WFH Employees
Experts acknowledge the unlikelihood that WFH employees will ever reach the level of security that they are accustomed to when working in corporate offices. But there are several things they can do to up their WFH security game:
Education and training. Learn to spot the most obvious signs of an attack. This action might mean updating your knowledge through an organizational training program or taking advantage of any number of free online courses designed specifically for remote workers. At least, it means understanding the basic anatomy of a phishing email, most commonly:
- A sense of urgency or obvious emphasis on scare tactics
- Imitating a known brand either through a logo or brand name
- Use of an obviously fake email addresse
- Asks you to open a Zip file
- An abundance of punctuation and grammar mistakes, impersonal tone, or errors in things like copyright, location, or product/service descriptions.
Harden passwords. In 2019, compromised passwords caused almost 80 percent of security breaches, yet 65 percent of people still reuse passwords across multiple sites, and 13 percent use the same password for all accounts and devices. Fundamental first steps would be to:
- Use different passwords for different accounts
- Make those passwords harder to guess
- Move to multi-factor authentication (MFA) whenever possible.
In a data-rich sector like healthcare, avoid using home or personal computers as often as possible. The responsibility for data integrity and security lies with the organization and its recognized Information Managers. Accordingly, the use of home or personal computers in this data-heavy sector is an exceptionally high risk, given the variety of technologies that might be in play in a WFH environment. Some personal computers might be end-of-life with no upgrades or security patches available. Others might not have been updated for some time, and still others might already be compromised prior to connection with the organizational network.
The most effective practice is for the organization to provide all WFH employees with computers that are fully managed by the organization or its appointed Information Manager. This practice ensures that security is handled in accordance with regulatory requirements and best practices. It also ensures that all security patches are in place and that all users have the secure access tools they need to do their jobs.
An alternative is to allow WFH employees access to organizational resources secured via a secure remote session client. These clients allow work to be done in a safe, encrypted environment while blocking access to home computer drives and any security issues that might lurk there. Another option is to have approved third-party management software like SolidTech's SolidCare installed on every WFH computer to ensure compliance around such fundamental issues as regular updates and patching, use of approved endpoint security, and perimeter firewall defence.
Develop and implement a telecommuting policy or updated employee contract that details the risks, best practices, and responsibilities for all WFH employees who might use home devices to accession organizational networks and resources.
More broadly, organizations should test and adjust their incident-response (IR), business continuity (BC), and Disaster Recovery (DR) plans to cover the new risk levels associated with the increase in number and frequency of WFH situations.
WHF IT Security for Microsoft
Microsoft allows organizations to enhance IT security and improve WFH employees' productivity but connecting through a business manager called Azure Active Directory. Based on a "never trust, always verify" principle, Azure AD provides first-line defence against IT security breaches and cyberattacks. The process is relatively straightforward once the Azure AD Connect tool is installed on the Domain Controller machine:
- Ensure each WFH employee secures an Azure AD identity or migrate organizational Microsoft account identities to Azure using organizational email addresses
- Select and add WFH employees to your organization as Azure AD users
- Connect your organization to Azure AD
- Set either a password or personal access token for each WFH user and ensure that settings are adjusted to sync all users and devices.
From this point, an organization can manage access and permissions and set security protocols, all remotely.
WFH IT Security for Apple Products
From an organizational perspective, take advantage of the identity and access management systems available through the two major players: Apple and Microsoft.
For WFH staff using personal Apple devices, including iPad, iPhone, and Mac computers, some fundamentals can be managed relatively easily:
- Provide all WFH staff with instructions for User Enrollment, a program that allows WFH employees to access Mobile Device Management (MDM) settings
- Ensure that all Apple devices are updated to the latest available version of macOS and iPadOS to ensure compatibility with MDM settings and core applications
- Have each WFH employee create a Managed Apple ID in Apple Business Manager
- If you have not done so already, connect Apple Business Manager with Microsoft Azure Active Directory so that you can turn on federated authentication, which allows employees to set up their Managed Apple ID using existing company credentials.
With a Managed Apple ID in place for each WFH employee, an organization can begin to button-down IT security remotely by:
- Deploying all core applications that WFH employees might need to get their work done
- Configuring network restrictions to allow connections from home or public Wi-Fi networks
- Configuring VPN to connect to critical corporate services, if required
- Securing all WFH devices with built-in security tools and MDM.
MDM also allows organizations to adjust accessibility and security for video and messaging, productivity, and project management applications.
Final Thoughts
The pandemic will eventually release its hold on businesses worldwide, but work from home is not going away. And neither are cyber-criminals who look to feast on those WFH employees that are untrained and vulnerable. But with a few proactive and strategic changes to the way their remote business works, organizations of all sizes can take positive steps forward into the new future of business.