Top Remote Work Security Risks Every Organization Should Know

Remote work has become the new normal for many organizations worldwide. According to USA Today, approximately 14% of Americans now work from home, and around a third of all people who can work remotely choose to. Hybrid work is also increasing, with 41% of people splitting time between home and the office. 

As this shift from the office to remote work continues, it brings with it cybersecurity challenges. More workstations in more places mean more opportunities for a data breach or a cyber attack. While IT workers do their best to integrate off-site equipment into a cybersecurity strategy, providing effective remote work security means having to manage endpoints that are outside of a network envelope. This can make it tricky to ensure machines are updated and secured. It can also be a challenge to manage workers who don’t always use their work-provided equipment. Nonetheless, organizations have a responsibility to identify remote work security risks and establish policies and procedures to mitigate them. 

‍

Understanding the landscape of remote work security

The shift to a remote workforce: opportunities and challenges

Remote work offers organizations another tool for recruitment and retention, providing benefits in both morale and efficiency. According to Forbes, remote workers are 35-40% more productive, on average, and produce work with 40% fewer defects. 

For organizations, remote work can mean lower costs, since remote workers require less infrastructure. This can save organizations an average of $11,000 per year per remote or hybrid worker. Remote work also provides organizations with opportunities to employ talent from outside their typical geographical pool, enabling them to attract talent that might otherwise have been out of reach. 

Remote work is not without its challenges, however. In addition to the training and communications obstacles inherent in working with employees over great distances and across time zones, remote workers present some considerable security risks. 

While modern technology allows many workers to do their jobs almost anywhere in the world, every new remote or hybrid worker introduces a new network an organization must secure and at least one new device it must protect. Remote workers sometimes log in to company networks through their own, often unsecured networks, increasing the potential attack surface for hackers to exploit. And, while it is possible to send company equipment to remote workers for their home use, many use personal equipment to do their jobs. Those devices may not be updated or secure.  

Key statistics on remote work and cybersecurity

The statistics around remote work and cybersecurity risks can be alarming. According to the Lookout State of Remote Work Security survey: 

• 92% of remote workers report using their personal tablets or smartphones for work tasks, with 46% of them having saved a work file onto those devices.
• 43% of remote employees use personal devices instead of company-issued equipment, and the majority of remote and hybrid workers have admitted to doing personal tasks during work hours.
• Nearly 60% of remote workers admitted to sending an email from a work account to a personal account, and 45% of workers recycle their passwords for both work and personal accounts.

Organizations must adapt to a growing number of endpoints, including personal devices used as part of bring-your-own-device (BYOD) programs. Ensuring your organization has strong, enforceable security policies in place can make the difference between a secure network and a breach. 

The top security risks for remote workers

Understanding and addressing these remote work security risks can help organizations protect their workforce effectively.

Phishing attacks

Phishing attacks are on the rise and take many forms, increasingly targeting mobile devices. A phishing attack uses personal information (your name, the name of a contact, or the name of a company you do business with) to fool you into thinking you’re dealing with someone authorized to have your information. Often it will involve a message claiming to be from a trusted source with a link for you to log into your account. When you click the link, it will go to a facsimile of the login page you’re used to seeing, and when you enter your information, the bad guys will have it. They will then use your login details to access your legitimate accounts.

Phishing attacks can also use SMS messaging for “smishing.” In this form of phishing, a threat actor will send a text message claiming to be someone you know and asking you for information or to send them money or purchase something for them.

In all cases, a phishing attack, like a social engineering attack, is an attempt to get your data so that an attacker can access your accounts. You can generally spot a phishing attempt by looking at the details of the interaction. A phishing attack may come from an email address that is spelled slightly differently than one from a legitimate source. Or it may include a link that looks legitimate, but on closer inspection proves to direct to an illegitimate source. 

Shadow IT

Shadow IT is the use of unauthorized services and apps by an employee without their IT department’s knowledge. This can lead to many security challenges, often providing gaps in an organization’s security coverage. You can’t protect what you don't know is in use.

While shadow IT has always been a problem, the rise of remote work is adding a new dimension to it. Remote workers are sometimes able to circumvent an organization’s IT department entirely by using unauthorized devices and cloud services. 

Use of personal devices

While it is sometimes more convenient for a remote worker to use a personal device, doing so can present serious security challenges. A personal device may not be as secure as a device maintained by your organization’s IT department. Personal devices may also not be updated properly, leaving them vulnerable to exploitation.

The use of personal devices for work also creates the possibility that personal and work data may not be kept completely separate, which can lead to accidental data leakage.

Lack of physical security at remote locations

One of the benefits of an on-premises workplace is physical security. You can protect assets behind keycard-coded doors, and lock the office up tight after working hours.

Remote workers may not have such protections in place. Equipment may be lost in transit, or stolen from a home or secondary workspace, like a coffee shop. In such an event, a threat actor could gain physical access to devices containing sensitive information.

Unsecured networks

Your devices are only as secure as the networks you use to access them. Remote work introduces multiple new networks, some of which may not be secure. You may have best-in-class protections on your organization's network, but if remote workers access sensitive data, it will travel across networks beyond your control. 

In addition, remote workers will often utilize free access points at places like coffee shops or libraries, which can be open to anyone, including threat actors.

‍

Technical vulnerabilities in a remote work environment

By proactively addressing technical vulnerabilities, organizations can bolster remote work security and shield their systems and data from cyber threats.

VPN vulnerabilities and the need for secure connections

VPNs have been the solution of choice for providing remote access for two decades, but while the remote work environment has changed significantly in that time, VPNs haven’t. As a result, many organizations are counting on VPNs to provide secure access for remote workers, when in reality they aren’t equipped to do so in today’s business environment.

VPNs provide no visibility into outside resources and do not allow you to monitor and manage devices. They also prioritize access over security. Anyone with the right credentials can use a VPN to access anything on your corporate network, which presents a serious risk of lateral attacks. 

VPNs also offer a bad user experience. The technology was not designed to provide access for a large workforce operating remotely, including third-party contractors. When organizations attempt to scale their VPN solutions to accommodate cloud services and other apps, they must often adopt complex setups that undo many of the productivity gains associated with remote work. 

Unpatched software and outdated systems 

In an office environment, your IT department can perform routine updates on your technology, ensuring that your machines, apps, and security software are up to date with the latest security patches and fixes. In the remote world, there’s no guarantee your workers are maintaining their equipment with the same rigor. They could be using technology that hasn’t been updated in several cycles, leaving them open to attacks. 

This is especially challenging in BYOD environments. Some find updates intrusive and disruptive and avoid installing them altogether. As an IT administrator, it can be challenging to keep up with an array of different personal equipment and motivate users to install the latest security patches. 

‍

Strategies for mitigating remote work security risks

Develop and enforce strong data loss prevention (DLP) policies

A data loss prevention (DLP) policy is a necessary first step toward shifting your organization’s security posture from access-centric to data-centric. A DLP is a set of technologies and processes used to discover, monitor, and control sensitive data. It will allow you to control where your data is stored, how, and even why, and reduce the opportunities for breaches while helping ensure compliance with security and government standards.

Implement zero trust access controls

A zero trust approach assumes you trust no one, even users already within your network perimeter. Whereas traditional network security will allow users free access once they are inside the network perimeter, a zero trust approach will continually monitor and challenge users to prove they have the required level of access to your assets. It applies a granular level of security to users based on the principle of least privilege.

Enforce mobile endpoint security

Mobile devices are now widely used across corporate networks. According to Oxford Economics, 57% of employees say smartphones are essential to their jobs. Mobile devices are just as vulnerable to attacks as desktops and laptops. 

A mobile device management (MDM) solution can help ensure your organization’s mobile devices are up to date.  But in BYOD environments, it’s also important to employ an endpoint detection and response (EDR) solution, enabling you to secure both managed and unmanaged mobile devices.  

Go beyond VPNs for secure remote access

The modern worker is used to accessing whatever data and apps they need from wherever they happen to be working at the moment. Unfortunately, VPNs are not equipped for those use cases. They trust too much and don’t provide the visibility you need to manage your network.

Zero trust network access (ZTNA) is the answer. ZTNA is a cloud-native secure access solution that grants workers access to the apps and data they need. It continuously monitors behavior to delegate a user’s access based on risk levels. 

‍

The state of remote work security

Your workers are your greatest strength, but their devices and behaviors may be your biggest risk. Learn more about remote work security and how you can secure your organization by downloading our free report, The State of Remote Work Security.