How to ensure a Zero-Trust approach for remote workers


Despite the fluidity of restrictions across the globe, there has been a seismic shift in working culture that looks like it is here to stay. The Work From Home (WFH) movement has been fueled by a sharp increase in remote workers who continue to search for roles that keep them at home rather than in an office. Whether permanently remote, hybrid, or temporarily remote, device security becomes even more critical when employees are not on-site.

About the author

Sami Bouremoum, CEO of Hofy.

It shouldn’t come as a surprise, then, that there has been a sharp rise in cyber-attacks that directly correlates with this exodus of employees from the traditional bricks-and-mortar workplace. 2021 was a record year for data breaches; by Q3 2021, the number of publicly reported data breaches had already surpassed the total for 2020 as a whole (according to the Identity Theft Resource Center), and the total number of breaches exceeded the record set for a single year. It is a similar story for phishing emails. Security firm Barracuda Networks reported a 667% increase in phishing emails from February to March 2020, a time when many governments first introduced work from home orders.

A remote workforce is more vulnerable to cyber-attacks than an office-based one for a variety of reasons. The most obvious is perhaps the increased reliance on digital information sharing; conversations, or even documents, that could be highly sensitive are shared via networks rather than by word of mouth or sight. These networks are often insecure too; home networks can be compromised, and public spaces, such as coffee shops or co-working spaces, often have limited security that is easy to attack. Then there are the devices: personal laptops and devices are increasingly replacing traditional desktop computers. Countering these vulnerabilities is not straightforward, especially for firms hiring internationally.

The challenges of maintaining endpoint security remotely

One of the most obvious security challenges with remote workers is communication. Verbal conversations have been replaced with facilities such as instant messengers, emails, cloud documents and video conferencing. These are all susceptible to attack and, even with encryption, can never be guaranteed to be completely resilient to cyber-attacks.

Out-of-office networks present another challenge to businesses; within an office, an IT department can impose security measures, such as blacklisted IP addresses and firewalls, on its network. Companies have no control over home broadband or public WiFi; anyone could access the same network as an employee and the company would neither know about it, nor be able to counter the threat.

In addition, an increasingly prominent challenge is personal device use. The risk of sensitive information leaking into an insecure environment is significantly increased when employees download messenger apps such as Slack and Zoom onto their personal devices and carry out tasks on their phones, both of which are more likely when employees are working away from an office on asynchronous schedules. It is therefore unsurprising that in Cisco’s Benchmark Report 2020, over half (52%) of respondents considered mobile devices a significant cyber security challenge.

The final challenge is geographical consistency. Companies that embrace remote working are no longer limited to hiring within commuting distance to their offices, and can now access talent globally. For IT teams, this makes the task of pre-configuring, deploying, managing, and recovering devices securely that much more challenging.

Considerations when providing remote employees with devices

It is essential that any company with remote or hybrid staff implements a robust device management solution. For additional security, organizations should also look to pre-configure devices with applications and security policies before they are allocated to remote hires. Below are a few considerations for a business with regard to device management:

  1. Security Policy: There needs to be a sensible level of security in place; perhaps encrypted disc drives or, at the very least, a device password policy along with firewalls and/or anti-virus software.
  2. Installation of Applications: Applications could also be pre-installed on devices to limit the threat of third-party applications being attacked by cyber criminals.
  3. Software Updates: Software updates are another consideration; these can often be done remotely but should be routinely monitored to check that a device is up-to-date.
  4. Loss or Theft of Devices: If devices are lost or stolen, a business will ideally want the ability to wipe any data in order to prevent external bodies from accessing sensitive data.
  5. Outgoing Employees: On average, more than 80% of former employees retain access to at least one sensitive business system after they have left their role; it is therefore a good idea to be able, again, to remotely wipe data from a device once its user has left their role.

Zero-touch pre-configuration and unified mobile device management

Running an in-house IT team makes sense for office-based organizations. When employees are dispersed throughout the same country, it can still be possible to operate this way; albeit with significant time delays that can hamper the employee experience. When companies operate transnationally, with workforces distributed throughout the world, an in-house IT team is even less effective. With most scaling organizations operating in this manner, there needs to be a complete re-think of how to approach device management. 

Think about the time that goes into sending one new hire a laptop. Someone in the IT team must order the laptop to their unit, unbox and preconfigure the device, and then courier it to the new hire. This time could be better spent elsewhere. By outsourcing this device pre-configuration to companies like Hofy, and then operating under a zero-trust policy in which employee devices are connected to a platform which enforces endpoint encryption, security policies and the installation of antivirus software, the risk from cyber-attacks can be dramatically reduced. 

When the employee then leaves the company, and their privileges need to be revoked, the device can be collected, and any sensitive data securely erased. Only through this perspective of device-specific security can a company truly aim to be secure from cyber-attacks with a remote workforce in place.
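
The five device-management considerations listed earlier, and the zero-trust enforcement described above, can be expressed as a per-device posture check that decides whether a device is allowed, blocked until fixed, or wiped. This is an added illustration, not code from the author or from Hofy; the field names, the 30-day update threshold, the approved-app list and the sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

MAX_UPDATE_AGE_DAYS = 30                     # assumed threshold
APPROVED_APPS = {"slack", "zoom", "office"}  # assumed pre-installed allow-list

@dataclass
class Device:                                # hypothetical inventory record
    owner: str
    last_update: date
    disk_encrypted: bool = True
    password_policy: bool = True
    firewall_on: bool = True
    antivirus_on: bool = True
    apps: set = field(default_factory=set)
    reported_lost: bool = False
    owner_active: bool = True

def evaluate(dev, today):
    """Return (decision, reasons): 'allow', 'deny' (blocked until fixed) or 'wipe'."""
    # Items 4 and 5: lost or stolen devices and leavers' devices are wiped.
    if dev.reported_lost:
        return "wipe", ["reported lost or stolen"]
    if not dev.owner_active:
        return "wipe", ["owner has left the company"]
    reasons = []
    # Item 1: baseline security policy.
    for ok, msg in [(dev.disk_encrypted, "disk not encrypted"),
                    (dev.password_policy, "no device password policy"),
                    (dev.firewall_on, "firewall disabled"),
                    (dev.antivirus_on, "antivirus missing or disabled")]:
        if not ok:
            reasons.append(msg)
    # Item 2: only pre-approved applications.
    extra = sorted(dev.apps - APPROVED_APPS)
    if extra:
        reasons.append("unapproved apps: " + ", ".join(extra))
    # Item 3: update status is measured, never assumed.
    age = (today - dev.last_update).days
    if age > MAX_UPDATE_AGE_DAYS:
        reasons.append(f"last update {age} days ago")
    return ("deny" if reasons else "allow"), reasons

TODAY = date(2022, 3, 1)  # constructed reference date
FLEET = [                 # constructed sample inventory
    Device("ana", date(2022, 2, 20), apps={"slack", "zoom"}),
    Device("ben", date(2021, 12, 1), disk_encrypted=False, apps={"slack", "filesync"}),
    Device("cy", date(2022, 2, 25), reported_lost=True),
    Device("dee", date(2022, 2, 25), owner_active=False),
]

def triage(fleet=FLEET, today=TODAY):
    return {d.owner: evaluate(d, today) for d in fleet}
```

Calling triage() returns one decision per owner together with the reasons, so a blocked user can be told exactly what to fix before access is restored.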
