The past two years brought new security challenges for organizations of every size as offices closed and teams went remote. Now in 2022, many organizations are adopting a hybrid work model in which employees can work from home or in the office. As organizations make this transition, it is important to keep what has been learned about securing a remote workforce. Protecting corporate assets and information when staff are remote presents its own challenges, and being prepared for them is critical to minimizing security risk.
Device and Software Related Challenges
Using Work-Issued Devices for Personal Use
When working remotely, employees take on a great deal of responsibility, including time management and following (or not following) security policies and best practices. Keeping work and personal activity on separate devices is critical, and the risks multiply when that separation goes unmanaged. For example, employees may access unapproved content on a work-issued device and pick up malware that leads to a compromise of company data. Connecting a work device to public Wi-Fi without a VPN exposes its traffic to anyone else on that network, who can intercept or tamper with unencrypted connections and probe the device for exploitable services. On the flip side, using personal devices for work also puts the organization at risk: confidential data can be copied onto a device the organization does not control, and from there it can be exposed. In a home office, detection controls that exist on the corporate network may not see the malicious download at all. Malware can then spread from the infected work device to other devices on the home Wi-Fi network, and on to corporate systems once the user connects the infected device to company servers or tools. A recent survey by antivirus vendor Malwarebytes asked employees how they used their work devices. The survey found that 53% sent or received personal emails, 52% read news articles, 38% shopped online, 25% accessed social media accounts, and 22% downloaded or installed external software.
No matter where employees call the office, there are always potential risks when an employee uses a personal device instead of their work-provisioned device to access company information. So does working from home or in an office expose an organization to greater risk?
Beyond Identity surveyed over 1,000 employees currently using technology for work to gain insight into how work-issued devices are used in remote, hybrid, and in-office settings. The survey found that employees used their work-issued devices for personal activities less often when working from home. Personal devices are close at hand in a home office, so people are more likely to use them for personal activity and keep work devices for work. In an office, employees often do not bring, or are not allowed to bring, a personal laptop or device, so they end up using the work laptop during a lunch break or normal business hours to send emails, scroll through social media, and check flight prices. The risk is clicking on something malicious and infecting that work-issued device. Whether the office is at home or in a corporate building, the risks of using work-issued devices for personal use (and vice versa) exist in both places and in many of the same ways.
Offboarding Remote Employees
Offboarding employees in a remote work environment presents organizations with two significant challenges: how to get work-provided devices back and how to prevent proprietary information from leaking onto personal devices. In larger organizations, the offboarding process generally includes disabling accounts and revoking access on the last day, wiping devices, a streamlined process for hardware returns, and an exit interview. When the process is followed, it typically runs quickly and painlessly. However, there is limited control over what a remote employee does with the information put in front of them every day. Some of these risks exist in an office as well, but the lack of direct oversight in a home office setting heightens the exposure.
Video Conferencing Tools
Working from home means hosting and attending many virtual meetings in place of in-person ones. Webcam covers, sticky notes, and electrical tape are all good options for shielding a web camera from bad actors, although none of them covers the microphone. With malware growing more capable, there is always a risk that something malicious delivered by email activates audio or video on a laptop without the user noticing.
One of the most significant potential risks to video conferencing is an outsider joining a call without being noticed. Most platforms list every participant, so joining with no trace at all is not realistic, and the overall likelihood of eavesdropping on a given call remains relatively small, but it still merits precautions. The realistic technique is blending in: an attacker can join an insecure meeting under the name of an employee listed on the company website, duplicate a name already on the call, or dial in from an unfamiliar phone number so that it looks as though an attendee joined by desktop and then called in by phone.
Add security controls to work conference calls: enable waiting rooms, set meeting passwords, and lock the virtual room once all members have joined. Also confirm that only the intended people are on the call, and use unique meeting IDs for every meeting instead of personal meeting IDs, which are reused and may already have been shared widely.
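The roster review described above can be made routine rather than left to the host's memory. The following is an added example, not code from the original article or from any conferencing vendor's API: it reconciles a constructed participant list against the calendar invitation and flags the three patterns mentioned (an account that is not on the invitation or is an unauthenticated guest, a display name that duplicates another participant, and a phone dial-in from a number not found in the company directory). The record shape, the sample invitees, and the phone directory are all assumptions of the example.

```python
"""Reconcile a video-call participant list against the invitation.

Added example, not from the original article or any vendor's API. The
participant records are constructed to resemble what a meeting host sees:
display name, the authenticated account e-mail (None when the person joined
as a guest or dialled in), how they joined, and the caller ID for dial-ins.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Participant:
    display_name: str
    account_email: Optional[str]      # None = unauthenticated guest or phone dial-in
    join_method: str                  # "desktop", "mobile" or "phone"
    phone_number: Optional[str] = None


# Constructed sample data (assumptions of this example).
SAMPLE_INVITEES = {"alice@example.com", "bob@example.com", "carol@example.com"}
SAMPLE_PHONES = {"+15555550100"}      # numbers the directory maps to invitees
SAMPLE_PARTICIPANTS = [
    Participant("Alice Example", "alice@example.com", "desktop"),
    Participant("Bob Example", "bob@example.com", "desktop"),
    Participant("Bob Example", None, "desktop"),                 # guest using Bob's name
    Participant("Carol Example", None, "phone", "+15555550199"),  # unknown caller ID
]


def review_roster(invitees: Set[str], participants: List[Participant],
                  directory_phones: Set[str]) -> List[Tuple[Participant, str]]:
    """Return (participant, reason) pairs the host should verify before proceeding."""
    findings = []
    invited = {e.lower() for e in invitees}
    # Duplicate display names are suspicious on their own, whichever copy is genuine.
    name_counts = Counter(p.display_name.strip().lower() for p in participants)

    for p in participants:
        if p.join_method == "phone":
            # A dial-in carries no account identity; the caller ID is the only
            # thing that can be checked against the directory.
            if p.phone_number not in directory_phones:
                findings.append((p, "phone dial-in from a number not in the directory"))
        elif p.account_email is None:
            findings.append((p, "joined as an unauthenticated guest"))
        elif p.account_email.lower() not in invited:
            findings.append((p, "authenticated account is not on the invitation"))
        if name_counts[p.display_name.strip().lower()] > 1:
            findings.append((p, "display name duplicates another participant"))
    return findings


if __name__ == "__main__":
    for participant, reason in review_roster(SAMPLE_INVITEES, SAMPLE_PARTICIPANTS, SAMPLE_PHONES):
        print(f"{participant.display_name:<14} {participant.join_method:<8} {reason}")
```

On the constructed roster both "Bob Example" entries are flagged for the duplicate name, the guest copy is additionally flagged as unauthenticated, and the dial-in is flagged because its caller ID is not in the directory. The genuine Bob is flagged too; that is deliberate, since the host cannot tell from the roster alone which copy is real and should ask both to identify themselves.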
The security of file sharing applications varies greatly from one product to another, but there are secure cloud-based solutions that many organizations use. When configured with the proper controls, the risk of exposure is small, but mistakes and oversights do happen. For example, even if an organization runs a secure data exchange application managed by a central IT person, if any user can set folder- or file-level permissions, a single "anyone with the link" share can expose that file to anyone who obtains the link, regardless of whether they belong to the organization.
For remote staff, file sharing may be more common when tackling day-to-day tasks in collaboration with fellow employees from separate locations, which inherently presents more risk. For example, if employees do not check to ensure they share information with the right people, confidential information may leak outside their control. Another risk is having work files sent to personal emails as a work-around to use tools not permitted on work-issued devices.
Any time files are shared, there is potential for exposure. One way to reduce the risk is to encrypt the file and send it as an attachment, with the passphrase delivered over a separate channel, rather than sharing an open link. It is also best practice to establish oversight into how and with whom files are shared. Some concern for exposure remains even in the most secure applications, but maintaining controls and auditing shares periodically will help mitigate that risk.
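The periodic audit recommended above can be reduced to a small script that walks every sharing grant and reports the files reachable from outside the organization. The following is an added example, not code from the original article or from any cloud drive's API. The record shape is an assumption modelled loosely on how cloud drives describe sharing (a grant applies to a single user, to an entire domain, or to anyone holding the link); the organization domain and the sample grants are constructed.

```python
"""Audit file-sharing grants for exposure outside the organization.

Added example, not from the original article. Each grant is a dict with the
file name, the grant type ("user", "domain" or "anyone"), the principal it
applies to, and the role. This shape and the sample data are assumptions.
"""
from typing import Dict, List

ORG_DOMAIN = "example.com"    # assumption: the organization's own mail domain

SAMPLE_GRANTS = [             # constructed sample data
    {"file": "Q3 board deck.pptx", "grant": "user", "principal": "cfo@example.com", "role": "reader"},
    {"file": "Q3 board deck.pptx", "grant": "anyone", "principal": None, "role": "reader"},
    {"file": "Client list.xlsx", "grant": "user", "principal": "partner@otherfirm.test", "role": "writer"},
    {"file": "Team lunch menu.pdf", "grant": "domain", "principal": "example.com", "role": "reader"},
    {"file": "Vendor contract.pdf", "grant": "domain", "principal": "contractor.test", "role": "reader"},
    {"file": "Onboarding guide.docx", "grant": "user", "principal": "newhire@example.com", "role": "reader"},
]

SEVERITY = {"internal": 0, "external": 1, "public": 2}


def classify_grant(grant: Dict, org_domain: str = ORG_DOMAIN) -> str:
    """Label one grant: "public" (anyone with the link), "external" (a named
    outside account or a foreign domain) or "internal" (confined to the org)."""
    kind = grant["grant"]
    principal = (grant["principal"] or "").lower()
    if kind == "anyone":
        return "public"
    if kind == "domain":
        return "internal" if principal == org_domain else "external"
    if kind == "user":
        # Match on "@domain" so that "someone@notexample.com" is not mistaken
        # for an internal account; subdomains are treated as external here.
        return "internal" if principal.endswith("@" + org_domain) else "external"
    raise ValueError(f"unknown grant type: {kind!r}")


def exposed_files(grants: List[Dict], org_domain: str = ORG_DOMAIN) -> Dict[str, Dict]:
    """Map every file shared outside the org to its worst exposure and the
    grants that cause it. Files that are only shared internally are omitted."""
    report: Dict[str, Dict] = {}
    for g in grants:
        label = classify_grant(g, org_domain)
        if label == "internal":
            continue
        entry = report.setdefault(g["file"], {"exposure": label, "grants": []})
        if SEVERITY[label] > SEVERITY[entry["exposure"]]:
            entry["exposure"] = label
        entry["grants"].append(g)
    return report


if __name__ == "__main__":
    for name, entry in sorted(exposed_files(SAMPLE_GRANTS).items()):
        who = ", ".join(g["principal"] or "anyone with the link" for g in entry["grants"])
        print(f"{entry['exposure']:<8} {name}: {who}")
```

Run against the constructed grants, the board deck is reported as public because of the "anyone" link even though it also has a legitimate internal reader, and the client list and vendor contract are external. The domain-wide share of the lunch menu is internal and does not appear, which is the point of a periodic report: it should list only what needs a human decision.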
Shadow IT: When The Quickest Answer Isn’t Necessarily The Right Answer
One in four employees working outside of the office has asked family and friends for help resolving device-related issues instead of asking their IT support team. Why? There are several reasons, but people generally turn to shadow IT when a work-mandated process breaks their personal workflow. Most people engaging in shadow IT are not acting maliciously; they are looking for a quick way to keep working efficiently. They do not always weigh their decisions from a security standpoint, however, and the most significant consequence is the organization's loss of control and visibility. Unapproved tools may be convenient and genuinely helpful, but the organization no longer knows where its data is or how it is handled. In addition, unapproved software may not interoperate properly with company-supported software, or may carry vulnerabilities that introduce additional risk to the organization.
An example of shadow IT in action is an organization implementing a mandatory screensaver timeout which requires employees to lock their computers after 15 minutes of inactivity. If employees regularly take 20-minute coffee breaks, they may become frustrated at returning to a locked device and seek ways around this mandate. Out of frustration, employees begin installing a mouse jiggler which ensures the screen never goes idle so that the lock screen is never enabled. This is shadow IT. Shadow IT is often caused by a pain point where people don’t have control over certain aspects of their system but still want to be able to use it in a way that works for them.
Many organizations, especially more mature and structured ones, have helpdesk software that lets support staff remote into an employee's device to see what is going on and resolve technical issues quickly. Many also use screen sharing, where employees can hand control to the IT support team in a meeting-style session. To reduce the temptation to seek outside help, it is essential to understand why it happens in the first place. At the heart of the issue is expediency: employees want to get back to work as quickly as possible. If an employee believes that contacting IT support means jumping through too many hoops before the issue is even acknowledged, let alone resolved, they will probably turn to someone or something more accessible. The risk appears when the goal shifts from finding the correct answer to finding the quickest one.
To help mitigate shadow IT, make sure IT processes are clearly communicated across the organization. Have IT apply controls to work-issued devices, such as removing local administrator rights and restricting software installation, so that unapproved software is much harder to install. Employees should also have an easy-to-understand process for whom to contact and how to request tools when something is not working for them. Lastly, set realistic expectations and timelines for the IT team while assuring employees that they will receive timely technical assistance so they can get back to work efficiently.
Distractions and Disruptions
Regardless of the work environment, distractions are bound to occur. Not surprisingly, we are more likely to make mistakes when distracted, including being less alert to incoming social engineering attempts. Perimeter control can be hard to establish and maintain in a home office. Anyone could wander through, and whether they are begging for a walk outside or asking for help finding their ballet shoes, it will likely pull attention away from work. A physical office has the same kind of distractions and security risks, just in different forms. Foot traffic in and around an office location, for example, is likely far greater than in a home. A home office limits the exposure of company information and computer access simply by being accessible to far fewer people, which reduces the chance of someone seeing confidential information on a desk or on an unlocked screen. Ultimately, what matters more than where the office is, is how the dedicated workspace is set up to minimize distractions, support productivity, and maintain security.
Expanded Work Environments
With a work-issued laptop, many employees can do their jobs from anywhere. But what are the security implications of that freedom? From shoulder-surfers in public places to untrusted network connections, the risk of working from anywhere is that employees may not maintain the kind of controlled environment they would have in a home office or corporate office. It is therefore essential to pay extra attention to both physical and device security.
Be Aware of Network Connections
- Is the network trustworthy?
- Does the network require a password, and is that password posted publicly?
- Does the network require individual authentication (e.g., a hotel room number and last name)?
- Always connect to a work-provided or reputable VPN (do not trust disreputable or free VPNs).
- Limit access to sensitive data, websites, and documents when connected to any public Wi-Fi.
Be Aware of Physical Perimeters
- Check who is around that may be able to see your screen or written notes.
- Sit against a wall so no one can view your screen from behind you.
- Don’t take confidential business calls in public settings.
- Add a security filter to your laptop screen to limit screen visibility by others.
The physical security of a work device containing sensitive information is bounded by the security characteristics of the space the employee is working in. In an office building, employees are typically issued RFID badges or must check in at the front desk to enter the facility. There are always layers of physical and administrative controls that add protection to the hardware. In a home office those building-level controls are gone; most people do not have badge access at home. Biometric screen locks, full-disk encryption, VPNs, and strong passwords are excellent practices, but there will always be some inherent risk in keeping work devices in a home environment that is less controlled than an office.
Employees may also need to work outside their homes in a public place such as a coffee shop, hotel lobby, or airport gate. Even when using a VPN that connects back to the office, joining public Wi-Fi increases exposure because the network is outside the organization's control, so limit this whenever possible. If employees must use public Wi-Fi, they should always use a work-provided VPN and avoid accessing or downloading high-value information such as bank accounts or client data. The risk is that other users of the same Wi-Fi network can discover the work device and, on an open network (or one whose shared password they also know), capture its traffic. They can also set up a rogue access point that advertises the same network name, so that the device connects to the attacker's hardware and its traffic is redirected without the user's knowledge. Defend against these threats by making sure "connect automatically" is disabled for public Wi-Fi networks, and always use the employer-provided VPN so that traffic stays encrypted even if the network is hostile.
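Two of the warning signs for the rogue access points described above can be checked from nothing more than a list of scan results. The following is an added example, not code from the original article; it does not drive the Wi-Fi hardware but takes already-collected scan entries (SSID, BSSID, security type) together with the device's saved network profiles, and applies two heuristics that are assumptions of this example rather than a complete detector: the same SSID advertised both encrypted and open, and a network the device has saved as WPA2/WPA3 now appearing as an open network. The scan entries and saved profiles are constructed.

```python
"""Flag Wi-Fi scan results that look like a rogue or "evil twin" access point.

Added example, not from the original article. It works on scan entries that
have already been collected (for instance from the OS's Wi-Fi scan output)
and on the device's saved profiles; both are constructed here. The two
heuristics below are assumptions of the example, not an exhaustive detector.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SAVED_PROFILES = {            # constructed: SSID -> security the device expects
    "CorpGuest": "WPA2",
    "HomeNet": "WPA3",
    "CafeFree": "OPEN",       # a genuinely open network the user has joined before
}

SAMPLE_SCAN: List[Tuple[str, str, str]] = [   # constructed: (ssid, bssid, security)
    ("CorpGuest", "aa:bb:cc:00:00:01", "WPA2"),
    ("CorpGuest", "aa:bb:cc:00:00:02", "WPA2"),
    ("CorpGuest", "de:ad:be:ef:00:01", "OPEN"),   # open twin of a WPA2 network
    ("CafeFree", "11:22:33:44:55:66", "OPEN"),
    ("HotelWiFi", "66:55:44:33:22:11", "OPEN"),
    ("HotelWiFi", "66:55:44:33:22:12", "WPA2"),   # mixed security under one name
]


def find_suspicious_ssids(scan: List[Tuple[str, str, str]],
                          saved_profiles: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {ssid: [reasons]} for every SSID that trips a heuristic."""
    by_ssid: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid, security.upper()))

    findings: Dict[str, List[str]] = defaultdict(list)
    for ssid, aps in by_ssid.items():
        securities = {sec for _, sec in aps}
        # Heuristic 1: one network name, some APs encrypted and some open.
        if "OPEN" in securities and len(securities) > 1:
            findings[ssid].append("advertised both open and encrypted; possible evil twin")
        # Heuristic 2: a network saved with encryption now shows up open, which is
        # what a captive twin of a known network typically looks like.
        expected = saved_profiles.get(ssid)
        if expected and expected != "OPEN" and "OPEN" in securities:
            findings[ssid].append(f"saved as {expected} but an open network with this name is present")
    return dict(findings)


def safe_to_autoconnect(ssid: str, scan: List[Tuple[str, str, str]],
                        saved_profiles: Dict[str, str]) -> bool:
    """Only auto-join a saved network when nothing suspicious shares its name."""
    return ssid in saved_profiles and ssid not in find_suspicious_ssids(scan, saved_profiles)


if __name__ == "__main__":
    for ssid, reasons in sorted(find_suspicious_ssids(SAMPLE_SCAN, SAVED_PROFILES).items()):
        for reason in reasons:
            print(f"{ssid}: {reason}")
```

On the constructed scan, CorpGuest trips both heuristics and HotelWiFi trips the first, while CafeFree, which the user knowingly saved as open, is left alone. These checks do not catch a twin that copies both the SSID and a shared WPA2 password, which is exactly why the article's advice to always run the work VPN over public Wi-Fi matters regardless of what the scan shows.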
Ensure employees are aware of the procedure they should be following when working at home to keep information secure through regular communication and annual training. These include physical device security (how to store devices), cyber security (when to use VPNs, how to ensure antivirus protections are in place), and information security (how to keep client/company information secure). In addition, ensure good IT management of devices being shipped out to employees’ homes to help maintain control of corporate data.
Schedule a Free Consultation
RedTeam Security is ready to help strengthen your organization’s network security through Network Penetration Testing. Get a clear understanding of risk level, identify network security flaws, and use our comprehensive reporting to remediate security vulnerabilities. Schedule a consultation today to speak with a security expert at RedTeam Security.