As workers move out of the office, business security risks multiply

Companies must adhere to best practices to protect themselves and remote workers’ devices

Equipped with a phone, an Internet connection and nifty online technologies, remote workers often toil long hours and focus intensively on the company mission.

Remote workers clearly have been a boon to corporate productivity. But as the Internet of Things (IoT) gains traction, remote workers—particularly those based at home—have emerged as a potential weak link in cybersecurity, according to a report from security analytics vendor Rapid7.

Mark Stanislav, Rapid7 senior security consultant

Consider baby monitors. Rapid7 senior security consultant Mark Stanislav did. Stanislav studied baby monitors sold by eight companies and found all of the monitors vulnerable to external hacks.

IoT devices such as baby monitors, smart TVs, gaming consoles, surveillance cameras and climate control systems are designed to store data and connect to the Internet. They do so via rudimentary software operating systems, often with a limited user interface, much less actual security features.

Easy pickings for scammers

This makes these computing devices a perfect tool for criminal hackers. “Your corporate computer likely has a firewall, anti-virus and numerous other ways to prevent attacks,” Stanislav says. “Devices such as baby monitors are fairly weak at protecting themselves.”

By infecting a device on a home user’s network, an attacker “could conceivably pivot to any other device on the same network—including any computer or connected device tied in to an employer’s network,” he says.

Criminal hackers can use control of an IoT device as the launching point to the rest of the devices in a home or remote location. They could try to steal passwords, distribute malware or look for vulnerabilities in a remote worker’s computer.

Though companies commonly use a Virtual Private Network (VPN) connection to protect data, “that doesn’t mean the type of traffic going back and forth is safe from a malicious worm propagating from the home network into the corporate network,” Stanislav says.

Cloud has holes

Many companies have moved their services to the Internet with cloud computing. This enables sensitive data—which previously may have required a connection into a corporate network—to be accessible with a simple user name and password, he says.

“Poor password security or a lack of vigilance when it comes to phishing scams can quickly lead to employee credentials being abused to break into these remote corporate connections and cloud services,” he says.

Stanislav points to the infamous Target data breach in 2013, in which the attacker stole names, mailing addresses, phone numbers or email addresses of up to 70 million people.

“A third party’s remote network connection into the corporate network was the foothold that allowed criminals to then proceed to infect critical point-of-sale systems throughout the organization,” he says.

Heading off the bad guys

Stanislav suggests steps remote workers should take to protect against cybersecurity breaches.

“Employees should be careful about putting unnecessary Internet-connected devices on the same network that they use to connect into their organization,” he says. “Many modern home Wi-Fi routers allow you to create multiple networks that can separate traffic, such as using one network for home computing and another strictly for work reasons.”

Employees should never use their work passwords for any personal websites or services, Stanislav says. They should work with their company’s IT security staff to ensure their work station is properly secured, “with security patches applied in a timely manner and all available security tools and services installed and functioning as expected.”

Companies are best equipped, he says, to observe employee network activity and determine “if anomalous behavior” may indicate a criminal abusing employee access and privilege.
