Due to COVID-19, organizations across the world have advised their workforce to work from home. As a result, hundreds of millions of people are now performing remote work. Though remote work was already an occasional part of the routine for some, many others had to adjust to it without any planning.
However, it is not just the workforce that has to adjust; organizations have to adjust as well. One of the areas most affected by this change is cybersecurity. Although remote work brings multiple benefits to organizations and their employees, it can pose serious threats to an organization’s information security. After all, the workforce will be accessing sensitive information, connecting to corporate networks, and working with clients — all remotely. The risks become worse if organizations encourage BYOD, i.e., employees working on their own equipment at home.
In such situations, regular cybersecurity risk assessments become less effective, since they usually assume that employees are working within the organization’s own infrastructure.
Why Should You Care About Cyber Risk Assessment?
In a remote working environment, everyone works from a home PC or laptop, and valuable business data may be exposed on many endpoints. Continuous, remote-work-focused cybersecurity risk assessments are therefore more important than ever. They enable organizations to understand, manage, and mitigate cybersecurity risks: they help identify potential gaps and risks in information systems and help organizations carve out clear strategies to implement and verify an effective cybersecurity framework.
Risk assessment helps corporate executives and security teams understand their infrastructure and build a resilient cybersecurity framework around it, one that is readily available and highly effective against the growing number of risks. Though cyber risk assessments are nothing new, and organizations already include them as an important part of their data protection and risk management strategy, the rise of remote work requires significant changes to them.
That is the reason there is a need for remote work focused cybersecurity risk assessment. It has become increasingly important due to the global pandemic — COVID-19 — since it has forced millions of people to work from home, creating numerous cyber challenges and security risks for organizations worldwide.
COVID-19 Calls for Remote Work Security Protocols
Remote work security assessment — or remote work cyber risk assessment — is an adaptation of cybersecurity risk assessment for all employees who are working remotely. It enables organizations to test and validate their information security systems, i.e., to confirm that their security infrastructure is effective, and how efficient it remains, while work is done remotely.
According to David Ferbrache, Global Head of Cyber Futures, KPMG in the UK, “COVID-19 has driven radical change in businesses. At the heart of this is a complex and fast-changing web of digital infrastructure. As IT teams scramble to implement changes within weeks that before might have taken years, security teams need to be an enabler, not a roadblock to change. Help roll out those solutions, but make sure security advice and secure configurations are in place to help manage access, functionality, and data loss prevention controls.”
That said, cybersecurity risk assessment is one of the industry-proven methods of validating an organization’s security posture. That is why, nowadays, remote work security assessment proves to be a critical tool in an organization’s security toolset.
The Changes Required in Cybersecurity due to Remote Work
The most notable change in cybersecurity risk assessment for remote work is the inclusion of the environment in question, i.e., the employees’ local networks. Traditional cybersecurity risk assessment mostly deals with the corporate environment — corporate networks along with the organization’s hardware, software, and employees. The change requires the organization to include the employees’ home environments too, i.e., their home broadband or Wi-Fi networks, hardware and software, data backups and storage, and other hardware systems.
The second focus is the human factor. Though the human factor is included in traditional cybersecurity risk assessment as well, the human-factor risks are drastically greater for remote work.
This is because employees’ usual safeguards against cyber threats are weaker while working from home. They may work on their personal computers, accidentally share work information by unknowingly exposing their workstations to non-employees, use unsecured networks, or open phishing emails.
Moreover, the information system can be compromised through poor data retention practices, unencrypted flash drives or backup media, or unsecured networks and other data channels used to transmit critical information. It is also necessary to test employees’ cybersecurity awareness before allowing them to work remotely.
Security teams can launch controlled phishing campaigns that try to convince employees to open dangerous links, enter user credentials, or download potentially dangerous attachments. Where required, employees should be given cybersecurity training to help them recognize a possible cyber attack.
Finally, employees and their home environments must be thoroughly assessed when determining potential risks and the likely impact of cyber attacks on the organization. The magnitude of the likely impact must be evaluated so that organizations can implement and monitor security controls accordingly.
For instance, if the risk involves employees sharing their work devices with family members (non-employees or outsiders), the organization should create a policy that employees must not share their work computers (and especially their work accounts) with non-employees. If the risk is posed by the use of unauthorized or unencrypted flash drives, a security solution should be deployed across the organization to block any unknown and/or unencrypted device connected to a computer.
A mandate for this should apply at all levels of the organization. Apart from this, the risk might also involve employees using unsecured networks that are highly prone to cyberattacks. A corporate VPN with encryption must be deployed across the organization, and all corporate resources should be made available only over the VPN, so that all employees use the encrypted channel (VPN) while working remotely, thereby mitigating the known risks.
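One concrete form of the removable-media control described above, as an added example that is not part of the original article: a PowerShell snippet that enables the standard Windows policy denying write access to removable drives not protected by BitLocker, verifies that the policy value is in place, and reports any mounted removable volume that is still unprotected. It assumes a Windows 10/11 endpoint with the BitLocker module and an elevated session; the function names are the example’s own.

```powershell
# Added example (not from the article). Enforce and verify the
# "block unencrypted removable drives" control on a Windows endpoint.
# Assumes Windows 10/11 with BitLocker and an elevated PowerShell session.

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# The Group Policy "Deny write access to removable drives not protected by
# BitLocker" is stored as the DWORD RDVDenyWriteAccess = 1 under the FVE key.
function Set-RemovableDriveEncryptionPolicy {
    if (-not (Test-Path $fvePolicy)) { New-Item -Path $fvePolicy -Force | Out-Null }
    Set-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
}

# Verification step for the risk assessment: $true only if the policy value
# is present and set to 1.
function Test-RemovableDriveEncryptionPolicy {
    $value = Get-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.RDVDenyWriteAccess -eq 1)
}

# Report currently mounted removable volumes whose BitLocker protection is
# not on; these are the drives the policy will refuse to write to.
function Get-UnprotectedRemovableVolumes {
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
                [pscustomobject]@{ MountPoint = $mount; Label = $_.FileSystemLabel }
            }
        }
}

Set-RemovableDriveEncryptionPolicy
Write-Host "Policy enforced: $(Test-RemovableDriveEncryptionPolicy)"
Get-UnprotectedRemovableVolumes | Format-Table -AutoSize
```

In a managed fleet the same setting is normally pushed through Group Policy or an MDM profile; the script is useful for spot-checking an individual remote endpoint during the assessment.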