By Mark McCreary
With over eight months of businesses and employees struggling with the challenges of working remotely, and us all coming to the reality that remote working is here to stay on some level, it is a good time to assess what we have learned. It is also important to have an understanding of the risks that we are facing in remote working environments.
Never has there been a time when cyber criminals were more active, sophisticated, or successful. Many companies do not have the security infrastructure to protect their workforce while working remotely, and it is more likely than not that users themselves are more at risk when working remotely versus working in the office.
I have worked with dozens of clients with data security issues since the beginning of the pandemic, and there have been some common themes observed that should be instructional to any business or employee. These are those observations.
- Working from devices. There is little doubt that working from smartphones causes us to be much more likely to become victims of scams or otherwise make mistakes that we simply would not make on a personal computer. Identifying the actual email address is much more difficult on a mobile device than a computer screen. We should be much more careful when on personal devices, making sure to scroll to the top of the email and closely read the email address.
- Scams. As noted above, the increase in network attacks, ransomware, scams, and spear phishing is unprecedented. With employees having transitioned to at-home working, some working both remotely and in the office, we all have become extremely vulnerable. By far, the biggest increase we have seen is in phishing scams leading to business email compromises and ransomware incidents.
- Distractions. The distractions in our work-at-home space bring their own challenges. In addition to working from cellular phones and Zoom video calls, we are also dealing with young children, surly teenagers, and college students unwillingly forced to return from college. Spouses are sharing workspaces, dogs are barking at Amazon deliveries, and cleaning out kitchen cupboards suddenly seems like a great way to spend workday hours. These distractions lead to us falling for scams that would have been easily identified as scams just a few months ago.
- Training stops. Most businesses ceased training efforts when the workforce transitioned to remote working. Despite us knowing the importance of having constant reminders to employees of the dangers they face, training has been lost in the shuffle for some businesses, while others have determined training to be too difficult to be done remotely or too low of a priority.
- Using work devices for personal purposes. Those businesses that issued laptops and PCs to employees for remote working have seen employees using those devices for personal use. Unfortunately, that personal usage increases the opportunities for compromise and danger to the business network. That is a risk that generally did not previously exist.
- Patching ceases. Many businesses have become very good at keeping systems patched against known vulnerabilities, but many businesses suspended this practice for technological or practical reasons when remote working started. Not patching systems makes a device, network, and employee very vulnerable and more susceptible to attack and compromise. Even personal devices in a BYOD program must be patched regularly.
- Departing staff. Attrition does not stop during a pandemic. Plans to ensure that sensitive data of the company is retrieved before the employee departs may be in place, but they may be out of step because employees have been working at home for the past eight months. It is possible that a departing employee has a significant amount of company data of which you are unaware and which you cannot retrieve.
- Data incidents not reported. It is generally easier to discover a data incident that occurs when an employee is working from the office, and much more difficult if the same employee is working remotely. While working remotely we have consistently seen employees fail to report suspected or known data incidents. We have also seen that the IT systems in place are not designed to detect incidents from a remote working environment. Employees may feel it is easier to hide a data loss, or that it will be less likely that a data incident would be discovered, in either case leading to bad decisions by employees.
- Bad connections lead to working offline. If the employee does not have an adequate Internet connection (especially with everyone home), or the resources provided by the business are not reliable or easy to use, eventually that employee is going to start working in ways that are not as secure as the company-provided solution. The employee may start sending work emails to her personal email account, or downloading to a local or external drive, even a personal file share service like Dropbox. This unauthorized manner of working creates duplicate copies of company data, none of which are traceable or under the company’s control. It is likely that data will not be deleted for years if ever. All of that data is subject to loss and further disclosure if there is a compromise of the personal email account or file share account, or a compromise, sale, or theft of the personal computer.
- Limited IT staff. As companies are furloughing, terminating, and reducing the hours of information technology staff, it becomes more difficult for the remaining staff to keep systems safe, provide assistance to users, and plan for future security upgrades. Inherently, staff cannot focus the same attention on assisting users, maintaining upgrades, and securing environments as they could with a full staff.
Mark G. McCreary, CIPP/US, is a partner at Fox Rothschild LLP and co-chair of the firm’s Privacy & Data Security Practice. He can be reached at firstname.lastname@example.org.