What are the risks, what can you do?
Security and remote working can be a headache for digital nomads, and their clients or employers. If you’re a remote worker and have multiple clients, sometimes in different locations around the world, you may need to use different security applications for each of them. You will probably have to comply with multiple policies and regulations and may feel anxious about accessing and inadvertently compromising a client’s network. And, on the other hand, it is understandable if you are wary of giving up some of your own privacy to your employer.
It’s not just remote workers themselves who are at risk. Permanent employees who occasionally do work at home can face (and cause) security issues when remotely interfacing with an organization’s network.
Employers have similar problems with security and remote working. Studies show that most companies think mobile workers increase their security risks. An iPass survey – “2018 Mobile Security Report” (paywall) – found that the majority of CIOs (52 percent in the US) suspected their mobile workers had been hacked in the last 12 months. 67 percent of respondents believed most wifi-related security incidents occurred at cafes and coffee shops, and nearly half of the CIOs surveyed said Bring Your Own Device (BYOD) initiatives had increased security risks.
Risks of mobile work (Source: iPass)
Despite organizations’ reservations about security, more and more employees are embracing the remote working lifestyle. According to a survey conducted by FlexJobs and Global Workplace Analytics – “The 2017 State of Telecommuting in the US Employee Workforce Report” (paywall) – the number of telecommuting workers had increased 115 percent since 2005 to 3.9 million US employees who work from home at least half the time. This is nearly three percent of the total US workforce.
A Gallup survey – “State of the American Workplace” – found that from 2012 to 2016, the number of employees working remotely rose from 39 percent to 43 percent, and employees working remotely spent more time doing so.
Breakdown of time employees spend working remotely (Source: Gallup)
Considering these trends, the problem of security for remote workers will undoubtedly grow apace, unless organizations and remote workers work together to proactively tackle the issue.
In this article, we will explore the risks organizations and employees face when it comes to security and remote working, and how to mitigate these risks. We will look at some security solutions and best practices that both companies and remote workers can employ to protect themselves. We also suggest some tools that can mitigate the potential threat of unknown vulnerabilities.
Security and remote working – statistics and concerns
To start, we’ll examine the current landscape, including the major threats facing remote workers and organizations.
Security risks posed by remote workers to organizations
Surveys focusing on security for remote workers indicate organizations are aware of the risks of using freelancers and contractors but have problems enforcing viable security policies and procedures. Both organizations and remote workers suggest that software complexities complicate security and can even be a barrier to productive remote working.
We’ll explain these below, but some of the major security risks posed by remote workers to organizations are:
- Inability to enforce security
- Lack of commitment to security best practices
- Risky behavior on the part of remote workers
Let’s look at some of the numbers and facts behind these issues.
Inability to enforce security and remote working
According to a 2018 Apricorn survey, 95 percent of UK businesses were still struggling with remote working and security. Some of the key findings were:
- A third of organizations claim to have experienced a data loss or breach as a direct result of mobile working.
- Over half of the companies surveyed said that the biggest concern with mobile workers is the complexity of the technologies and software they used, and the inability to secure them effectively.
- Only around half of the employers enforce data encryption on remote workers’ devices.
- Rules banning the use of removable devices are difficult to enforce.
Lack of commitment to security best practices
A 2018 Imation Corp survey of 1,000 UK and German remote workers found that the vast majority were not concerned about losing confidential business data. Here’s what was discovered:
- One-third admitted they had lost devices in a public place.
- 25 percent admitted breaking security policies to work remotely.
- Less than six out of 10 respondents said their organization had a remote working policy.
- 44 percent of respondents said that data was never encrypted when taken out of the office.
- More than 40 percent suggested they did not have the right tools to work remotely.
- Three in 10 remote workers admitted they did not protect their data with passwords.
Breakdown of how remote workers store files outside the office (Source: IronKey)
Security and remote working – risky behavior
A 2008 Cisco survey, conducted by InsightExpress, a US-based market research firm, found that remote workers (55 percent of respondents) were more negligent about security and less vigilant in practicing secure online behavior due to believing that the internet was becoming more secure. 56 percent of employers were concerned about this. Some risky behaviors remote workers admitted to included:
- Opening emails and attachments from unknown or suspicious sources. 27 percent of US workers reported this activity.
- Using work computers and devices for personal use. This is a growing trend around the world, even while workers admitted it was unacceptable behavior.
- Allowing non-employees to borrow work computers and devices for personal use. 39 percent of remote workers in China acknowledged that they did.
- Hijacking wireless internet connections from neighbors. 12 percent of remote workers admitted to this risky and unethical behavior.
- Accessing work files with personal, non-IT-protected devices. 76 percent of remote workers in China confessed they had done this.
Remote workers’ risky behavior regarding online shopping (Source: Cisco)
Security risks for remote workers
Breakdown of how security-conscious remote workers around the world say they are, despite the security risks they face (Source: Cisco)
Remote workers often do not have the same support or infrastructure that permanent or onsite employees enjoy from an organization. We’ll detail these below, but some of the main security risks for remote workers are:
- Online vulnerabilities
- Utilizing new tools
- Vulnerability of personal data
- Social and business networking
Let’s look at each of these in detail.
Online vulnerabilities
The main risk for workers is the vulnerability of their data when sharing it online. In a conventional office, workers communicate in onsite meetings and brainstorm at the water cooler, while in the freelance world, most contact between employers and workers is online.
Working over public wifi exposes data to opportunistic cyber eavesdroppers who can spy on transferred data and steal private logins and passwords, among other things.
Be wifi-aware – turn off sharing on your Mac and Windows devices (Source: Comparitech)
Utilizing new tools
Remote workers use a variety of software and hardware that is often different to the equipment standardized at the firms they are working for. This means there are no set policies and procedures for securing equipment for either party. It also means that workers must often use tools with which they are unfamiliar, decreasing their productivity.
Vulnerability of personal data
People who work from home usually use the same software and hardware to manage their personal and work lives. Losing a laptop, for instance, could result in the loss of sensitive information for multiple clients as well as for the remote worker.
What’s more, organizations may find it difficult to trust that remote workers are keeping software updated. While the company could implement patches and updates remotely, the remote worker may feel their privacy and independence is being threatened.
Social and business networking
Security for remote workers can easily be compromised on social media. When a freelancer shares their employment status and details about their projects, they are ripe for targeting by hackers who assume their personal computers are more easily breached than those of an organization.
Security and remote working – how to manage risks
Awareness is the first step in managing security for remote workers. However, below are some tips and suggestions for best practices.
Security and remote workers
Steps remote workers can take include the following:
- Ensure work data and personal information are separated, preferably on different machines.
- Never send or open sensitive data over public wifi. Don’t trust unsecured wifi or Bluetooth, and switch them off when not in use.
- Always connect to a Virtual Private Network (VPN) so that internet traffic is encrypted, especially if connected to a public wifi network. Connect to the VPN before connecting to wifi; even the couple of seconds it takes to log into a VPN is a potential window of opportunity for cyber criminals.
- It is tempting for workers at home to use the same passwords and logins, and to select the Remember me checkbox for their online mail, storage, and other cloud applications. A regular “housekeeping” day to change passwords should be routine. Protect passwords and PINs the same way you would when using an ATM.
- Make use of iOS’s Find My Device or similar features on laptops and phones to give yourself a fighting chance of retrieving a lost or stolen device.
- Save data using secure cloud-based services rather than keep everything on a laptop.
- After completing a project, encrypt the client’s data and back it up to a secure location, then ensure it has been properly erased. Never use external devices to store sensitive data unless it is encrypted.
- Ensure all software is up-to-date.
- Utilize security software and tools, such as anti-virus applications, firewalls, web filtering software, and device encryption.
- General security awareness can help to secure your devices when in public. For example, never leave your computer unattended at a coffee shop or while meeting with a client.
Features like Find My Device can help with security. (Source: iOS)
Security for organizations that employ remote workers
From an organizational standpoint, there are plenty of best practices for security and remote working here too:
- Create clear remote working policies and procedures that cover the use of devices like USBs and those used in BYOD initiatives.
- Provide workers with approved tools that are effective from the workers’ point of view, but are also easy to secure.
- Encourage remote workers to work together on security policies, for example, bans on personal web browsing and emailing on work computers.
- Enforce data encryption on all devices, including those owned by the worker. Only allow approved devices to connect to company networks.
- Make use of network monitoring software to identify potential threats and anomalies in network access.
- Use a VPN to secure all the web traffic flowing through your network by encrypting it and routing it via an intermediary server.
- Keep software updated and install security patches automatically.
- Create cybersecurity travel policies for employees. The Federal Communications Commission (FCC) has security guidelines for international travellers.
- Enforce two-factor authentication to control access to the company system.
- Only allow remote workers access to the data they need, and automatically revoke access when they finish the job.
Find a VPN that meets your business requirements (Source: Comparitech)
Security tools for employers and remote workers
We’ve mentioned some of the tools available above, but here we’ll go into more detail.
Security tools for employers of remote workers
For remote workers and those employing them, there is a plethora of free and premium tools available to help boost security.
Mobile device management
For organizations, Mobile Device Management (MDM) and Mobile Application Management (MAM) platforms can help to secure remote workers’ data and enforce the company’s security policies. Tools can remotely force data encryption, run malware scans, wipe data on stolen devices, and more. Cloud-based MDMs offer permission-based security to regulate remote access while letting employees use their own devices in the office or remotely.
Utilize security tools like MDM software (Source: Miradore)
When shopping for MDM software, some of the security features to look out for include:
- Remote data wiping
- Single sign-on
- Remote monitoring
- Software tracking
- Remote encryption
- Password enforcement
- Data encryption enforcement
- Device tracking
- Device inventory
- Locate phone
- Jailbreak detection
For more information, you can read our guide to choosing the best MDM solution for your organization.
Remote worker surveillance tools
Do you know what a remote employee based on the other side of the world is really doing with their time? Monitoring tools can give you insight into an employee’s competence and standard of work. Even if you find they are not watching YouTube half the day, it may be cause for concern that it is taking them so long to complete tasks. Or you may find that they are not spending enough time collaborating with your onsite staff.
We’ve compiled a guide to employee monitoring and surveillance, including the legalities involved.
Security tools for small businesses
If you are a small business that employs remote workers or freelancers who work from home, but cannot afford enterprise-level MDM software, there are plenty of free applications to secure your office network.
- Centrally manage passwords: Facebook founder Mark Zuckerberg was once left red-faced when hackers publicly shared his password on the internet: “dadada.” A password manager is the answer.
- Invest in a VPN: You will need to do a bit of research to find the best VPN for your needs. A VPN does not have to cost an arm and a leg. There are even some decent free VPNs available if you’re really in a pinch.
- Secure your data: Learn how to secure your data. Comparitech’s small business guide to security covers everything from access control to protection from loss.
Use a password manager to secure devices and applications (Source: Comparitech)
Security best practices for your work-from-home computer
It doesn’t have to cost you a huge amount to work from home securely. In fact, you can set your computer and other devices up like Fort Knox for the cost of a few downloads, or the price of a takeout meal. Here are some tips:
- Encrypt your devices: Encryption is absolutely essential for sensitive data.
- Secure your browser: You can get tips from US-CERT on how to surf safely.
- Invest in a VPN: Comparitech has rounded up the best VPNs for 2018.
- Backup: Invest in a backup solution for your clients’ data. Securely storing data is essential, but on occasion, things go wrong. In 2012, the popular and usually reliable Dropbox online storage solution was hacked and over 68 million users’ email addresses and passwords were leaked.
- Use clients’ resources: If you feel unsure about being able to guarantee the safety of a client’s sensitive data, ask them if you can have access to their security resources.
- Two-factor authentication: Use it everywhere, especially if you utilize online applications like Basecamp or Dropbox.
- Security awareness: Be wary of social media and what you share about your clients. For example, posting an update about what you are working on and for whom may not be a smart move. A hacker could find it worthwhile to “friend” you and attempt to phish for information.
- Pre-empt potential exploits: A Web Application Firewall (WAF) or vulnerability-focused Intrusion Prevention System (IPS) may help to identify exploit variants and proactively search for the same network vulnerabilities that attackers are looking for.
- Use effective anti-virus protection: You can download free antivirus software for Mac and Windows.
Always use anti-virus protection (Source: Comparitech)
What does the future hold for remote worker security?
There is good news, depending on how you look at it: a report by the Online Trust Alliance – the “Cyber Incident & Breach Trends Report” – found that 93 percent of security breaches in 2017 could have been prevented.
When it comes to remote workers, one of the major things that needs to be done is to create policies and procedures that explicitly cover security for remote workers and those who bring their own devices to work.
An important factor is that the policies need to be adaptable. A Trustwave whitepaper, “Keep calm and bring your own device”, warns that addressing the mobile security problem with the same processes used for laptops and PCs will not work for BYODs. “For example, if a device is infected or there is a data leak concern, as a security measure, if an organization wipes an entire device along with the employee’s personal photos and other data, the company could potentially be liable for damages — or at minimum, have a disgruntled employee.”
Technology enables employees, whatever their employment status, to work from home in some form. Some might check work emails on their phone after hours, get in a few hours of catch-up work over the weekend, or share a document with a colleague who is away on vacation.
The key to managing security for remote workers is to institute enforceable security measures right now, even if it costs a bit of money up front. After all, cyber criminals are not going to give up any time soon.