Page 49 - Security Today, November/December 2018

converted/transferred using these applications.
I Spy a Wi-Fi
When employees work from home or any public place outside enterprise networks (such as coffee shops), they leave their devices open to attack because of security risks inherent in public Wi-Fi networks. Attackers can mimic public Wi-Fi networks and trick their targets into joining the fake network, or attackers can join a legitimate public Wi-Fi network and tunnel into target devices (especially if employees have turned on their device discoverability).
Late last year, there was a deadly root access bug uncovered in Apple devices that allowed attackers to gain administrator access on target systems and cause dangerous levels of compromise. While that bug is patched and fixed now, the security threat of public Wi-Fi networks remains.
Awareness Issues
The most secure cyber defenses cannot stand up to human error. Even if organizations are aware of security threats and communicate them to employees, ingesting and retaining this communication is often not incentivized enough (or not interesting enough) for employees. This leads to reduced awareness levels and employees repeating the same mistakes that—if they’re working remotely—are much likelier to lead to successful cyberattacks.
What can we do?
Improving organizational security for remote workers is not rocket science, and many points this article mentions might seem self-evident. Nonetheless, it’s surprising how often simple fixes go ignored. The following suggestions are a good starting place to ensure that organizations stay secure while continuing to promote the positive aspects of remote work.
Historically, lengthy passwords with a combination of letters, numbers, and special characters are less likely to get breached through brute force. Contrary to popular opinion, NIST recommends against changing passwords regularly. Employees usually change just a couple of characters from password to password this way, leading to confusion without increased security.
VPNs Are A Must
Whether employees are working from home or any other public location, organizations should ensure that Virtual Private Networks or VPNs are used. By combining encryption protocols and virtual P2P connections, VPNs protect any sensitive company data that employees might access while connected to non-enterprise public/private networks.
There are various VPN protocols out there: some provide encryption, some facilitate connections, and some do both. Protocols such as SSH, SSL, or TLS fulfill both duties (encryption and connection) and should be preferred by organizations that aim for security as well as convenience.
Awareness Programs with A Twist
Security awareness programs delivered through dry, text-heavy presentations are unlikely to have the intended effects, no matter how positive the intent. A few tactical tweaks to awareness programs can drastically improve uptake:
• Including interactive, engaging assignments as part of the training. For example, a “design your own phishing email” contest where employees come up with their best phishing emails.
• Encouraging and rewarding employees that show “good security behaviors” and sharing their successes with the group.
• Learning from security failures and sharing with transparency to avoid repetitive mistakes.
• Creating a culture of openness and blamelessness so that employees that have made mistakes come forward honestly without fear of being punished.
Update, Patch, Maintain
Devices with out-of-date software, certificates, and agents create conditions where compromise becomes easier and more likely. Organizations should monitor the version recency of operating systems, SSL certificates, and security software (such as firewalls and endpoint tools) on all employee devices and especially those that avail of remote work.
Although any deficiencies along these lines won’t create security incidents on their own, they will weaken a device’s “immune system.” Attackers will usually scan devices for these deficiencies and target accordingly.
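As an added example (not code from the article or from Demisto), the following Python script performs the recency check this section describes over a constructed device inventory: it flags operating system and endpoint agent versions below an assumed baseline and certificates that are expired or close to expiry, listing remote devices first. The hostnames, version numbers, baseline, and dates are all hypothetical.

```python
from datetime import date

# Constructed sample inventory (hypothetical device records, not real data).
INVENTORY = [
    {"host": "laptop-01", "remote": True,  "os": "10.13.6", "agent": "4.2.0", "cert_not_after": "2018-11-20"},
    {"host": "laptop-02", "remote": True,  "os": "10.14.1", "agent": "4.3.1", "cert_not_after": "2019-06-01"},
    {"host": "desk-07",   "remote": False, "os": "10.12.6", "agent": "4.3.1", "cert_not_after": "2018-10-15"},
]

# Assumed baseline: the minimum acceptable versions for this hypothetical fleet.
BASELINE = {"os": "10.14.0", "agent": "4.3.0"}


def parse_version(v):
    """Turn '10.13.6' into (10, 13, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit_device(dev, baseline, today, cert_warn_days=30):
    """Return the list of hygiene findings for one device record."""
    findings = []
    for field in ("os", "agent"):
        if parse_version(dev[field]) < parse_version(baseline[field]):
            findings.append(f"{field} {dev[field]} below baseline {baseline[field]}")
    days_left = (date.fromisoformat(dev["cert_not_after"]) - today).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= cert_warn_days:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def audit_inventory(inventory, baseline, today_iso, cert_warn_days=30):
    """Audit every device; remote devices come first because they sit on public networks."""
    today = date.fromisoformat(today_iso)
    report = []
    for dev in sorted(inventory, key=lambda d: not d["remote"]):
        findings = audit_device(dev, baseline, today, cert_warn_days)
        if findings:
            report.append((dev["host"], dev["remote"], findings))
    return report


if __name__ == "__main__":
    for host, remote, findings in audit_inventory(INVENTORY, BASELINE, "2018-11-01"):
        print(f"{host} ({'remote' if remote else 'on-site'}): {'; '.join(findings)}")
```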
These solutions are by no means exhaustive, but they represent “first-pass” guidelines that organizations can set up and build upon. Even with all these precautions (and more) in place, it’s inevitable that breaches will occur. But by being proactive in defense and agile in response, organizations and their remote workers stand a good chance of coming out on top.
Abhishek Iyer is the technical marketing manager at Demisto.
Str!ct P@ssw0rds
Make sure that employees use strong passwords and that they use different passwords across systems. A single password used across applications might be convenient but it then takes just one vulnerability to compromise all the employee’s accounts. For guidelines on password strength, you can refer to NIST’s latest identity guidelines.