15 Often-Overlooked Risks To Digital Assets In The Remote Work Era
When social distancing and lockdowns became part of everyday global life, many businesses quickly shifted to remote work so their teams could stay on the job. Often, technology leaders had to work quickly to enable their colleagues to work from home—in fact, for many companies, the change happened so quickly that they may have failed to take some important precautions, leaving vital digital assets at risk.
Now that their teams have adjusted to working remotely, technology and business leaders would be wise to take a step back and address the security vulnerabilities that the quick shift may have introduced. Below, 15 experts from Forbes Technology Council share some often-overlooked risks to digital assets that companies should work to mitigate as soon as possible.
1. Insufficient Email Security Training
From phishing attempts to more sophisticated threats such as scripted attacks, SQL injections and DDoS attacks, most business leaders grasp the importance of email security. However, even beyond the IT and security departments, team members should have basic knowledge of the common threats to email security so they can better protect their email and applications against them. - Gleb Polyakov, Nylas
2. Inadequate Access Management Controls
With remote working established, businesses are leaving themselves at risk with employees accessing company systems on potentially unknown devices and unsecured networks. The biggest issue is that companies are failing to do the basics: This means protecting data at its core and authenticating who can access it by implementing access management controls (including multifactor authentication), encryption and key management. - Alex Cresswell, Thales Group
3. Lack Of Data-Sharing And Data-Encryption Policies
Data encryption is something that many enterprises take for granted. There are many tools employees can utilize to transfer data, and these tools may or may not have robust encryption. It is important for enterprises to have data-sharing policies and encryption standards for the data itself to help mitigate the many ways there can be data leakage of sensitive information. - José Morey, Ever Medical Technologies
4. Remote Worker Offboarding And Publicly Addressable Assets
As Covid eases in the U.S. and people start to look around, I think remote employee offboarding is an area that will take a lot of companies by surprise. Highly privileged, publicly addressable assets (for example, the systems used in the recent REvil ransomware attack) and the home network as part of the corporate attack surface are two other areas that still need proactive effort. - Casey Ellis, Bugcrowd
5. Gaps Or Mistakes In Patching
Many IT teams were already stretched before the requirement to essentially support a “second infrastructure” of remote workers. I think even with the best of intentions, there will be gaps in patching as well as users taking it upon themselves to try to “fix” things when they may not be equipped to do so—or just a flat-out lack of the correct policies and tools to secure remote workstations. - Nate Cote, Kanguru Solutions
6. Legacy Technology
Too many organizations relied on the legacy technology of the past to try and enable the remote and hybrid future. Technologies such as VPNs and virtual desktops were never designed for a world where most people work outside the office at least part of the time. Not only do these legacy technologies not scale, but they also introduce additional security risks. A shift to zero-trust security models is critical. - Robb Henshaw, Cameyo
7. ‘Bring-Your-Own-Device’ Policies
There are many new personal devices accessing corporate networks. As these unmanaged devices browse the Web on the personal side, they are vulnerable to advanced malware, which can infect the rest of the corporation. Zero-trust security using remote browser isolation can help manage these types of risks, keeping workers productive while the company remains protected. - David Canellos, Ericom Software
8. Unsecured Endpoints
While it was understandable at the time, too many companies acted before they had a strategy or even a plan. In so doing, they skipped backups and left the door open for bad actors to breach the perimeter. They didn’t think about securing endpoints within a dispersed workforce. The imperative was getting connected and accessing data without fully grasping the larger context. - Adam Stern, Infinitely Virtual
9. Easy Access To Sensitive Information
Businesses need to understand that the “need to know” confidentiality principle is more important with widespread remote working. There has to be enhanced control over access to sensitive information; the physical office perimeter that organizations once relied on as a risk-mitigating factor for data leakage when designing applications no longer exists, and companies have limited control over users’ home environments. - Ross McNaughton, Gulf Bank
10. Lack Of Document-Level Restrictions
It’s difficult to track, control and protect confidential and sensitive documents once they’ve been distributed. Businesses need security features that travel with the document and allow access to be restricted at any time—even after the document has been shared—so that unauthorized users can be prevented from seeing, sharing or copying the data. - Madhan Kanagavel, FileCloud (CodeLathe Inc.)
11. Unmonitored Software-As-A-Service Use
With tools such as Zoom and Slack now deemed essential, IT executives are still figuring out how to purchase, manage and secure hundreds, if not thousands, of SaaS applications across millions of licenses. Companies need to make sure they can measure and track SaaS use to ensure compliance and security while also ensuring employees are using the right tools to maximize their productivity. - Jody Shapiro, Productiv
12. Missed Software Updates
Initially, companies proved to be much more nimble and responsive than might have been anticipated, but very few of them thought about long-term management implications. Maintaining the currency of software and patches on end-user devices that rarely or never come back to the office is a challenge. IT solved mobile device management for phones years ago; now IT has to deliver a similar solution for both company-owned and employee-owned laptops. - Phil Alberta, Next Phase Consulting
13. Bridged Home And Corporate Networks
One of the biggest risks I see is the bridging of home and corporate networks. When a company computer accesses a user’s home network, there may be limited or no protections in place. As an example, if I have a home computing device that is compromised, the only thing standing in the attacker’s way is the security software I might have on the laptop—that’s the opposite of defense in depth. - Lewie Dunsworth, Nuspire
14. Video Meeting Privacy Issues
Companies are conducting more voice and video meetings nowadays, and that can lead to privacy-related concerns. Who can listen to the recordings and read the transcripts? Companies should devise transparent policies to let everyone know how transcription is done, where files are stored and who has access to them. Policies only go so far, however—the risk of inappropriate access remains. - Venky Balasubramanian, Plivo
15. Unenforced VPN Requirements
Big companies have locked-down VPN requirements for all employees, but small companies often do not. It’s remarkably easy for bad actors to do bad things when your employee is sitting in a Starbucks. Small organizations should find ways to demand and enforce that all remote workers use VPN at all times. - Bruce Kornfeld, StorMagic