Managing employee security risks during lockdown

A man working on a laptop
(Image credit: Shutterstock)

It almost goes without saying that security must be an essential part of any IT strategy. Every business needs to keep it firmly in mind, as well as keep up with the latest threats and the technologies emerging to combat them. The price for failing to do so can be extremely high - you could suffer the loss of sensitive data, damage to your reputation and legal penalties for failing to perform due diligence.


The essential cyber security toolkit for SMBs

Practical tips for cyber security training


Nevertheless, it’s easy to think of security threats as a purely external force in the form of malicious actors prowling your defences looking for opportunities to hack into your network. But the reality, the security risks are just as likely to lurk internally, as your own employees are as capable of compromising your defences as any cyber criminal.

There are many ways in which employees can inadvertently leave your network vulnerable, and these have only been exacerbated by the effects of the ongoing COVID-19 pandemic on our working practices. The various lockdowns have created a new remote-working model (one that is likely to long outlive the pandemic) that has heightened risk areas that were previously only minor concerns, as well as introducing entirely new ones that businesses need to be aware of.

In through the out door

The use of cloud-based collaboration and communication services like Microsoft Teams and Slack has exploded since the first lockdown as businesses scrambled to keep their remote staff connected through virtual platforms. But although these services can bring huge benefits to businesses, there are also risks attached to their use.

One of the biggest advantages of these services is that they provide a centralised, easily accessible record of all of your organisation’s communications and information and, while this improves efficiency, it’s also a double-edged sword. Any attacker that gains access to this system potentially has access to an alarming amount of sensitive information, as well as a whole host of options for further network traversal and privilege escalation tactics.

Access credentials for shared services are often posted by staff in open channels, as are links to potentially sensitive files and folders, not to mention confidential information about internal operations or upcoming deals. This can all be used by an attacker to access more valuable areas of the network, whether their goal is to deploy ransomware, exfiltrate confidential documents, or spy on your staff. These systems are generally complemented by cloud storage platforms, which provide a further treasure trove of data for intruders to exploit.

There are a number of ways to combat this; the most obvious one is to enforce policies against sharing credentials or sensitive documents on public channels, but this is hard to police. As any security team knows, convenience usually wins out over proper procedure. Therefore, it’s wise to supplement this with strong password controls and multi-factor authentication for all user accounts, ensuring attackers can’t simply brute-force their way in. A nice side benefit of this is that it also helps mitigate the risk of password reuse, which can be endemic in larger organisations that don’t keep a close eye on their password hygiene.

Cloud storage platforms also incorporate a number of access control mechanisms, such as role-based permissions; these allow you to define which specific people can access certain files and folders, and what level of control they’re allowed to have over them. Some platforms will go even further than that, with features like the ability to grant time-limited access to files.

“Risk assessments would reveal the level of access to a firm’s digital and physical assets each person has,” notes Red Sift’s head of cyber governance Rois Ni Thuama. “No one person should have the keys to the kingdom and making sure that access is restricted on a need-to-have basis goes a long way to mitigate the potential fallout. This works just as well irrespective of whether the threat arose from a deliberate act or a mistake . You do not want to give the bad actor free rein to move laterally across an entire organization.”

Left to their own devices

Implementing strong access controls, password hygiene and multi-factor authentication are all good practice in any circumstance, but they’re especially important when all of your staff are relying on cloud-based apps and logging in from locations and devices which may not be as secure and well-protected as when they’re in the office. For a variety of reasons, many workers are now using personal devices to access corporate platforms, and these devices in themselves could be posing a serious risk.

If an employee is using a personal device for work and hasn’t alerted IT teams to this fact, they likely won’t have any monitoring or protection running on the device. This means it can’t be tracked for threat analysis purposes, and it may also be introducing security holes via unpatched software or even malware that the user has unwittingly picked up. Furthermore, if they’re working from a cafe or coffee shop, they might be using unsecured Wi-Fi, which puts them, and any information they’re working with, at risk from snoopers.

“Of course, the most important way to mitigate risk is user education and awareness,” says Ian Thornton-Trump, CISO of threat intelligence firm Cyjax, “but a strong contender for second is extend your perimeter defences and licenses for your organisation’s fancy antivirus or EDR solution to those users at home – especially if they’re not working on corporate assets.”

Traditional perimeter defence is going to be less helpful in this scenario and, if you’re dealing with a significant number of employees that use personal devices for remote work, you should consider deploying endpoint security tools to give your IT team a centralised way to monitor, patch and protect your employees’ devices in a relatively unobtrusive fashion. Knowing exactly what devices are on your network – and what condition they’re in – is a vital part of protecting it, and shouldn’t be neglected just because staff are working from home.

“Anyone who’s thinking there’s a security perimeter is tragically out of date with our current times,” says Thornton-Trump. “Most businesses have no defined perimeter anymore as highly sensitive data is found all over the place – in S3 buckets, in hosted email solutions and in the hands of ERP, CRM and financial system SaaS vendors.”

Workers aren’t the only ones who are having to adapt to new ways of working, however; cyber criminals are also switching up their tactics to capitalise on the new situation. Many hackers are attempting to exploit the trends we’ve already discussed through tactics like password compromise, spear phishing, and others, and IT teams should be on the lookout for changes in attack patterns as adversaries adapt. Phishing attacks, in particular, will remain an easy attack method throughout the lockdowns (and beyond), and staff should be trained (or retrained) on warning signs which may indicate a bogus email.


How to improve cyber security for remote working

13 recommendations for security from any location


COVID-19 has necessitated a huge change in the way we work, and now that the genie of remote working is out of the bottle, it’s extremely unlikely that businesses will go back entirely to how they operated before. This change doesn’t have to make your business less secure, however. Many of the potential risks that can be introduced when organisations move to a remote model can be mitigated through careful use of security best practices, including inventory management, password monitoring and multi-factor authentication.

The process of moving into the ‘new normal’ – whatever that looks like – will involve an adjustment period for all of us. However, if IT teams remain alert to the changes and continue to implement industry-standard recommendations, we can emerge into the new world with our security intact.

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.