Over 75 million employees may be working from home before the global pandemic is over. Many employees are now getting used to the “new norm.” In fact, studies predict that 73% of all departments will have employees working from home by 2028. One of the most critical challenges tech leaders are facing is how to ensure their teams are working collaboratively without exposing the company and individual employees to high-stakes virtual security vulnerabilities.
What can take Fortune 500 companies over a year to achieve, tech leaders have had to tackle in just a matter of weeks. CISOs and IT teams are now having to assess their cybersecurity preparedness on a massive scale. We sat down with some of today's top security experts from our Tech in Motion community to learn what they are doing to prepare and protect their teams. Here is what they recommend as the most effective steps for securing your remote workforce.
Assess and Address Security Vulnerabilities
First, it is a fair assumption that most remote employees are operating on a company-provided device. That is an excellent advantage and a beneficial starting point. Second, because most applications are now cloud-based, companies can deploy their productivity tools to their remote users without much alteration. However, if these two factors are not in place or not being utilized, putting them in place is an essential initiative to begin with.
Once the fundamental vulnerabilities have been assessed, tech leaders need to identify what could be missing from their infrastructure to ensure security. Craig Jones, Director of Global Security Operations at Sophos, suggests starting with what your company is doing to make sure your infrastructure is fully patched. This means you should scan your infrastructure while also managing your end-user devices. These two elements should be connected to ensure a fully patched infrastructure. Chris Kirsch, Product Marketing at security company Veracode, added that you should look at your security holistically and identify vulnerabilities at every stage. This includes your company’s VPN security, device usage, data warehousing and mobility, and cloud-based productivity applications.
Even the largest and most secure companies have had to adopt new tools to address new security risks that became apparent as companies migrated their employees to a remote environment. If funds are available, consider allocating them to building out a comprehensive security team dedicated to managing these risks. Additional funds could be used to purchase tools that add layers of security to email exchanges to prevent phishing attempts, malware attacks, etc.
Manage Increased Phishing Attempts & Malware
Phishing is the number one factor in security breaches, and the number of fear-based phishing attempts has skyrocketed since the global pandemic began. In fact, phishing attempts have increased by 350% in 2020. If someone can spoof your employee’s authentication, your company's infrastructure and data are at greater risk. The unfortunate reality is that companies need to be particularly strategic about what could be seized in a phishing attempt. However, with the proper permissions and access controls in place, the attacker will be able to access what the employee has access to, but no files above those permission levels.
To prevent successful phishing, first add layers of security to your company’s email flow. Mike Lemire, CISO at Quickbase, discusses how email phishing can wreak havoc on your company’s security, especially during a time when your workforce is working from home. Mike suggests investing in a built-in email filtering platform, like Mindcast, to simply reduce the volume of emails that are sent from external parties. Some platforms can also help identify targeted spear phishing: emails that seem to come from a company executive, asking the employee to share confidential company information and employee data. In the event of a successful phishing attempt, you could implement Multi-Factor Authentication or Conditional Access to prevent unauthorized access.
Experts suggest assuming some phishing emails will get through even if you have a filtering platform in place. So, your second layer of email security should be to protect the endpoint. Put systems in place that do not allow malware (an unknown file) to be executed. For example, if an employee receives an email directing them to download a time-sensitive file, the unknown file error should block the download. Another example of an added layer of endpoint protection is to not allow users to be redirected to external pages that might ask the employee to enter personal information into a third-party site.
Even with your vulnerabilities identified and your layers of anti-phishing protection in place, there is always room for human error. Training your employees on these potential cyberattack scenarios is critical to bringing your security strategy full circle.
Build a Security Culture from the Ground Up
Bobby Singh, CISO & CTO at Toronto Stock Exchange (TMX), emphasizes that while the majority of CISOs are working to secure their workforces on a corporate level, security education for all employees is a significant measure that at times is overlooked. Providing employees with individual security best practices to mitigate vulnerabilities that may slip through the cracks is essential.
The panel of experts all agreed on the particular importance of a security culture during the current climate. This could be as simple as sending examples of phishing emails and highlighting which key words and phrases to look out for. For example, during COVID-19, phishers might use trigger phrases like “layoff, pay reduction, or COVID cases within the company”. Provide instructions outlining each step to take, and how to execute it, if a phishing email is received.
"A step to not be forgotten is remote employee training," says Craig. Any new employee who is currently onboarding should receive comprehensive security training detailing vulnerabilities while working from home. Continue to send phishing test emails to your employees to be sure all are being reported to the IT team. Your IT team can then interpret patterns to determine whether employees are recognizing threats, as well as which types of phishing attempts are more difficult to identify.
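As an added illustration (not from the panel or any product they mention), the pattern analysis of phishing test results described above could look like the following. The row layout, the 50% reporting threshold and the sample results are assumptions constructed for the example; the lure themes reuse the phrases quoted earlier.

```python
from collections import defaultdict

# Constructed sample results of simulated phishing tests, one row per email sent:
# (employee, lure theme, reported to IT?, clicked the link?). All values are made up.
ROWS = [
    ("emp1", "layoff", True, False), ("emp2", "layoff", True, False),
    ("emp3", "layoff", False, True), ("emp4", "layoff", True, False),
    ("emp1", "pay reduction", True, False), ("emp2", "pay reduction", False, False),
    ("emp3", "pay reduction", False, True), ("emp4", "pay reduction", False, True),
    ("emp1", "covid cases", True, False), ("emp2", "covid cases", True, False),
    ("emp3", "covid cases", True, False), ("emp4", "covid cases", True, False),
]

def tally(rows, key_index):
    """Group rows by employee (0) or lure theme (1) and compute report/click rates."""
    counts = defaultdict(lambda: {"sent": 0, "reported": 0, "clicked": 0})
    for row in rows:
        c = counts[row[key_index]]
        c["sent"] += 1
        c["reported"] += int(row[2])
        c["clicked"] += int(row[3])
    return {
        key: {**c, "report_rate": c["reported"] / c["sent"],
              "click_rate": c["clicked"] / c["sent"]}
        for key, c in counts.items()
    }

def hardest_lures(rows):
    """Lure themes ordered from least-reported (hardest to spot) to most-reported."""
    stats = tally(rows, 1)
    return sorted(stats, key=lambda k: (stats[k]["report_rate"],
                                        -stats[k]["click_rate"], k))

def needs_followup(rows, min_report_rate=0.5):
    """Employees who clicked any test email or reported too few of them."""
    stats = tally(rows, 0)
    return sorted(e for e, s in stats.items()
                  if s["clicked"] > 0 or s["report_rate"] < min_report_rate)

if __name__ == "__main__":
    lure_stats = tally(ROWS, 1)
    for lure in hardest_lures(ROWS):
        s = lure_stats[lure]
        print(f"{lure:15} reported {s['report_rate']:.0%}  clicked {s['click_rate']:.0%}")
    print("follow-up training:", ", ".join(needs_followup(ROWS)))
```

The lure themes at the top of the list are the ones to feature in the next round of training examples.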
Building trust and confidence in today’s workforce requires exemplifying how successful and secure teams can be while working remotely. Executives have an opportunity to lead the evolving remote work culture by showcasing the company’s innovation and evolution through the current climate. Fold these success stories into your security trainings to lay a trusting and productive foundation.