So many employees working from home, so many security concerns. By this point, most companies have upgraded their security tools and processes to accommodate remote employees.
Typically, these include technologies such as VPN gateways, secure portals, remote computer access services, endpoint and network access security, and, in some cases, software-defined wide area networks (SD-WANs).
In most cases, these measures do the trick. But sometimes, it’s not enough. Every company has outliers—employees who, for a variety of reasons, may require additional security measures. Sometimes, it’s younger employees, which one study found are more likely to bypass cybersecurity practices if they view them as preventing productivity. That same study found that younger workers are 39% more likely to fall for and pay ransomware.
In other cases, it’s working parents, who are distracted enough that they may insecurely save passwords, reuse passwords across applications, or allow other household members to use their work devices for unsanctioned activities such as shopping or gaming. And then there are those employees who hold the keys to the kingdom.
These are just a few of the dozens of cases where standard cybersecurity prevention for remote work just isn’t enough.
Here’s how to identify the riskiest employees working from home and mitigate potential damage:
Identify categories of at-risk employees. In general, there are two categories—those with the highest levels of access, and those most likely to cause security breaches because of their behavior, either intentionally or unintentionally.
The first category is often simpler to identify. It includes anyone who has access to intellectual property, personally identifiable information or financial information, including executives and leaders of a company’s human resources and finance departments. It can also include IT staff with access to proprietary code.
The second category can be trickier. Some are easy to identify, such as employees who have had run-ins with HR because they have exhibited anger, a cavalier attitude or risk-taking behavior in the past. Sometimes, it depends on the specific situation of a company. Joe Nocera, a principal in PWC’s Cybersecurity, Privacy and Forensics group, described a situation that could easily make people a security risk who wouldn’t typically be considered security risks.
“When a company is planning a furlough, those rumors tend to start leaking a little early, and if employees find out, there could be economic fraud, IP theft and maybe even intentional harm to systems,” he said. “As you think about the population of people who could be impacted by an upcoming furlough, consider putting additional controls in place to manage the risk of insider threats.”
In the case of furloughs, Nocera also suggests shoring up processes to handle notifying and offboarding large numbers of employees safely. “Generally, processes aren’t designed to handle that volume of exits simultaneously, so having a solid plan to manage the situation and securely exit them while also monitoring behavior and buildup to that exit is critical.”
Put thought into how to secure remote workers with access to sensitive data. Drew Cohen, CEO of cyber and software company MasterPeace Solutions, has implemented secure document signing for his top employees and partners, especially for sensitive workflows. “We don’t necessary need to do this for every workflow, but it gives us peace of mind,” he said.
High-powered employees also could benefit from having dedicated devices with multifactor authentication. It’s not critical to require multifactor authentication for every action, Nocera said, but it is useful for higher-level activities. “You may not be worried about administrators checking email, but you might require it for systems administration. For executives, it’s probably not necessary for opening a Word document, but it would be important if they are trying to approve a high-dollar wire transfer,” he said.
Nocera also advised making executives aware of their social media and online presence because hackers will take what they can get and exploit it. For example, an executive taking part in a publicly viewable webcast should make sure there is nothing in the background that could allow for social engineering.
Use behavior monitoring to secure other at-risk employees. Preventing risky behaviors from at-risk employees is a good start. One option is installing behavioral analytics technology for those employees to identify unusual patterns, such as installing non-standard software, visiting risky websites or connecting to the corporate network at unusual times of day.
Enhanced monitoring for this group of employees is critical, said John Matthews, CIO of ExtraHop, a cloud-native network detection and response vendor. In his own company, for example, Matthews has relied on network monitoring tools for just this purpose. “At one point, we discovered that a junior engineer had downloaded a pile of code to his local machine. We responded to that alert and discovered that he was just trying to do something positive, but didn’t do it in the right way,” he said. This action spurred a discussion between the engineer and his supervisor, and there hasn’t been a problem with that employee since.
Providing at-risk employees working from home with the right technology also can make a difference. MasterPeace Solutions provides those select employees with an alternative home router combined with software-defined networking, which essentially isolates every device on their home networks. This allows the company to extend the boundary of the enterprise only to specific devices in an employee’s home, and segment those devices from all other devices in the environment. “It’s about stopping lateral threats inside a house,” Cohen said. “Just think about how your teenager might use TikTok on your home network. It’s not a good idea to trust any device running TikTok on your network.”
Don’t leave it all to technology; be hands-on. Managing humans by humans is the most powerful tool, Matthews said. “To really understand people’s frustration levels, you’ve got to put the time in, especially with telework,” he said. At ExtraHop, Matthews conducts daily stand-ups that involve getting the entire team together online. The company also uses some HR tools to perform “pulse checks” on staff. “We’re trying to keep tabs not only on work frustrations, but home frustrations, which can have a real impact,” he said.
Another effective in-person tactic is user awareness training. While this has always been a valuable tool, it can be even more effective for remediation. For repeat offenders, such as employees who have failed phishing exercises multiple times, companies can offer more tailored user awareness training.
Turn bad behavior to your advantage. Sometimes, risk-takers who initially cause problems can be an asset. Matthews recalled one employee—a quick study with a lot of training in ethical hacking. “There were a few times where I had to have a conversation with her about what she was doing on the corporate network,” he said. Matthews decided to turn her rebellious nature to his advantage by assigning her tasks such as pen testing and tool creation. “It’s a judgment call a line manager has to make, but it can turn out well,” he said.