As workers move out of the office, business security risks multiply
Companies must adhere to best practices to protect themselves and remote workers’ devices
By Gary Stoller, ThirdCertainty
Equipped with a phone, an Internet connection and nifty online technologies, remote workers often toil long hours and focus intensively on the company mission.
Remote workers clearly have been a boon to corporate productivity. But as the Internet of Things (IoT) gains traction, remote workers—particularly those based at home—have emerged as a potential weak link in cybersecurity, according to a report from security analytics vendor Rapid7.
Related video: To manage antivirus solutions, SMBs need a security mind-set
Consider baby monitors. Rapid7 senior security consultant Mark Stanislav did. Stanislav studied baby monitors sold by eight companies and found all of the monitors vulnerable to external hacks.
IoT devices such as baby monitors, smart TVs, gaming consoles, surveillance cameras and climate control systems are designed to store data and connect to the Internet. They do so via rudimentary software operating systems, often with a limited user interface, much less actual security features.
Easy pickings for scammers
This makes these computing devices a perfect tool for criminal hackers. “Your corporate computer likely has a firewall, anti-virus and numerous other ways to prevent attacks,” Stanislav says. “Devices such as baby monitors are fairly weak at protecting themselves.”
By infecting a device on a home user’s network, an attacker “could conceivably pivot to any other device on the same network—including any computer or connected device tied in to an employer’s network,” he says.
Criminal hackers can use control of an IoT device as the launching point to the rest of the devices in a home or remote location. They could try to steal passwords, distribute malware or look for vulnerabilities in a remote worker’s computer.
Though companies commonly use a Virtual Private Network (VPN) connection to protect data, “that doesn’t mean the type of traffic going back and forth is safe from a malicious worm propagating from the home network into the corporate network,” Stanislav says.
Cloud has holes
Many companies have moved their services to the Internet with cloud computing. This enables sensitive data—which previously may have required a connection into a corporate network—to be accessible with a simple user name and password, he says.
“Poor password security or a lack of vigilance when it comes to phishing scams can quickly lead to employee credentials being abused to break into these remote corporate connections and cloud services,” he says.
Stanislav points to the infamous Target data breach in 2013, in which the attacker stole names, mailing addresses, phone numbers or email addresses of up to 70 million people.
“A third party’s remote network connection into the corporate network was the foothold that allowed criminals to then proceed to infect critical point-of-sale systems throughout the organization,” he says.
Heading off the bad guys
Stanislav suggests steps remote workers should take to protect against cybersecurity breaches.
“Employees should be careful at putting unnecessary Internet-connected devices on the same network that they use to connect into their organization,” he says. “Many modern home Wi-Fi routers allow you to create multiple networks that can separate traffic, such as using one network for home computing and another strictly for work reasons.”
Employees should never use their work passwords for any personal websites or services, Stanislav says. They should work with their company’s IT security staff to ensure their work station is properly secured, “with security patches applied in a timely manner and all available security tools and services installed and functioning as expected.”
Companies are best equipped, he says, to observe employee network activity and determine “if anomalous behavior” may indicate a criminal abusing employee access and privilege.
More stories on security:
Managed security services help SMBs take aim at security threats
Knowing how to navigate a sea of data alerts can be vital to security
SMB Bounces Back After Network Data Is Held for Ransom