Working out how to maintain security when employees work remotely ultimately comes down to how well you can control the virtual work environment your employees use. To do this successfully, businesses need to overcome work from home security challenges (like use of personal devices and unsecured networks). Overcoming these challenges often comes down to the use of technologies that regulate the end points on a business's data network, or that monitor the data network itself.
And then the real challenge comes: how to secure remote workers by developing a strong work from home security posture without flushing your productivity down the proverbial crapper in the process.
As work from home (WFH) has become ubiquitous — 57% of companies say that more than half of their workforce do their jobs remotely at least 2 days a week. So no wonder striking this balance has caused IT leaders, CTOs, and CIOs more than a few sleepless nights.
So is WFH security really a problem? In short, yes. A big one—as shown in a report by MalwareBytes which found a whopping 20% of organizations experienced a breach caused by remote working in 2022.
And…if that's not enough to have you hiding behind your home-office chair, Acronis' annual end-of-year Cyberthreats Report found that the average cost of a data breach is expected to be over $5m dollars per incident in 2023.
So let's say we all agree that WFH security is a pretty serious issue and there's a pressing need for solutions to deal with it. That's what this page is all about. You can jump to how we've tackled this on our product page or read on as we explore:
What is work from home security?
In short, the term 'work from home security' AKA 'work at home security' covers any measures taken to ensure the virtual environment that remote workers use maintains confidentiality, integrity, and compliance.
The goal of work from home security is to protect data assets, systems, and networks from unauthorized access, theft, damage, and other malicious or negligent activities.
This level of security has been the norm in office-based working setups so why is securing work from home so challenging?
For a combination of reasons:
- Employees using personal devices
- A lack of access controls
- Employees using unsecured networks (both at home and on the move)
- Increased number of out of date patches
- Greater chance of physical device theft
For help with identifying and mitigating these risks check out our guide on conducting a remote worker risk assessment. Or read on as we dissect how you can maintain secure remote working
How do you maintain secure remote working?
If you've already read our blog post of the security risks of working from home (or done even the smallest amount of research on them) chances are you have a pretty bleak picture of it.
Thankfully there are a series of ways that you can take the pain out of WFH.
But—and here comes the caveat—some of these security measures bring their own challenges. So if you're ready to kick things to the next gear already, jump to how to balance business outcomes and security with remote working.
Seven ways to secure home workers
Use a VPN
VPNs (or virtual private networks) are tools that encrypt internet traffic, routing it through a secure tunnel. This means remote workers can access their organization's network and data in the knowledge cybercriminals will find it much harder to intercept sensitive data.
VPNs are extremely popular amongst businesses with a WFH workforce—but as we discuss below—VPNs come with a big productivity tradeoff.
Implement multi-factor authentication
Multi-factor authentication requires users to provide more than one piece of evidence to verify their identity. This can help mitigate against phishing attacks because even if a hacker can skim one set of login credentials, they'll need another corresponding set to get their nefarious masterplan in motion.
For the same reasons this is a great way to mitigate situations in which a physical device is stolen.
Use endpoint protection
Endpoint protection software monitors the files, processes, or systems on remote employees' devices and scans for any malicious or potentially malicious activity.
The endpoint protection software is often downloaded to the endpoint (likely a device) that needs to be monitored. This means it's a great way to mitigate the risk of security threats when WFH employees use personal devices to access company networks or company data.
The obvious issue here (explored below) is keeping the endpoint security up to date and not destroying employee morale in the process.
Use cloud-based security
Another method is to focus more on the network itself. Cloud-based security aims to do just that.
It works by hosting firewalls, intrusion detection systems, and other security tools in the cloud to protect their network and data from anywhere. This makes it a great solution for remote work.
Regular security access training is a great way to mitigate human error.
When employees are not working in the office, the opportunities for 'water cooler' chat or 'village notices' are vastly reduced. You can't rely on employees educating each other by telling their colleagues in passing about the dodgy email they just received—which raises the chances that one of them will unwittingly click it.
Having a rigorous system of security education or best practices is a must.
Monitor network traffic
Businesses can also monitor the traffic on their network to detect potential threats. Businesses will usually do this in one of three ways:
Packet sniffing (yes, you read that right) involves capturing and analyzing all the network packets transmitted between devices on the network.
Packet sniffers can be configured to operate in either filtered or unfiltered mode. Unfiltered means the sniffer will capture all packets and save them to a local drive for further investigation. Filtered means the sniffer will only capture packets that fit certain criteria.
This can help businesses identify potential security threats, such as malware or unauthorized access attempts.
NetFlow analysis involves collecting and analyzing metadata about network traffic flows. This could be the source and destination of the traffic, the amount of data being transferred, or the protocols used.
The results of this analysis allow businesses to identify patterns of behavior that may indicate a security threat.
Intrusion detection and prevention systems (IDS/IPS) continuously monitor your network to identify and prevent any unauthorized users accessing certain data or networks. An IDS/IPS uses both behavioral and signature-based monitoring and logs data about suspicious or malicious activity.
Using this data the IDS/IPS can then pass it to your IT security administrator or terminate a suspicious user's session.
This makes it a great way to identify and protect against malicious actors or actions.
Implement a disaster recovery plan
While prevention methods are preferable, damage control is something that businesses can and should consider.
A disaster/recovery plan will outline the practical steps an organization will take in response to a cybersecurity breach, attack, or data leak.
These might include ensuring an employee's laptop can be wiped or disabled remotely should it get left in at their local Denny's (for example).
These seven methods can provide businesses with a lot of protection against the security risks posed by remote working. But as we have mentioned throughout, many of them come with major trade offs in terms of productivity or employee experience.
So the big question is: how can you protect yourself against the WFH security risks without impacting your business performance?
How to balance business outcomes and security with remote working.
The best way to strike this balance is to use a dedicated WFH environment solution. When done right, these solutions, platforms, or apps can negate the need for some of the methods above.
Why do I need a dedicated WFH solution? Because the methods used to maintain security while working from home are only worth their salt if they don't constrict your business or your employees to the point that their jobs become harder or markedly less enjoyable.
Because employee experience (EX) is a big thing. According to a report by Gartner, the employees of organizations that effectively shape EX are:
- 31% more likely to report high-intent to stay
- 35% more likely to report high discretionary effort
- 47% more likely to be high performers
Which means when we take a closer look at some of the key methods businesses use to secure work from home, we find they're not as useful as they first appear.
The drawbacks of using A VPN include everything from slow running internet speeds right the way through to getting locked out entirely
VPNs are expensive which often means businesses (especially fast growing SMBs) will try and make sure the cost doesn't get too out of hand. That often leads to businesses opting for a VPN with limited server space—and suddenly your entire workforce gets hit with lag.
This is because at times of high activity, there will be a bottleneck of data packets trying to get through the secure VPN tunnel. Worse still, VPNs are blocked in some countries (and occasionally from domestic WiFi networks too).
This means that if your employees are (kinda understandably) making the most WFH and actually traveling—they'll be at the mercy of the VPN to actually do their work.
The drawback of using endpoint protection is that—not to put too fine a point on it—it's really intrusive.
Picture the scene, your employer isn't giving you a work phone because it makes a lot more sense to use your personal one. But to ensure your work email account remains secure, they ask you to install a piece of end-point monitoring software so they can keep an eye on your device.
So suddenly your personal device is being monitored by your employer. Not only is this inconvenient, it can start to make your employees feel like they're under surveillance.
Add to that overly zealous multi-factor authentication methods and your EX might be the reason your employees start dusting off their resumes.
How does a WFH environment solution work?
There are a bunch of companies out there offering work from home environment solutions—the problem is, some of them are not quite up to the task.
To help you sort the pretenders from the contenders, we've provided a checklist of features that cover the four most important considerations you need to be aware of.
Overall level of security
Any WFH environment solution needs to actually be seriously performant. So with that in mind make sure you check if the platform:
- Has compliance for GDPR, CCPA, SOC2 built in
- Allows you to update remote worker application automatically
- Was designed to cater to the specific compliance needs of your industry
- Provides you with a secure environment that can only be accessed by an authorized end-user
Ability to account for human error
Sometimes, we screw up at work. That's just the nature of the beast. But when it comes to WFH environment solutions, you need to ensure your platform:
- Blocks the use of copy/paste—so you don't end up with accidental sensitive data drops
- Disables the use of screenshots and screen shares
- Stop employees being able to download sensitive data to their device
The level of employee experience As we mentioned above, EX is big business. So it's worth getting medieval when accessing the EX your WFH environment platform offers. Key things to consider are:
- Whether the platform is plug and play or requires a heavy lift from your IT department to set up.
- The speed of the platform when it's actually handling the kind of user traffic you need it to.
- If the platform is intuitive to use (e.g. by using a browser-based framework so your employees won't need a lengthy onboarding process).
- ses simple, effective, and non-invasive authentication (like biometric logins).
If it's remote-native or not This may sound basic but the final thing to consider is if the environment has actually been designed for the specific challenges of working from home.
There are a lot of solutions that are trying to reframe their current functionality in WFH terms, rather than actually making solutions built for remote working. To avoid this make sure the platform in question:
- Doesn't rely on VPNs to ensure security
- Ensure the virtual workspace is completely independent of the device it's running on
- Has a secure hub where workers can add any additional apps or tools they need—so they don't have to go hunting for third-party ones
Ensuring you have these points covered can be the difference from spending money on information security, and actually making information security work from home.
Obviously we're biased as heck, but we think the solution that covers these checklists best is Cubeless.
- Anyone can set it up and use it (and get going in minutes)
- It's super simple to use (Chrome interface so there's no learning curve)
- It's SOC2 compliant and you can easily add industry-specific policies
- You get a virus engine, keystroke logger blocker, copy/paste blocker, secure cloud-based download storage and more
- It costs just $30 a month with no commitment!
If you want to find out why we think it's worth all the hype—head over to our product page and let us know you think it stacks up.