Skip to main content

How the increase in work from home will impact corporate cybersecurity

(Image credit: Shutterstock / Song_about_summer)

Covid-19 has changed many things. The rise in remote work significantly increased and companies were forced to test a new business model. At first, corporations were somewhat reluctant, but working from home yielded higher productivity. This is the effect of being close at home, with family, and less stress of commuting to and from work. 

Employees were given the comfort they long craved, while delivering quality work. However, there is a growing concern in cybersecurity, because corporate structures have certain protocols in place to prevent incidents. But if employees are working from home then they have to log in remotely from their home. Companies often use a VPN and firewall, which gives room for new cyberattack vectors, present within their home network.

Do employees connect to the VPN from their home network? 

Certainly, most employees probably do connect to their work domain through a VPN. But it is from their home network. Corporations will have to find a way to make sure that their employee home networks are secure because this opens a new can of worms. Home network vulnerability offers risk. Corporations must train their employees on how to practice good cyber-hygiene. Oftentimes, this presents an unknown challenge since companies and employees are not informed about these issues. It is easy enough to change and create new policies to prevent these risks, but only with the right information and training can cyber defensive strategy be truly effective for employees and employers alike.  

What about employees that deal with extremely sensitive information? 

Access control as per the principle of least privilege is the gold standard among corporations. It prevents unauthorized use of certain devices and systems for employees to work with. It also keeps the bag guys out.  Corporations need to be careful not to restrict the work from home experience, by making it too rigid. Again, the goal is to maximize security while improving working performance and efficiency.

If the most vulnerable point of attack is the end-user, then the phrase “you do not know what you don’t know “ springs to mind. 

It begs a few other questions. Are home office networks secure? And what tools would corporations recommend for their employees to use? Furthermore, are the employees conscious of their own cybersecurity? Are employers aware of their employee home network risks?

Such is the way of understanding cybersecurity fundamentals. Have they changed their passwords consistently? Do they use password managers? Are they able to avoid suspicious links and phishing campaigns? What about their browsing habits? Do they use the same passwords for everything? These questions may seem redundant but they are important. Corporations must constantly educate their employees about basic cybersecurity tips and tricks to prevent risk of ransomware or other hacks. Making sure they have certain tools to protect their home network, such as even partnering with cybersecurity companies in offering those solutions. 

Let’s face it, cyberattacks against corporations have doubled or even tripled, as people began working from home. Ransomware attacks alone have jumped 148 percent since March of this year. The need for robust cybersecurity is increasing on all fronts. Employees working from home have to stay cyber-vigilant and corporations must do whatever it takes to ensure all points of access are secured. This extends from the company to each employee’s home network. If they have to partner with home network security companies, they should do so from millions of dollars in losses and damages. Better to be proactive than reactive.

Let us ask ourselves, if we keep making the same mistake over and over again then those become bad decisions. Rather than making bad decisions multiple times, we can identify areas of improvement and take corrective action. Corporations and employees need to find a way of synergy, in terms of cybersecurity.

How do they best tackle things together?  

First of all, ensure that their corporate network is secure and employees need to be trained with vigilance so that they are avoiding clicking on phishing websites or emails. Also corporations have to create certain protocols in place, sometimes a lot of these hacks involve social engineering. For example, a financial officer working for a major company receives phishing emails to send a substantial sum of cash. They can be tricked into sending the funds to a random bank account, but it is disguised as an actual client invoice. Or even a voicemail using deepfake AI programs to impersonate a human phone call. So why is that type of system in place when it is subject to flaws? Proper processes, with checks and balances. If the executives or other major stakeholders are involved, it is worth having secondary channels available to verify a transaction. Also the employer can take the initiative and look up that client and perform verification, to ensure that certain types of transactions are warranted. Multiple levels of authorization will help these scenarios where being proactive is encouraged and vigilance is rewarded.

Let us dive further into the situation of data breaches. Working from home offers all kinds of risk from devices connected to a home network. Whether they are secure or not, there is always a problem with new vulnerabilities and zero-day attacks.

Also with the rise of IoT devices, having those breached from a home network could be the single greatest point of failure in preventing a cyberattack. If a casino can be hacked through a smart thermometer, and a home network can be hacked through a smart door lock, then suffice it to say that a corporate VPN could be bypassed. All a cybercriminal needs to do is breach a single device on a home network, where they can perform lateral movements and gain additional information. 

Another important question that employers and employees should ask, is whether these home networks are segmented? 

Do corporations need their employees to work on a separate home network? From a cybersecurity perspective, it is vulnerable for everything to be connected to the same network. Trusted devices should be isolated from the ones which are untrusted. Working from home presents a risk that can be solved by segmented office networks at an employees’ residence. Corporations will feel more comfortable sending data across VPNs. 

The work from home model was accelerated during Covid, which gave corporations little notice on drastic changes. But it is never too late to adopt more elegant solutions to prevent the risk of being hacked. Some companies are partnering with ISPs and other vendors to assist with cybersecurity. But there is a new paradigm on the horizon to deal with the rise of new threats. After all, this is a constant game of cat and mouse being played out. Home office network security is yet untapped but still no less vulnerable. Recently, the Colonial pipeline hack resulted from a simple password breach. There is a rampage of other breaches through home networks in accessing corporate data. 

There should be strict policies in place but employees have to be educated about the consequences of certain actions, even if they make a mistake. Hacking attacks and social engineering boil down to a confidence game as well. It could be as little as giving your friend access to your network, which becomes a backdoor based on ignorance. So who is to blame? All parties involved share equal responsibility. People must work together. There needs to be a simple and easy solution as well. Where both corporations and employees have a great experience and high sense of cyber vigilance. If not, it becomes too difficult or impossible to manage. A new Stone Age can be avoided for cybersecurity in the modern world.

Chukwudum Chukwudebelu, Chief Strategic Officer/ Co-Founder, Simius Technologies

Chukwudum Chukwudebelu, Chief Strategic Officer/ Co-Founder at Simius Technologies Inc. Chukwudum is experienced in product management, strategy, marketing, and sales in simplifying the consumer cybersecurity industry.