Don’t expect the task of securing your office network to become easier anytime soon. Security analysts predict an escalation in ransomware and malware attacks on office networks in coming months. A similar increase in the number of attacks is expected on computers of work from home (WFH) employees as well.
At the same time, trends suggest that work from home is here to stay. Employees might have to work remotely in 2022 too. This trend of WFH employees also means that a lot of personal devices, laptops, phones and Internet of Things (IoT) devices would continue to connect to your office networks. And, these home-office connections could spell trouble for small businesses.
How work from home exposes your office network to criminals
As is evident by the surge in cyberattacks, the mass migration of employees from office to work-from-home has strained the information security capabilities severely and across the board. Unfortunately, every industry is experiencing a surge in criminal activity on office networks.
No one had expected that so many machines would be forced out of office networks, which are secure by design, and would reconnect using unsecure home internet. This unprecedented migration has mushroomed an attack surface, for which no IT technician had prepared for. A task that is sure to become more difficult in 2021.
Consider the following changes that are taking place in the business sphere.
- The migration of business IT infrastructure to cloud storage, discarding the traditional in-house setup.
- A forced switch-over to new device management procedures, as more devices now operate remotely and out of office.
- Surge in the use of personal machines, including mobile devices, which are used by family members as well.
And, here’s the problem. IT staff no longer has direct control over how data flows across the organization, and they have lost control over how workers use their devices.
Has everyone installed the patches?
- Difficult to monitor
Who’s using the machine?
- Difficult to predict
What happens to the equipment during non-office hours?
- Nobody knows
Getting answers to the above questions, might be easy for large businesses; but small businesses cannot afford the expenses involved.
Why is it difficult to manage a remote workforce?
Here’s the catch. If a computer isn’t connected to your network, you have no way to control how it’s being used. Once a WFH employee switches off his computer, the IT staff loses their visibility over the machine. Moreover, your staff can no longer ensure that all necessary patches and software updates are installed without delay.
Employees’ online behavior is difficult to control when they are away from the office, especially when the machine is using home internet.
In addition, a distributed workforce connecting to your network using home internet creates a larger attack surface for criminals to attack than was available earlier. Add to it the dangers of a machine being used for gaming, shopping, and accessing social media websites.
Migration of IT infrastructure to cloud presents a similar challenge. Firstly, it increases your dependency on third-party servers. Secondly, if your business uses Apps for workforce management, your data might be getting stored on multiple clouds. Thirdly, the use of cloud Apps also creates a new attack surface for criminal activity.
Unfortunately, this trend is here to stay. Businesses are actively switching to Apps that operate on a public cloud.
Admittedly, the above issues may not trouble big businesses that can afford dedicated IT staff, but the same cannot be said for small businesses. Such companies need to prepare their employees to shoulder the burden of securing their own devices.
So, what can you do to secure your business from criminals who are continuously developing their capabilities to exploit your vulnerabilities?
Limit the access to your network
An important technique to protect your network is to limit the people who can access it from outside. First, you need to set strong password restrictions. Prohibit access to your network, including files over public cloud, without a password. A stronger option would be to use multi-factor authentication.
Apply this rule strictly to administrative access. Only those with need to access should get administrative rights.
About the questions of access to stored data, use the concept of ‘least privileged access.’ Limit user access to work related folders and files only.
Remote desktop applications
Another pinch point is the use of remote desktop applications to access the office network. These applications allow workers to access their office computers from home.
The most famous tool is the Windows remote desktop solution. Although it’s much more secure on Windows 10, still its use on a computer that’s open to the Internet can be dangerous. That’s because criminals actively search for such connections, and if they find your computer using the service, your network is sure to get attacked.
Thus, if your team needs to use a remote desktop connection, then ensure that they are on a Virtual Private Network. As an additional precaution, enable multi-factor authentication for the connection.
Since we are discussing multi factor authentication, here are the other applications and services for which you need to enable the feature.
- Cloud based applications, including HR platforms, online storage, and instant-messaging
- Cloud email services, such as Gmail and Office 365
- VPN tools
- Administrative access
- Banking services
As most services provide two-factor authentication by default; so, discuss with your vendor about how you can enable it for your business purposes.
Security of work from home devices
Next, you need to ensure that your WFH employees follow basic security practices at home. This is because, criminals have begun attacking devices used by WFH workers, including, computers, phones, and routers. For instance, Trend Micro observed more than 2.9 billion attacks on home networks last year.
So, it’s important that you ensure that your employees’ home office doesn’t become a gateway into your office network.
WFH Policies and procedures
Firstly, and most importantly, rewrite your information security policies. If you don’t have a security policy that covers work-from-home employees yet, then develop it, and distribute it. And ensure that your employees understand the policy. A better way would be to develop it into a security awareness training, and ensure that every person on your team takes it.
About the topics that the policy needs to cover, they should cover the use of routers, VPN, IoT devices, mobile phones, and use of Apps for work purposes.
In addition, you must cover important security risks as well. This includes the risk of using unpatched routers, not changing default passwords, using office-computers for personal tasks, and allowing family members to connect USB drives to the computer.
Similarly, you need to put in place a strong password policy. The policy should cover practices, such as creating strong passwords, changing them regularly, and having a unique password for different services. Also, ensure that employees don’t reuse passwords. This is because, password-guessing attacks use passwords stolen from the web.
Virtual local area network (VLAN)
Secondly, you need to advise your WFH employees on protecting office networks from attacks via personal devices. Trend Micro recommends segmenting home networks. The setup isolates company computers from home computers and IoT devices. Here’s an article on VLAN that might help you with the setup.
Using Public Wi-Fi
Thirdly, advise your employees against using public Wi-Fi for connecting to office networks. Public Wi-Fi is not secure. The connection could be under monitoring by criminals. So, its use for office work should be a big NO. Still, if a person must use public Wi-Fi, then, they need to ensure that their VPN is on, and that the security person is aware of the instance.
Use of office computers for personal use
Similarly, encourage employees to not to use office computers for personal purposes. However, some employees might be in a position, in which they cannot avoid sharing computers with their family members. Under such a condition, the employee should create multiple login accounts on the device.
Run software updates
Another vital protection against hackers is updating software and installing patches. It’s important! Unlike office setups in which the security team runs updates over the entire network, in case of a WFH workforce, the updates won’t run automatically. Similarly, an employee may be using public cloud Apps on his or her computer. It’s essential that all software and Apps over the employee computer are up to date.
Lastly, you need to become careful about phishing attacks. COVID-19 themed attacks have spiked in recent months. Criminals are using the pandemic to lure workers into revealing sensitive information, including credentials of Apps and software used for work. This includes an increase in the number of sophisticated attacks, such as spear phishing and social engineering as well.
Unfortunately, it’s difficult to filter out such emails altogether from the office-inbox. In addition, criminals have begun targeting employees’ personal email services too. Criminals use multiple ways to lure employees into revealing sensitive information. Moreover, these attacks act as a launch pad for BEC and ransomware attacks on businesses. Thus, security awareness training to avoid such lures has gained an added urgency.
You need to ensure that your employees learn about social engineering attacks. These scams may be hard to detect, but with due diligence, employees can learn to avoid the baits.
Simultaneously, you should consider running phishing simulations. Run by experienced IT security teams, these simulations try to identify workers who are prone to such scams.
In a nutshell, do not take the security of your office network lightly. First, monitor your network for suspicious activities via RDP connections. Second, only permit verified accounts to connect to your network. You may want to look into IP whitelisting for the purpose. And most importantly, keep backups. We suggest you to use the 3-2-1 rule of backups; that is, create at least three copies, store the copies in two different locations, and store one offline.
With this in mind, revisit your information security policies immediately. You may need to revise them. For instance, your access control, remote access, and BYOD policies would not work in a setup in which data is stored over public clouds, and employees access your network using mobile phones. Similarly, you might need to revisit your data retention policies as well.