The year 2021 has arrived, and organizations of all types and sizes are continuing their efforts to adapt their workforce to the new work reality imposed by the Covid-19 pandemic. People, who were previously working using corporate devices and infrastructure within its security perimeters, have been forced to quickly change their approach, now working from their homes and accessing the same resources as before lockdowns. And according to Cisco research published in the Future of Secure Remote Work report, even with the introduction of a vaccine against the coronavirus, IT decision-makers believe that a significant part of this workforce will continue to operate remotely, thereby accelerating the move to Cloud-based models and their projects linked to digital transformation.
Many companies, however, did not have the adequate infrastructure to support a huge number of people working from their homes, let alone to ensure that sensitive data was not exposed. The change introduced by the pandemic has created a strong demand for digital solutions, bringing an important mission for the Information Security teams: not only to protect the company, its employees, and customers but also to guarantee business continuity. A Promon survey of 2,000 remote workers provides some worrying data: almost two-thirds of them had not received any cybersecurity training in the past 12 months. Besides, 77% of them are not concerned with data security while working from their homes. It is worth remembering that data protection laws provide for heavy sanctions in case of data leaks. If the personal data of Brazilians are leaked, for example, a company is subject to fines that can reach 2% of revenues or 50 million reais.
In this context, the Covid-19 pandemic also brought new attack vectors to this entire remote workforce. With so many people using insecure devices and networks to perform their daily activities, malicious attackers saw an opportunity to exploit security gaps introduced by this form of work. Also according to the Cisco report, 61% of decision-makers have reported an increase of 25% or more in cyber threats since the pandemic began in March 2020. And for those who think cybersecurity is something that concerns only global organizations, this increase in threats is also reported by small (55%) and medium-sized (70%) companies. But what aspects should Information Security leaders consider in order to guarantee the security of data transmitted via unprotected devices and networks?
Virtual Private Network, or VPN – as a basic tool in the kit of those who want to guarantee data security, VPNs are old known to IT teams. In addition to the function of avoiding geographical restrictions, the use of these tools also improves privacy on the internet. Also, a VPN allows you to encrypt all internet traffic through devices;
Wi-Fi, or Wireless Connections – most Wi-Fi networks are secure in some way. However, when outside their workspaces, employees should be aware that using public wireless networks is one of the preferred targets for malicious agents to spy on internet traffic and collect sensitive data
Home Routers – many people do not change the passwords for their home routers when they are installed, which increases the risk of falling victim to a cyberattack. To prevent any malicious attacker from having access to the home network and thus gaining improper access to critical data, the first step includes changing the router’s password. Also, it is interesting to encourage employees and third parties to check and install device firmware updates.
Passwords – In these times, it is more important than ever that your passwords are properly protected. Unfortunately, many people use the same password for multiple-service access credentials, both personal and corporate. This means that if a malicious attacker has access to a compromised password, it will be much easier to gain access to other services, including corporate accounts. Therefore, it is recommended to use a PAM solution to manage these privileged credentials.
Multi-Factor Authentication – often, strong passwords are not enough to protect systems from unauthorized access. If a criminal has access to a credential compromised in a data leak, it is not difficult to compromise other user accounts. Thus, by using multi-factor authentication, such as confirmation via an OTP (One-Time Password) generated by an application or SMS, it is possible to add an extra layer of protection to user accounts;
Backups – all user files must be configured to be backed up, preferably in a cloud-based environment. If there is a cyberattack through malware, such as ransomware, and the data is not properly saved, it is not possible to recover it without paying a ransom, which can directly affect the victim’s activities and even the business continuity;
Phishing – in addition to investing in cybersecurity solutions, it is also necessary to train employees appropriately to learn how to deal with phishing attempts or other social engineering-based attacks by malicious attackers to gain improper access to systems. One way to address this problem is to alert employees how to detect suspicious emails from unknown senders, especially if it involves any user action, such as clicking a link or opening an attachment. Even messages received from trusted senders must be considered and verified before they are opened.
As remote work becomes more and more common, companies of all sizes need to implement infrastructure in addition to the appropriate policies to minimize their exposure to cybersecurity risks. The list we presented here is a good start to give an idea of what should be considered in order to create an adequate policy to ensure the protection of the remote workforce. In this way, it is possible to reduce the risks of cyberattacks and avoid heavy penalties from data protection laws, which can affect the trust of employees, partners, suppliers, and even business continuity.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Senhasegura strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.