How to manage cybersecurity when working remotely

The rise of remote work and work from home has brought numerous advantages for employees and employers. There's been an increase in productivity, with employees skipping morning and evening commutes. Employees have found ways to get closer to the work-life balance that fits their lifestyle and outside work responsibilities and interests.

But the move to remote work has also introduced new risks—specifically with cybersecurity breaches. According to the 2022 Verizon Data Breach Investigation Report, there has been a 13% increase in ransomware breaches. That's more than the previous five years combined. Even more concerning, 82% of cybersecurity breaches involved employee-related issues like phishing, social attacks, and human error or misuse. 

We sat down with John Svazic, Founder and Principal Consultant at EliteSec, to learn more about how businesses—and their employees—can protect their customers and data when working remotely. 

Can you tell us a little bit about EliteSec?

EliteSec is a boutique information security company that offers a variety of cybersecurity consultancy options, from penetration testing to helping design and implement security programs. We also provide virtual CISO services. If you don't have an entire security team but would like to have some level of security expertise within the company.

Regarding cybersecurity for remote workers, what is the most important thing they should know or do?

One of the first things I would say is to make sure you use the machine your company gave you. A lot of times, what we see is that people and organizations are using tools in the cloud. Salesforce is in the cloud. Slack is in the cloud. You can just log in as long as you know your username and password. Many people don't like using their company machines, so they use their personal devices since they're more accustomed to them.

What's the issue with employees using personal devices for work?

Some people will say they already have antivirus on their machine. But maybe it is not up to date, or it may not be at the same level as what your employer has given you. That's not to mention whether it is a shared machine. Do your kids use it? Does your spouse use it? Do you have other family members or other people who may use that computer? If you're starting to download confidential information to that machine, all of a sudden, the employer loses control of that—and that can lead to a whole bunch of problems. 

What are some potential issues employers and employees should consider when it comes to company data?

Depending on what type of data it is, privacy regulations may be broken because it's being transferred to the machine outside its control. Or think about the European Union and the General Data Protection Regulation (GDPR). Hopefully, you don't have any financial data because that would also be a big red flag. Employee data is another big red flag, plus things like source code.  A lot of people think they know what they're doing and don't believe they are at risk, But unfortunately those folks are the ones that are often targeted by attackers.

What can employers do to manage this?

From a company perspective, see if you can restrict your employees from using their company-issued machines. VPNs can help, but they aren't a perfect solution, but can help if they require a certificate to be installed. But if you use a lot of SaaS applications, a zero trust solution may be a better deterrent.

One of the most reported attacks is phishing, where someone poses as an employee over email or the phone to get information. Do you recommend that companies implement training programs that test employees to prevent these attacks?

My short answer is yes, I think it's worth doing if it's done properly.  The point of these exercises isn't to shame employees, but to raise awareness.  Also it helps to understand which employees may be a greater risk if they are constantly clicking on the links in these test emails.  Being proactive with additional security features, such as multi-factor authentication, will help mitigate some of the risk. 

What can companies do to reduce the impact of phishing attacks?

It's not necessarily just about ensuring people don't click on links in emails. The reality is someone's going to click it. The better question is—what do you do when they click that link? Make sure you have multi-factor authentication turned on for everything, from email to other cloud-based systems. Consider DNS and/or URL filtering to prevent going to phishing sites.  Employees with sensitive/critical access to data, such as people on your finance team, could increase their own security posture by using physical security keys like a Yubikey or Google Titan security key. 

Are smartphones with company email more prone to attacks? 

Many people are concerned with mobile devices. The reality is mobile phones are very secure compared to an average home PC. When it comes to a mobile device, make sure there's some passcode on it, whether that's a number, a fingerprint, or some other biometric. To help keep mobile devices secure, don't download apps from outside of the official app stores. Read the reviews for the apps you're downloading; don't just trust the star rating.  Also don't jailbreak/root your devices, otherwise you'll be stripping a key part of the phone's built-in security.

You can learn more about EliteSec's offerings at elitesec.io.

Photo by Kristin Wilson on Unsplash