The COVID-19 pandemic accelerated a steady increase in remote work. Surprisingly, many organizations are discovering that concerns about potential lost productivity were exaggerated, and it’s now believed that one-quarter or more of all workers may become predominantly home-based. One of many consequences of this change is an increase in cybersecurity risks and in the complexity of implementing effective security to protect organizational information and computing infrastructure. As with pre-COVID security threats, well-proven cybersecurity strategies based on user and device authentication remain effective, and they now are more important than ever.
How prevalent is the movement to remote work? Analysis of the U.S. Census Bureau’s American Community Survey shows that telecommuting (which uses technology to eliminate commuting to a workplace) was practiced by about 3.6% of U.S. workers at the end of 2018.
Two to three days of work at home is typical for this category of worker, and appears to be a “sweet spot” that balances remote duties with group activity in a traditional workplace setting. Researchers at Global Workplace Analytics estimate that post-pandemic, between 25-30% of workers may continue as remote workers, a 7X-8X increase over pre-pandemic numbers
In less than a year, a workplace perk once limited to a small percentage of employees is now utilized by a much larger group of workers. The pandemic transformed remote work from a “nice-to-have” option to a necessity. Concurrently, the pace of innovation and workforce adoption of digital tools that support remote work also advanced dramatically. With that rapid adoption, long existing risks associated with digital technology have also grown. The increased risks are prevalent across all work environments: commercial and industrial enterprise computing systems, industrial control systems and government systems.
As always, vigilance by the security professionals tasked with protecting networks from intrusion is the paramount defense, and the basic formula is simple. Cybersecurity is based on defining what needs to be protected and at what points the protection is required. However, the explosive growth of remote work places new strains on the information technology infrastructure of any organization.
Proliferating attack surfaces
A basic defense tactic is to limit the number of potentially vulnerable attack surfaces accessible to a bad actor. With remote work, attack surfaces may be multiplied. A workforce that previously accessed organizational data and code within an organization’s well-protected networks now expects the same level of access from outside of those networks. The obvious counter to this is to require access through encrypted VPN (Virtual Private Network) connections. Yet, a 2020 report from Kaspersky Labs revealed that 53% of workers say they use a VPN to access their employer’s systems when working from home.
Adding to the risk equation, many remote workers use personally-owned devices while “on the job.” Kaspersky’s 2020 report indicates that half of companies that allow employees to use personal devices for network access when working from home have no policies regulating how they may be used. An organization’s well-protected network is potentially compromised by insecure access from computers, smart phones and tablets beyond the control of the IT security team. Remote workers also are likely to share their Internet access point with family and/or friends, introducing still more non-secured devices to a shared connection.