8 Security Threats for Remote Workstations--and How You Can Mitigate Your Risks
The Covid-19 pandemic has created unique challenges for companies with regard to network security. Cybercriminals are taking advantage of the sudden and drastic increase in telecommuting to gain access to company networks.
It’s no surprise that we’re seeing increased scams and phishing attempts targeting telecommuters, whose home networks are typically not as secure as corporate offices. Experts are expecting this to accelerate. Some of the factors:
- Remote workstations pose specific risks and require additional security measures, staff training, and work-from-home protocols in order to keep the corporate network secure.
- Due to the urgency of the situation, most companies have not had the time and resources to set up secure workstations and protocols for their employees.
- For a variety of reasons, employees working remotely are more vulnerable to falling prey to phishing emails and other scams, potentially giving cybercriminals direct access to the corporate network.
These and other factors, authorities warn, are creating the perfect storm for cybercriminals.
What do employers need to do to secure their employees’ remote workstations and protect company data?
In order to fully secure your company network, you need the services of a qualified IT security technician to perform more advanced security measures. However, that may not be feasible for you at this time. The measures below will help mitigate the risks inherent in remote workstations.
#1 Company Device
When possible, a company-issued laptop is the safest workstation: It’s a known entity and uses the company’s application suite and anti-virus. Be aware, however, that as soon as that device leaves the office and goes remote it becomes a security threat, depending on where and how an employee accesses company data.
Ideally, an employee will have a company-supplied, dedicated laptop that’s only used for work. However, given the work situation in response to the Covid-19 pandemic, employers might have no other option than to allow employees to use a personal computer for work. We’ll address that later.
A foundational caveat for using a company laptop: DO NOT USE IT FOR ANY PERSONAL PURPOSE. Do not sign into personal email accounts, social networks, or anything else, not even for a quick check. Doing so can unwittingly open the door for hackers to gain access to the company’s network.
#2 Public Wi-Fi
All public Wi-Fi should be considered unsafe and untrusted. Accessing data on a password-protected public Wi-Fi connection at, say, Starbucks is different from accessing it at home. You might think that getting the password from the barista and signing directly into their Wi-Fi connection is secure; however, anyone can fire up a hot spot and give it the same name and password as Starbucks’ Wi-Fi. If an employee signs onto that one by mistake, an easy and common mistake to make, they’ve unknowingly given that person direct access to their device and, potentially or indirectly, the company network.
Depending on what kind of provider Starbucks has, they may be able to restrict access between wireless nodes; do they do this? Who knows? Does the barista know? Probably not.
Best advice: while at a place like Starbucks, connect via your own hot spot or a VPN if you have one on your company laptop. DO NOT connect at Starbucks or on any public Wi-Fi unless you have one of these options.
#3 Accessing Company Resources and VPNs
Another question is what kind of resources employees need access to. Can they get everything they need to do their job with just an internet connection? Users will probably need to access resources that are in their corporate offices. They can do that with a VPN, which the employer needs to set up or have an IT technician set up.
The problem with a VPN is that if the employee needs to use a personal machine at home, the employer has no control over that machine. Once the employee has connected, they’ve opened a tunnel from their home network to your office network. This gives cybercriminals direct access.
The risk increases if the employee’s network or device is already infected with spyware, malware, viruses, etc.
An employee’s personal device needs to be considered an untrusted workstation.
Employers can implement a more sophisticated VPN from an untrusted workstation back to the corporate network that allows the user to access only specific resources over restricted channels, so that if someone were spying on the workstation, they would not have access to the full corporate network.
This doesn’t make it an excellent solution, but it can reduce your security risk by up to around 80%.
#4 Browser Autocomplete and Saved Passwords
Using time-saving features like autocomplete and saving passwords in your browser is tempting. What specific security risks do these habits pose?
Websites can embed hidden fields in a web page, and your browser will autofill them. Hackers can potentially get your email address, street address, phone number, and other personal information, and with that information you can be compromised.
- Turn off autocomplete, and any saved passwords.
- Better solution: Use a password management app, like LastPass.
- Follow current industry recommendations for secure, unique passwords. (LastPass will generate secure passwords for you!)
#5 Firewalls for Home Networks
Use firewalls for personal networks. Always have the firewall your operating system provides enabled, such as the Windows firewall. Depending on how many devices you have on your home network, you should go even deeper than an anti-virus like Webroot.
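As an added example (not from the original article), the following PowerShell audits and hardens the Windows firewall on a remote laptop: every profile is enabled and blocks unsolicited inbound connections, and any Wi-Fi connection that Windows has classified as “Private” (the relaxed profile that allows file sharing and discovery) is demoted to “Public”, which is the right setting for a coffee-shop or hotel network. It assumes an elevated prompt on Windows 10/11 and that Wi-Fi adapters are named “Wi-Fi…”.

```powershell
# Added example, not part of the original article.
# Run from an elevated PowerShell prompt on Windows 10/11.

# 1. Every firewall profile (Domain, Private, Public) should be enabled and
#    should block unsolicited inbound connections by default.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        Write-Warning ("Firewall profile {0}: Enabled={1}, DefaultInboundAction={2}" -f
            $p.Name, $p.Enabled, $p.DefaultInboundAction)
    }
}
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block

# 2. A Wi-Fi network marked "Private" gets the relaxed rule set (file sharing,
#    network discovery). On public Wi-Fi that is exactly what you do not want,
#    so demote such interfaces to the "Public" category.
#    Assumption: wireless adapters carry an InterfaceAlias starting with "Wi-Fi".
$privateWifi = Get-NetConnectionProfile |
    Where-Object { $_.InterfaceAlias -like 'Wi-Fi*' -and $_.NetworkCategory -eq 'Private' }
foreach ($c in $privateWifi) {
    Write-Warning ("Wi-Fi network '{0}' is marked Private; switching it to Public" -f $c.Name)
    Set-NetConnectionProfile -InterfaceIndex $c.InterfaceIndex -NetworkCategory Public
}

# 3. Show the resulting state for the record.
Get-NetFirewallProfile  | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize
```

On a domain-joined company laptop a Group Policy setting may override the profile values; the first loop will then show the policy-enforced state rather than what you set locally.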
Don’t rely on your ISP’s access point or anything it provides. Go out and buy your own security device or firewall, plug it into theirs, and then keep it updated. Some recommendations:
- SonicWall TZ105 UTM
- Cisco RV110W
- Ubiquiti UniFi USG
Get a hardware firewall hooked up that allows you to create virtual networks. Put your primary computer on one, and IoT devices on a separate network with no access to the computer, in case an IoT device gets compromised.
Be aware that major security flaws have been found in products from the top firewall manufacturers on the market. You must apply patches as soon as they’re released.
A common problem that an employer may now be facing is this: A patch was announced, but it wasn’t a concern because at the time they weren’t using a VPN. It didn’t seem relevant, so they opted not to install it. Now, suddenly, they’re sending employees home to work, they turn on their (unpatched) VPN, and they’re exposed.
Backstory on Patches
A lot of security flaws are found by ethical hackers, who then notify the manufacturers. The ethical hackers release the exploit on the day the manufacturer has promised to release the patch, which notifies the public of the security flaw. If the patch isn’t applied immediately, the system remains vulnerable and unethical hackers can exploit that flaw. It’s imperative to keep your operating systems current and updated.
Forbes’ article published in January 2020 is an excellent read for more on this: “U.S. Government Issues Powerful Security Alert: Upgrade VPN or Expect Cyber-Attacks.”
#6 Phishing Emails
Phishing emails are more difficult to detect when working from home. When an email seems to have come from a co-worker or superior, it’s harder to verify it; you can’t just call across the room and say, “Hey Joe, did you send this?”
Protocols for Emails:
- Do not click on any links in an email unless you can verify the source, especially on a mobile device, where the link is difficult to investigate. On a computer, hover your mouse over the link, look at the URL, and verify its origin.
- Don’t open PDFs, Word docs, images, or any attachments that come in an email without first verifying with the sender.
- Don’t reply via email and say “Joe, is this a legitimate message?” The hacker that sent it to you can reply, pretending to be Joe, and then delete all messages. Call on the phone to verify.
Safest practice: Flag every email that arrives from the internet. Set the mail server to prepend a warning to the body of the email stating that “this originated from the internet.” That way, if someone sends you something while faking your CEO, you will know right away that it came from outside the organization.
In Exchange you can create a “transport rule” that does this routing for you. I have a client who likes to be copied on every email that comes into the company from outside the organization.
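The transport rules described above, written out as an added example (not the article’s or any client’s actual configuration) for Exchange Online PowerShell: one rule prepends an “external sender” banner and subject tag to every message from outside the organization, and a second blind-copies such mail to a review mailbox. It assumes the ExchangeOnlineManagement module, an Exchange admin account, and uses the placeholder mailbox security-review@example.com.

```powershell
# Added example, not part of the original article.
# Requires: Install-Module ExchangeOnlineManagement; an Exchange admin account.
Connect-ExchangeOnline

# Banner prepended to the body of every internet-originated message.
$banner = @"
<div style="background:#fff4ce;border:1px solid #e0a800;padding:6px;font-family:sans-serif">
<b>CAUTION:</b> This message originated from outside the organization.
Do not click links or open attachments unless you have verified the sender by phone.
</div>
"@

# Rule 1: tag external mail so a spoofed co-worker or CEO is obvious at a glance.
New-TransportRule -Name "External sender warning" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0 `
    -Comments "Flags all internet-originated mail; see work-from-home email protocol."

# Rule 2 (optional): blind-copy every inbound external message to a review
# mailbox. "security-review@example.com" is a placeholder address.
New-TransportRule -Name "Copy external mail to review mailbox" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -BlindCopyTo "security-review@example.com" `
    -Priority 1

# Confirm what is now in force.
Get-TransportRule | Select-Object Name, State, Priority | Format-Table -AutoSize
```

Newer Exchange Online tenants can additionally turn on Outlook’s built-in external-sender tag with `Set-ExternalInOutlook -Enabled $true`; the transport rule still has the advantage of working in any mail client.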
Make sure you have a corporate policy in place stating that employees have no expectation of privacy when it comes to email, and that they should not be using their work email for personal purposes.
#7 Beware of Bogus Websites, Apps
Phishing emails and bogus websites centered around information about the Covid-19 pandemic are cropping up by the thousands per day, along with apps with global tracking maps that contain spyware and malware.
This has become a huge problem, as people are falling prey to this tactic. Do not seek information from untrusted sources. Doing so can compromise your device and network.
#8 Personal Devices
Back to using personal devices for work. An employee’s personal device can be managed through a Bring Your Own Device policy; if you don’t have one in place, you really don’t want people using their own devices.
Either use a VPN when connecting remotely, or use a Microsoft cloud offering.
Best Practice: Use Microsoft Windows Virtual Desktop in the cloud. You can build a full shared virtual desktop in the Azure cloud and establish a VPN connection between the Azure network and the company network via the cloud. If you have a compromised workstation, that compromise can’t cross to the Microsoft host without sign-in credentials and multi-factor authentication.
Using your personal phone or tablet to check work emails, files, etc. is a big NO when working from home.
If, however, employees are expected to respond to email during off-hours via phone, then Office 365 is the safest way to do so. With Mobile Device Management, you can set policies and settings that will help control access to your organization’s email and documents. You can also remotely wipe a lost or stolen device to remove sensitive information. You can read more about this on Microsoft’s Support page.
I hope this information proves helpful in securing your employees’ remote workstations and keeping your network secure as we face the challenges ahead.
Rex Nance, CEO
East Atlantic Security, LLC
Want help determining if your network needs additional security? Give us a call for a free consultation. 888-354-6208