By Matt Shealy.
As organizations continue to adopt remote work, more opportunities are created for both companies and employees. However, the shift to remote work also creates additional challenges for IT teams. By giving a distributed workforce access to your networks, you also significantly enlarge the attack surface and put data security at risk.
Remote and hybrid work arrangements are here to stay. A Gartner survey of business executives revealed plans to permanently move another 5% of the workforce to remote work post-COVID. One out of four CFOs says they plan to move at least 20% of their on-site employees to remote positions permanently. Yet others expect to increase the number of hybrid workers that split their time between in-office and remote work.
For IT leaders, this requires a different way to approach IT infrastructure to provide the access required by remote teams and secure data assets.
Enhanced Cloud Data Security for Remote Workers
Remote work, coupled with BYOD (bring your own device), has opened up new threat vectors. The first line of defense is encrypting all data flowing into or out of the network by deploying a virtual private network (VPN), which protects traffic between the remote device and the VPN gateway. A software-defined wide area network (SD-WAN) with an integrated Next-Generation Firewall (NGFW) will also help detect and prevent unauthorized access.
Mobile devices further complicate data security. More than half of CISOs say mobile devices are their biggest cybersecurity concern. Many IT teams have turned to mobile device management software as a way to manage, monitor, and secure the increasing volume of mobile devices accessing the network.
Threat actors are finding it easier to compromise employee mobile devices than to attack company networks directly. By gaining access to a mobile device, an attacker can acquire user credentials, which provide an easier pathway into company networks.
Mobile threats in 2021 include:
- Phishing: The most common form of cyberattack, phishing uses email and text messages to deliver malicious links or send users to spoofed websites in an attempt to steal their passwords.
- Wi-Fi: Whether an employee is using public Wi-Fi in the local coffee shop or accessing Wi-Fi from their home router, there are increasing risks.
- Malware: Malware for mobile devices is a growing threat. While this was not a concern in past years, cybercriminals have ramped up the delivery of malicious software specifically targeting mobile devices.
Securing Your Remote Infrastructure
IT teams need to make sure they have a strong cybersecurity policy in place for remote work.
By creating a set of rules and guidelines for remote employees, you can document what is required and what is allowed. Depending on your company needs, for example, you might:
- Prohibit workers from connecting using a public Wi-Fi network
- Require multi-factor authentication (MFA) for every connection
- Require company anti-virus software to be deployed on all devices used for work, including personal devices
- Require VPN use
- Use MDM software to segregate company data and personal data on devices
- Insist on strong passwords
- Require password resets every 30 days
- Restrict shadow IT without prior authorization
You will also need to educate employees on best practices for security. When employees are working at home, they may be more relaxed about security. However, your network security is only as strong as the weakest link. Malware on a teenager’s laptop connected to a home Wi-Fi network can infect other devices and find its way into your infrastructure.
Since 90% of all data breaches are caused by human error, education is crucial. Remote teams need to understand the increased need for data security when working away from the office and outside the tight controls of IT networks.
The Center for Internet Security (CIS) has developed benchmarks and control protocols to help guide your policies and education. CIS hosts an active community of more than 12,000 professionals who provide consensus-developed security configuration recommendations.
Data Security Assessments
Whether you decide to undergo full-blown penetration testing and probe for weak spots or do periodic reviews of network policies, conducting regular reviews of your data security position is essential.
Networks have become increasingly complex with the use of multi-cloud and hybrid cloud solutions, private and public internet, third-party providers, edge devices, and remote connections. You need to identify potential attack vectors and constantly work to close them.
Data security should be approached as an ongoing process requiring monitoring and optimization rather than a one-time fix.
IT teams need to fully embrace zero-trust IT by employing the principle of least privilege. Many networks are still wide open for employees. By limiting access to only those resources remote employees truly need and segregating traffic, IT teams can better control the IT environment.
Zero-trust generally employs these controls:
- Identity and Access Management (IAM)
- Role-Based Access Control (RBAC)
- Network Access Control (NAC)
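
As an added illustration (not code from the article), the sketch below shows how the three controls listed above can act as successive gates in a deny-by-default access decision for a remote connection. The role names, resources, and request fields are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

# RBAC: hypothetical role-to-resource grants, constructed for illustration.
ROLE_GRANTS = {
    "finance-analyst": {"erp", "payroll-reports"},
    "support-agent": {"ticketing", "kb"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_passed: bool      # IAM: identity confirmed with a second factor
    via_vpn: bool         # NAC: connection arrives over the company VPN
    device_managed: bool  # NAC: device is enrolled in MDM
    av_running: bool      # NAC: company anti-virus is active

def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Access is granted only if every gate passes."""
    # IAM gate: no verified identity, no further evaluation.
    if not req.mfa_passed:
        return False, "iam: mfa not satisfied"
    # NAC gate: the network path and device posture must meet policy.
    if not req.via_vpn:
        return False, "nac: not on vpn"
    if not (req.device_managed and req.av_running):
        return False, "nac: device posture failed"
    # RBAC gate: least privilege; unknown roles have an empty grant set.
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return False, "rbac: role has no grant for resource"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        AccessRequest("ana", "finance-analyst", "erp", True, True, True, True),
        AccessRequest("ana", "finance-analyst", "ticketing", True, True, True, True),
        AccessRequest("raj", "support-agent", "kb", True, True, False, True),
        AccessRequest("lee", "contractor", "kb", True, True, True, True),
    ]
    for s in samples:
        print(s.user, s.resource, decide(s))
```

A request that satisfies identity and device checks is still denied when the role carries no grant for the resource, which is the least-privilege behavior the section describes.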
Hybrid and completely remote work are the new normal for business, which has led to data security challenges. Use the strategies and tech in this article to create a comprehensive cloud data infrastructure that combats the growing cyber threats.