As businesses head into the first few months of 2021, it’s likely that many employees will continue to work remotely for the foreseeable future.
Even when people are allowed to return openly to their offices, chances are good that a sizable percentage of people won’t want to come back. Remote work provides people with a number of benefits, but there’s always a risk that some individuals may fall victim to a cyberattack.
Remote workers are a perfect attack vector for bad actors who would like to seize control of corporate networks. Experts from the Ponemon Institute believe that around 60 percent of UK-based companies have suffered a cyberattack in the last 12 months. This has led to increased calls for business owners to ramp up security protections as soon as possible.
Managing the Attack Surface of Remote Work Nodes
Since remote workers generally rely on their own technology while at home, it can be difficult for managers and IT department staffers to calculate the risk of a cyberattack happening. Those who rely on very simple technologies may, ironically, be the best protected. A company that simply asks people to email their work back to the office in the form of a text document usually doesn’t have that big of a risk of something happening.
Luckily, password managers not only enable users to store numerous passwords, they can also sync them across devices.
It doesn’t matter whether a computer is protected by a virtual private network if users haven’t set good passwords. Some of these data experts have suggested that a common six-character password could be broken in as little as 11 hours. Words that appear in the Oxford English Dictionary could be found in less than a minute.
There’s no way for managers to know what remote users are setting their login credentials to, which further complicates the process of calculating risk. However, there are a few mitigation plans they could put into play to dramatically reduce this heretofore unseen risk.
Preventing Users from Simplifying their Credentials
Since it’s impossible and unsafe for IT departments to look at password data, they can instead automatically require the use of a complex password. Remote interfaces that reject passwords under a certain length or complexity can slash the risk of them being guessed by several orders of magnitude. Compressing password hashes in an encrypted hard file cuts the risk to nearly zero in most situations. As more content creators move to international settings, managers might consider setting such rules to be a vital manoeuvre.
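One way a remote login or enrolment interface could enforce the length and complexity rule described above, shown as an added example that is not from the original article. The thresholds, the small word list and the function names are assumptions chosen for illustration.

```python
import math
import string

# Assumed policy values and a constructed word list, for illustration only.
MIN_LENGTH = 12
MIN_CLASSES = 3
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein"}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def char_classes(pw):
    """Return the set of character classes used in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace_log10(pw):
    """Order of magnitude of the brute-force search space for pw.

    Upper bound only: it assumes every character was chosen at random.
    """
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log10(alphabet) if alphabet else 0.0


def check_password(pw):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if len(char_classes(pw)) < MIN_CLASSES:
        problems.append("too_few_classes")
    # Strip digits and symbols so "Password1!" still matches "password".
    core = "".join(ch for ch in pw.lower() if ch.isalpha())
    if core in COMMON_WORDS:
        problems.append("dictionary_word")
    return problems
```

The check runs on the candidate password at the moment it is set, so nobody in IT ever needs to see stored password data. A six-letter lowercase word scores about 8.5 on `keyspace_log10`, while a 14-character password using all four classes scores about 27.6.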
This may still not be enough, however, because ransomware attacks can circumvent even the most sophisticated credential policies. The largest weight-loss and cosmetic surgery group in the UK lost over 900GB of patient photographs in this kind of attack, which were then held hostage by computer criminals. This attack and others like it earned £18 billion for criminal groups over the last 12 months.
Ransomware-related problems may force IT managers to take more drastic steps, which may be somewhat unpopular with their teams. Nevertheless, NCSC experts have advised that tech professionals do make such changes in order to improve security profiles across the board.
Fighting Back Against Ransomware-based Cyberattacks
While it’s difficult to get accurate statistics, it’s easy to believe that ransomware is quickly becoming one of the most destructive types of cyberattacks. Foreign currency firm Travelex was asked to pay an enormous £2.4m ransom, and firms who do shell out the cash often find that they don’t ever get their data back.
Experts are recommending that data never be stored on software platforms that haven’t proven themselves resilient to ransomware attacks. Some UK-focused Linux distros have grown in popularity as a result.
Few IT department managers can expect that their teams are going to adjust technology they have at home just to satisfy security experts, however. It’s quickly becoming difficult to encourage remote workers to even install browser updates on a regular basis, let alone OS-level patches.
Business owners should of course ramp up cybersecurity on their end first. It would look nothing short of hypocritical to expect others to make changes without making them independently. However, it’s vital that remote workers do something to protect themselves.
Perhaps the best idea could be to set aside a couple of days a month to walk everyone through needed updates, if at all possible. This could help to keep people on the same page without making it seem like they’re being penalised.