Since the COVID-19 outbreak there have been countless headlines and viral social media posts exposing some of the worst remote security faux pas, ranging from the financially devastating to the easily avoidable to the outright strange. More than a year later, some people are still struggling to master their mute button — let alone take precautions to protect their digital identities or safeguard work-related information — and attackers have ways of getting even the most security-conscious employees to slip up.
At the height of the pandemic 42% of the American labor force worked from home, according to a study conducted by Stanford Research, and one in four will continue to do so through 2021, according to a December 2020 Upwork study. While many will return to the office once it is safe to do so, the UpWork study found that nearly 23% of workers are expected to be remote in five years — or nearly double the pre-pandemic percentage.
The days of everyone working onsite from company-issued PCs seem like ancient history. This January, Fortune reported that sales of laptop and desktop computers exceeded 302 million units in 2020 — the highest they’ve been in six years. Many of those devices are now connected to company networks. They’re also being used by remote learners, virtual gamers, and online shoppers; and attackers are taking advantage.
In fact, a recent study commissioned by Microsoft Ireland found that 26% of remote workers had personally experienced a cyber attack. The study also found that 36% of employers were forced to pivot to a remote work setting quickly as a result of the pandemic, and are still working to implement the security, privacy and workplace procedures that are necessary to secure this new environment.
“We don’t have the same corporate hygiene at home, and we’re actually expanding the footprint of our corporate network from an attack perspective, because there aren’t as many security controls around it,” explains Bryan Murphy, director of consulting services at CyberArk and leader of our remediation services team.
Training and educating employees about cybersecurity risks is one of security leaders’ top operational challenges today, and as record numbers of people continue to work outside office walls, the need for vigilance and attention to security has never been greater. Here are a few of the most important remote work faux pas to avoid:
1. Using Weak Passwords
Cybersecurity and IT professionals have long stressed the importance of using unique, secure, complex and random passwords, especially when it comes to sensitive materials. Unfortunately, studies suggest that those warnings aren’t always taken seriously. Users tend to use simple, easy-to-remember passwords at the expense of their own security. In fact, according to a CyberArk study, 82% of remote workers admit to reusing passwords.
“If you use the internet, consider using a personal password manager so that every site has a unique password – that’s first and foremost,” says Murphy, who himself has more than 600 unique and complicated passwords stored in his password manager.
Murphy explains that it’s also important to use biometric and two-factor authentication on all websites and applications for an added layer of protection.
2. Taking Risky Security Policy Workarounds
Cybersecurity practices can sometimes feel overburdensome, and over the course of a busy workday, remote workers may be tempted to find workarounds that increase productivity at the expense of security.
According to the same CyberArk study, 67% of respondents admit to seeking a workaround to corporate security policies, such as sending work documents to their personal email address, sharing passwords or installing unverified applications on their work devices.
One major risk many take for the sake of convenience is storing passwords in their browser, but Murphy warns that allowing passwords to autofill is risky.
“The password manager in your browser is a common place where attackers look for credentials — whether personal or corporate, it doesn’t matter — they look there all the time,” he says. “There’s a configuration setting in Chrome or Safari, for example, the ‘don’t save passwords’ option, and generally in corporate environments they automatically turn that on so it never lets you do it, but at home people just do it for convenience.”
Remote workers may attempt to sidestep these controls for various reasons, including convenience and ease of use, without fully understanding the downstream consequences if credentials are exposed. While taking shortcuts may seem harmless, these security protocols are in place for a reason – and ignoring them can have real consequences.
3. Sharing Devices with Family
Being stuck at home has made it tempting for remote workers to let family members use their work computer for non-work-related activities.
“Because it’s so chaotic right now, the work device becomes the personal device — like, my children need to use Zoom so just sit at my desk and do it,” says Murphy. “It’s not that there’s a vulnerability or a flaw within Zoom, but using an unfamiliar device could open up the possibility that your child clicks a link or goes to an unknown website. So it all comes back to separation of work and personal use, and we’re blurring that line too often.”
Letting a family member use your employer-issued devices can expose the entire corporate network to significant risk and general confusion. Case in point? One unlucky lawyer discovered the perils of lending work computers to others, and accidentally showed up to virtual court session as a cat in a widely shared viral video.
Sharing a work device with others is never a good idea, and if you want to use your home internet connection for work related tasks Murphy recommends taking a few simple precautions to keep work and personal data separate and secure. First, he suggests creating a guest WiFi network separate from the standard home network for work-related activities. “Generally, the guest network isolates all the devices, so they can’t communicate with one another,” he says. “That effectively puts a firewall around it so you can only communicate out, not in.”
Murphy also recommends creating a separate, password protected user account with restricted access for web browsing and day-to-day related activities.
4. Ignoring Common Attack Signs and Symptoms
When an attack is being perpetrated or attempted there are a number of common signs and symptoms that can act as an early warning signal. Employers should strive to educate their remote workers on what to look out for and how to identify a potential breach.
“When you start to see the browser getting modified, and you didn’t do it, that’s a red flag for sure,” says Murphy. “Pop-ups are a big one, or your default browser is changed, or you have a bunch of things open in your browser you didn’t open yourself.”
Other signs and symptoms include loss of control of the keyboard or mouse, applications or files appearing that weren’t intentionally downloaded, and sudden unexplained system slowdowns. Don’t ignore these symptoms — if you feel there are unauthorized changes to your system, follow your company procedures. End user awareness is key — say something, even if it appears minor. After all, it could be an early warning sign of something much bigger.
5. Giving Vendors and Contractors Too Much Access
Most employers depend on vendors and contractors, and those external contributors often require a certain degree of access in order to provide their services.
It’s important for IT security teams to follow the principle of least privilege — limiting each users’ access to only what is needed, for only as long as it is needed. And this doesn’t just apply to third parties — Zero Trust approaches require every identity (human or machine) to be authenticated and authorized before access is granted.
“When you think about that remote workforce, it’s not enough to say we have to protect our people, it’s also the third-party vendors that might have different access and security controls and need to be managed, monitored and controlled just like regular employees,” says Murphy.
Organizations should require vendors and contractors to adhere to the same security practices and standards as the rest of their workforce, he notes.
6. Hitting “Remind Me Tomorrow” on Software Updates
Considering new software updates are designed to reduce security risks, one of the best ways to keep devices secure is to keep them up to date. These updates, which require nothing more than accepting when prompted, are so effective at keeping devices safe that Murphy says he’s seen attackers initiate updates themselves. He explains that they often do so in order to prevent others from attacking the same network once they’ve gained access.
“When they find the flaw they’ll secure the system so only they have access to the flaw,” he says. “They’ll go through your network devices — like your home router, where many people have default passwords — and if the firmware is out of date, they remote back in and patch it up to the proper level so nobody else can hack it.”
So, don’t be like Billy — keep your software, browsers and operating system up to date.
Small Steps to Mitigate Big Risks
While it’s impossible to remain entirely secure, there are a lot of small steps individual remote workers can take to reduce the risks in this new working environment. “There’s a million other things you can do — but with anything, if we give you too much or it’s too complicated, you’re probably not going to do anything at all,” Murphy says. “Focusing on least privilege, implementing multi-factor authentication and separating work and personal devices, at a minimum, is a really good start.”