Among the millions of people worldwide who have been working outside the office for months, or even more than a year, there are those who have not adopted some of the most basic cybersecurity measures, potentially putting their digital identities or work-related information at risk.
And if that isn't enough, attackers are becoming increasingly sophisticated, developing ways of even fooling some of the most security-conscious employees. The need for vigilance and attention to security has never been greater, according to cybersecurity company CyberArk.
"We don’t have the same corporate hygiene at home, and we’re actually expanding the footprint of our corporate network from an attack perspective, because there aren’t as many security controls around it," said Bryan Murphy, director of consulting services at CyberArk and leader of its remediation services team.
So what can remote workers do to reduce risks in this working environment? According to CyberArk, a few of the most important security mistakes to avoid are as follows:
Using Weak Passwords
Cybersecurity and IT professionals have long stressed the importance of using unique, secure, complex and random passwords, especially when it comes to sensitive materials. Unfortunately, studies suggest that those warnings aren’t always taken seriously. Users tend to use simple, easy-to-remember passwords at the expense of their own security. In fact, according to a CyberArk study, 82% of remote workers admit to reusing passwords.
"If you use the internet, consider using a personal password manager so that every site has a unique password – that’s first and foremost," said team leader Murphy, who added that it's also important to use biometric and two-factor authentication on all websites and applications for an added layer of protection.
Of course, if you’re responsible for managing access on the scale of a business, password managers are not enough to protect you. That’s where privileged access management can help.
Taking Risky Security Policy Workarounds
Cybersecurity practices can sometimes feel overburdensome, and over the course of a busy workday, remote workers may be tempted to find workarounds that increase productivity at the expense of security.
According to the same CyberArk study, 67% of respondents admit to seeking a workaround to corporate security policies, such as sending work documents to their personal email address, sharing passwords or installing unverified applications on their work devices.
One major risk many take for the sake of convenience is storing passwords in their browser, but Murphy warned that allowing passwords to autofill is risky.
"The password manager in your browser is a common place where attackers look for credentials — whether personal or corporate, it doesn’t matter — they look there all the time," he said. "There’s a configuration setting in Chrome or Safari, for example, the 'don’t save passwords' option, and generally in corporate environments they automatically turn that on so it never lets you do it, but at home people just do it for convenience."
Remote workers may attempt to sidestep these controls for various reasons, including convenience and ease of use, without fully understanding the downstream consequences if credentials are exposed. While taking shortcuts may seem harmless, these security protocols are in place for a reason – and ignoring them can have real consequences.
Sharing Devices with Family
Being stuck at home has made it tempting for remote workers to let family members use their work computer for non-work-related activities.
"Because it’s so chaotic right now, the work device becomes the personal device — like, my children need to use Zoom so just sit at my desk and do it," said Murphy. "It’s not that there’s a vulnerability or a flaw within Zoom, but using an unfamiliar device could open up the possibility that your child clicks a link or goes to an unknown website. So it all comes back to separation of work and personal use, and we’re blurring that line too often."
Letting a family member use your employer-issued devices can expose the entire corporate network to significant risk and general confusion.
Sharing a work device with others is never a good idea, and if you want to use your home internet connection for work related tasks Murphy recommended taking a few simple precautions to keep work and personal data separate and secure. First, he suggested creating a guest WiFi network separate from the standard home network for work-related activities. "Generally, the guest network isolates all the devices, so they can’t communicate with one another," he said. "That effectively puts a firewall around it so you can only communicate out, not in."
Murphy also recommended creating a separate, password protected user account with restricted access for web browsing and day-to-day related activities.
Ignoring Common Attack Signs and Symptoms
When an attack is being perpetrated or attempted there are a number of common signs and symptoms that can act as an early warning signal. Employers should strive to educate their remote workers on what to look out for and how to identify a potential breach.
"When you start to see the browser getting modified, and you didn’t do it, that’s a red flag for sure," said Murphy. "Pop-ups are a big one, or your default browser is changed, or you have a bunch of things open in your browser you didn’t open yourself."
Other signs and symptoms include loss of control of the keyboard or mouse, applications or files appearing that weren’t intentionally downloaded, and sudden unexplained system slowdowns. Don’t ignore these symptoms — if you feel there are unauthorized changes to your system, follow your company procedures. End user awareness is key — say something, even if it appears minor. After all, it could be an early warning sign of something much bigger.
Giving Vendors and Contractors Too Much Access
Most employers depend on vendors and contractors, and those external contributors often require a certain degree of access in order to provide their services.
It’s important for IT security teams to follow the principle of least privilege — limiting each users’ access to only what is needed, for only as long as it is needed. And this doesn’t just apply to third parties — Zero Trust approaches require every identity (human or machine) to be authenticated and authorized before access is granted.
"When you think about that remote workforce, it’s not enough to say we have to protect our people, it’s also the third-party vendors that might have different access and security controls and need to be managed, monitored and controlled just like regular employees," said Murphy.
Organizations should require vendors and contractors to adhere to the same security practices and standards as the rest of their workforce, he noted.
Hitting "Remind Me Tomorrow" on Software Updates
Considering new software updates are designed to reduce security risks, one of the best ways to keep devices secure is to keep them up to date. These updates, which require nothing more than accepting when prompted, are so effective at keeping devices safe that Murphy says he’s seen attackers initiate updates themselves. He explains that they often do so in order to prevent others from attacking the same network once they’ve gained access.
"When they find the flaw they’ll secure the system so only they have access to the flaw," he said. "They’ll go through your network devices — like your home router, where many people have default passwords — and if the firmware is out of date, they remote back in and patch it up to the proper level so nobody else can hack it."