The way employees work in today’s tech-driven office has changed significantly over the last few years. Working from home is becoming increasingly common. Cloud applications – Salesforce, Google Docs, Microsoft Office, etc. – are the gold standard because they allow employees to do their jobs from anywhere. And employees are using their own mobile phones and laptops to access work documents and emails remotely.
The good news in all of this is that employees are now often happier and more productive than they have been in the past. But at the same time, this changing nature of work is creating new cybersecurity concerns for both employees and employers as the same technology that enables you to work remotely also gives cyber criminals new ways to steal company data. Here are four of the top security issues businesses need to keep in mind in the modern office:
Your VPN is only as effective as the employee using it
Virtual Private Networks are obviously having a big moment this year. When Congress overturned regulations that prohibited ISPs from selling a customer’s web browsing history, consumers and organizations of all sizes began increasingly turning to VPNs to protect their browsing data and information from being tracked and sold.
VPNs going mainstream is definitely good news, especially for the IT people who have been hammering home the importance of network security for years. But of course, a VPN link is not the be-all-end-all of your company’s web security. One major drawback of a VPN link is that it will require backhauling of data at the HQ, which means you will need to increase capacity on the network through expensive hardware and software upgrades.
The big security weakness in your company's VPN, however, is that -- whether you know it or not -- employees don't really want to use it. Concerns over slow speeds or battery drainage (whether those concerns are founded or not) mean employees are simply turning off the VPN and working over an unsecured public network. When employees bypass the VPN so simply, their information - and the company’s data - is not sent back to HQ to be encrypted first. This not only increases the risk of a hack or breach, but also means that ISPs would be able to track and sell a user's browsing data.
Public Wi-Fi isn’t always safe, even if you are using a VPN
A related issue is brought on by employees using open public Wi-Fi. Open Wi-Fi networks are accessible from almost everywhere -- coffee shops, hotels, airplanes and the subway -- but it’s no secret they are also cybersecurity nightmares.
If an employee is trying to get her job done from a Starbucks or while traveling and using in-flight or hotel Wi-Fi, her data may not be secure even if she is trying to use a VPN link. This means opening up your network to hackers that now have access to an employee's sensitive information including personal data, healthcare records and credit card information. And not only does this affect the employee, but the employer and others associated with their network - ultimately opening them up to cyber attacks.
The reason for this is a bit of a chicken and egg scenario where authenticating access to the public Wi-Fi (by accepting terms of use for example) will need to be done before the VPN can establish a connection. And if the VPN is turned on, it won’t be able to establish a connection until after you can access the Internet. The result? Employees will often simply turn off the VPN while it is authenticating. Even for a few seconds, this can create significant security concerns as unencrypted data moves over the public network and becomes vulnerable to potential cyber theft.
This is true even if an employee’s device connects automatically to the network, as is the case with many public Wi-Fi networks, for which the user must still actively open a browser to a “captive portal” before gaining internet access. Here, too, potential hackers are gifted a critical void in protection until the VPN takes over. And what may or may not be exposed during this fleeting, but valuable, period depends on what software is running. For example, whether using a POP3 or IMAP server, Apple Mail or Outlook email, if your account automatically checks for new mail, then that traffic (potentially including sensitive login credentials) is clearly visible for waiting hackers.
SaaS applications mean more of your data is in the cloud
With Salesforce, Google docs, Microsoft Office and other cloud applications now used by nearly every company, employees are accessing their work from everywhere. As a result, more company data lives outside of the organization’s network perimeter than ever before. Just last year, Dropbox announced that upwards of 68 million logins were hacked and leaked across the Internet.
While these SaaS applications are typically very secure, your employees’ own devices may not be. One major attack on Salesforce – known as the Zeus trojan – took advantage of an employee’s infected computer to steal Salesforce login credentials and then exfiltrate company data. What’s more, cybersecurity experts have long warned of the risk of smartphones being hacked without the user’s knowledge, providing direct criminal access to Google Drive materials, DocuSign documents and more.
BYOD is here to stay
This brings us to one of the top issues IT people need to manage today: the fact that more employees are using their personal mobile phones, tablets or laptops to do their jobs outside of the workplace. Of course Bring Your Own Device (BYOD) has many benefits for the organization -- primarily the reduced hardware spend. Beyond that, BYOD goes a step beyond was what previously available to remote workers, enabling employees to access work from anywhere.
But there are also myriad security concerns brought on by allowing employees to access company data or applications on their own devices. How is data protected on a device outside of the company’s secure network? How do you create standard cybersecurity protocols across different devices or operating systems? What if an employee device is stolen or lost? These are questions all companies must consider when employees take advantage of BYOD. Unfortunately, many organizations have not been able to solve these issues even though BYOD is almost a given in most office environments today.
Conclusion
The answer to all of this is that organizations need to look for security solutions that follow the user, not the other way around. Most cyber solutions have not adapted to the modern workplace. Cybersecurity solutions work best when the user doesn’t even realize they are working and that means having the same protocols and protections regardless of where the employee is working or what device they are using.
Peter Martini, President / Founder, iboss
- Also check out our list for the best VPN
