Remote Workers Using Personal Devices: Myth vs Reality
With the focus on employees working from home, many remote workers using personal devices will be inadvertently testing your organization’s ability to protect its network.
Iconic IT has made security a focus for our IT services. Matt Lee, Director of Technology at Iconic IT, has offered some insights behind the myths and the realities of allowing your employees to access personal devices while working from home.
Myth vs Reality
Remote workers using personal devices can open your network to a host of issues. Your employees may think they are working securely, but the reality may be something far different.
Here are the three biggest myths organizations and employees believe when they are working remotely.
1. Myth: Remote Workers Using Personal Devices Are Protected by Existing Safeguards
Your employees may feel protected by safeguards currently in place on their personal devices, such as “out of the box” antivirus protection. They may feel safe using standard protections such as Microsoft’s Windows Security.
The reality: When your employee installs a standard boxed antivirus solution, Windows Security is often automatically shut down. Your employees may believe they have enough security on their personal devices. Unfortunately, these home devices have higher risk profiles given their typical shared use and less business-focused personal browsing incumbent with more risk.
The solution: Install your organization’s antivirus on all personal computers. We recommend the two-tiered approach of our AV solution, Iconic Fortify.
Find out more about antivirus solutions here.
2. Myth: Remote Workers Using Personal Devices are Protected by Your Company’s VPN
Your organization may feel that Virtual Private Networks are enough to protect your network when your remote workers use personal devices to access your business’ files and data.
The Reality: VPNs (Virtual Private Networks) are a good start to protect your network but become less effective when accessed by your employees’ personal devices. These devices’ risks become the corporate network’s risks once connected over the VPN. Good security measures and layered protection are needed to combat and mitigate this risk.
The dangers of relying on a VPN alone don’t come from the VPN itself, but the potential lack of security on these devices and a lack of awareness on the part of your employees.
Your VPN is Only as Secure as the Machines Using It
Typically, personal devices only have antivirus software installed. This will not include Endpoint Detection and Response (EDR). Because personal devices are accessed as independent workstations, there is no active security monitoring or patching from IT professionals.
No Administrative Authority
Because personal devices don’t have the same levels of accountability as organizational devices, gaps in security may exist that can spread potentially over the VPN. Attackers often look for a foothold first and then build ways to elevate privilege.
Chances are your employee’s personal device is shared by other family members. Even if every user’s profile is separate, the profiles are kept in the hard drive of the device. Since all users are not connected to the VPN, malware can be installed from another user who is accessing the device.
Bypassing the VPN
If the VPN is slowing down the employee’s browsing, he or she may be tempted to bypass it. Some factors slowing the VPN could be the VPN itself, the age of the device, and distance from the server.
Gap Between VPN Launch and Connecting to the Internet
There is a brief gap between when a VPN is launched and when it connects to the internet. During this time, the device is vulnerable. This is especially dangerous if your employee is accessing data on an unsecured Wi-Fi connection.
Additional Concerns with VPNs
An alert released by CISA on Friday, March 13, 2020, stated that cyberattacks on remote workers are expected to increase. Per the report, even more weakness when using VPNS include:
- As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
- As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
- Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
- Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
- Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.
Any type of secure, remote software that maintains network level separation to establish a connection to a work asset without exposing the risks of the local home device as in a VPN. Some examples of good strategies would be:
Use a 3d Party Remote Service, preferably one that allows 2 Factor Authentication. This is the most secure way to establish a network separated connection to a workstation at your office. It does not allow malicious software running on a home machine to reach the office’s workstation. Iconic uses “Connectwise Control for remote access to workstations.
Another option for remote access would be RD Gateway. This is a part of Microsoft Server and uses SSL certificates to secure connections. RD Gateway allows employees to log into their work desktops, so they benefit from existing security solutions on their office workstations while on their personal devices. There is no VPN required to use RD Gateway.
3. Myth: Remote Workers Aren’t Targeted by Hackers
You may think that if cybercriminals are targeting your network, they are only using workstations to try to gain access; a remote worker using personal devices is safe.
The Reality: Hackers are aware of the current shift to remote work. Current trends in cyberthreats include sending “coronavirus work policies,” updates from spoofing websites pretending to be trusted authorities like WHO or the CDC, and even maps allegedly detailing the spread of the virus.
The Solution: Send your remote employees an updated cybersecurity awareness policy that outlines their responsibilities in keeping your network safe while working remotely.
Iconic IT is Here to Help
Iconic IT understands you have a lot to consider. Here are a few steps you can take to ease the transition for your remote workforce while keeping your network safe.
- Issue company equipment whenever possible
- Adopt an acceptable use policy for remote workers
- Install end-to-end protections for remote worker using personal devices
- Make sure your employees are up to date on cybersecurity awareness
- Require multi-factor identification before any device can be connected to the network
- Understand the limitations of VPN and consider using Secure Remote Solutions either alongside, or instead of, a VPN
Iconic IT Resources to Help Your Transition to a Remote Workforce
Iconic IT has resources available to help you understand the transition and better protect your business while your employees work from home. All resources are free to download and will be helpful for you to develop a secure remote work culture.
1. Cybersecurity Awareness Training: Small Business Cybersecurity Education
An easy to use resource to teach your employees cybersecurity essentials
2. Acceptable Use Policies: Adopting An Acceptable Use Policy
Tips for drafting an acceptable use policy for remote workers using work-issued equipment at home
3. Using Teams to Streamline Your Communications: Teams for Remote Workers
4. Coronavirus Hacking Trends: Fear for Sale: Hackers Using Coronavirus Fears to Spread Malware
Forward this to your remote workforce to keep them prepared for this disturbing trend.
This guide explains two factor authentication and how this simple process can protect your network, even when remote workers using personal devices log in.
6. Protecting Your Network with a Remote Workforce: Keep Data Safe with a Remote Workforce
Pro-tips on keeping protecting your network safe while your employees are working remotely.
7. Remote Workforce Checklist: Remote Workforce Checklist
An easy to use checklist to help you make sure your teams are connected, working efficiently, have the tools they need, and are maintaining your network’s security.
Iconic IT is here to support our small to medium-sized businesses during this time. Feel free to reach out to us if you have any questions or need help with the tech your remote workforce needs to stay productive and protected.