Cybersecurity tends to be a challenge even under normal circumstances. But the coronavirus pandemic and resulting lockdown have created even greater obstacles for IT and security professionals. With the shift to remote working, you now need to protect and secure all the employees, data, and devices outside the normal physical confines of your business. And in a hybrid scenario with people working both in and outside the office, you have to contend with even more areas susceptible to compromise.

A report published Thursday by business VPN provider NordVPN Teams explores the risks of poor cybersecurity and offers tips on how to better protect your organization in this new remote working climate.

Based on a June survey cited by NordVPN Teams, Gartner found that 82% of business leaders plan to allow their employees to continue to work from home at least in some capacity, while 47% will let their employees do so permanently. Further, a poll conducted by The Times in the UK discovered that 43 large companies were looking to make their flexible work policies more permanent.

Even organizations that have allowed workers to return to the office have created work-from-home practices and are likely to continue to develop them, NordVPN said. They may hire more remote employees, retain employees who have moved away, or even shift all their staff to remote work permanently.

Though the transition toward remote or hybrid work is a necessary step due to the current pandemic, the move creates more avenues for cybercriminals to exploit. Keenly aware of this shift, attackers are targeting remote workers with phishing campaigns, malware, and other threats. They’re actively looking to compromise remote desktop accounts to gain control of servers and networks. And they’re seeking out personal devices that may escape the organization’s security protection.

“More employees working from home means more devices are connecting remotely, i.e., outside of the secured corporate network,” NordVPN Teams Chief Technology Officer Juta Gurinaviciute said. “As a result, businesses’ control over data is slipping rapidly. This is why it’s so critical to understand what remote workers are doing with that data and rework the new ‘normal’ to make it more effective and secure.”

To achieve the right type of security posture in this new landscape, organizations need to secure remote edge devices and entry points. But they also need to make this protection part of a unified strategy. The goal should be to create a single, integrated security framework to simplify management and expand visibility and control. To do all that, the first step should be to create the right corporate policy.

“Typically, when it comes to securing your teleworkers, the first item on the agenda is developing a corporate policy,” Gurinaviciute said. “This policy should outline what’s acceptable in a remote working environment, how data is handled, what levels of authorization are available, etc. Risk-based decisions can also be made depending on the types of devices employees use for teleworking (for example, company-issued devices, personal laptops, or smartphones). Devices that haven’t been issued specifically by the company should be subject to more stringent controls.”

To further push organizations in the right security direction, NordVPN Teams offers the following specific tips:

  1. Content storage should be allowed in the cloud only. Use cloud-based or web-based storage software that allows for sharing and editing of documents (for example, Cisco Cloudlock).
  2. Enhance endpoint security through two-factor authentication. This adds a second layer of security when logging in to important applications. Multifactor authentication uses OTP (one-time password) technology, certificate-based USB tokens, smart cards, and additional advanced security technologies.
  3. Connections to the company’s network should be performed through a VPN (Virtual Private Network), which uses either SSL (Secure Sockets Layer) or IPsec (Internet Protocol Security) to encrypt communications from the remote worker’s machine. This safeguards both the end user and the corporate environment, ensuring that no one is able to decipher sensitive data traffic.
  4. Adopt a risk management contingency plan. As one example, make sure you can track a laptop or wipe it remotely in case a remote worker loses one with sensitive business information on it.