In early 2020, the COVID-19 pandemic tested the business continuity preparedness of virtually every organization across the world. Companies everywhere had to abruptly shift to the remote work model, forcing a big percentage of the world’s workforce to work from home. As per a recent report published by Statistics Canada, in January of 2021, over 32% of Canadian employees worked remotely compared to 4% in 2016.
Over a year later, as the world begins to slowly re-open amidst fears of new variants and new waves, it’s evident that remote working is here to stay. In the post-pandemic future, remote working will remain part of the so-called “new normal” for a major proportion of the world’s workforce. Statistics Canada says:
- 41% of Canadian workers would prefer to work at least half of their hours from home after the pandemic
- 39% would prefer to work most of their hours at home.
- Only 20% would like to work most of their hours outside the home.
Remote working is also likely to remain prevalent in the post-pandemic world because of the obvious economic advantages to organizations in the form of reduced costs and lower overheads.
Risks Associated with Remote Working and Need for A Long-term Remote Security Strategy
In early 2020, most organizations had assumed that remote working would be a short-term situation. As a result, they quickly pieced together remote work security strategy solutions with the simple objective of keeping their operations afloat in the short term. Due to this reactive focus on operational continuity, many businesses did not pay much attention to security. More than a year later, many organizations are still operating with the same solutions that are adequate to keep operations running but inadequate to meet the demands of current security challenges.
Many organizations don’t realize that remote workers create a unique set of security risks since they’re operating outside the secure boundaries of the enterprise environment. These risks come from:
- Logging onto unsafe Wi-Fi networks to access sensitive data
- Using personal and often insecure devices for work.
- Using official devices for personal reasons and accessing unsafe websites or content
- Not physically securing official devices in public places.
- Malicious actors, specifically targeting remote workers, through phishing emails or malware attacks.
When an average data breach costs 3.86 million USD (as per an IBM report in 2020), organizations must adopt long-term security strategies centred around a remote workforce. Failure to do so might have disastrous, long-term consequences.
Are VPNs Enough for Remote Security?
Many enterprises just added or bolstered their VPN solutions when they transitioned employees to remote work, assuming that VPN is the best solution to secure remote workers and devices. Unfortunately, VPN alone is not the strongest security solution – as many companies are now discovering.
In an ideal situation, employees access networks only from the office or if they’re logged in through a corporate VPN. But with an increasingly distributed workforce, not every employee connects to the VPN all the time, especially since organizations increasingly rely on cloud-based solutions like Slack and Microsoft Office 365, which employees can access from any location, any device, and at any time. These cloud-based solutions introduce insecure endpoints outside the scope of the organization’s IT ecosystem (also known as “Shadow IT”), which malicious actors then exploit to attack the organization’s assets or steal its data.
Fortunately, there are methods available to manage and mitigate these risks. Enterprises and their IT teams must implement strong remote work security strategies that are network-agnostic, that protect and manage all endpoints, whenever they are in use, and regardless of which network the end-user is connected to. These strategies include:
- Mobile Device Management (MDM)
- Cloud-based patch management
- Endpoint intrusion detection and response
- Endpoint encryption
- Secure email gateways
- Antivirus solutions
- Limiting exposure to management services or protocols to the public internet
In today’s dynamic security landscape, organizations should focus on preventing a breach and assume that a breach will occur at some point. They should implement a Zero Trust Architecture (ZTA) within their IT ecosystem to stay ahead of such events. ZTA assumes that no device and user can be trusted, so they must continuously monitor and validate user and device privileges. Companies should also consider implementing least privilege access controls to deter threat actors and limit their impact if they manage to get through the enterprise network.
They should also consider that employees might be the weakest link in their security. Therefore, they must educate employees about prevalent threats and how they can avoid them. Companies should consider investing more in cloud-based security tools to secure their cloud assets and data.
Packetlabs offers numerous security services, including infrastructure penetration testing, application testing and red team exercises to help you protect your most valuable assets and support your remote work security strategy. Contact us for a free, no-obligation quote.