The shift to remote access

The Great Pivot forced every business to adapt its operational model to enable mass remote access. In the first instance, priorities were geared towards business continuity, getting employees set up, and able to access the needed services. In the rush to do so, this will have led to improvisations and best practices being neglected, particularly security configurations. Some may have retraced their steps and revisited configurations to tighten up, but many won’t have. 

The draconian attitude that employees “need to be seen to be working” has eased, largely due to the general acknowledgment that people can work beyond the office productively, despite early technological limitations. This is why, for 74% of businesses, remote working will continue once things have returned to normal. The real question is, can employees work securely whilst away from the office?

In our annual Cloud Security Report we revealed that 52% of organizations experienced a malware incident on a remote device in 2020, up from 37% in 2019. Any marked increase in threat trends is worrying for businesses, but malware and remote workers is a problematic combination, so we’re going to look at the potential reasons as to why this trend has occurred and some possible remedies. 

remote access and malware

Enabling remote access to corporate applications

Providing employees with access to corporate services was the priority at the start of the pandemic and this was likely done by scaling their existing remote access solution like a VPN or procuring a new service.

VPN has been a mainstay of corporate infrastructure for a long time, however, the technology was not designed for today’s cloud-based architectures or heavy workloads. Without proper planning, configuration and maintenance, VPN can give a false sense of security. Although it provides users with an encrypted route to the corporate network, it also enables broad access and visibility, which is ideal for malware attacks. 

As a recent example, Travelex’s breach demonstrated how bad actors can take advantage of a VPN compromise to deploy malware. The attackers utilized an unpatched critical vulnerability in Travelex’s VPN, causing the business to shut down operations across over 30 countries. 

Remote workers are inherently more vulnerable to security threats as they’re not protected by the corporate network and they don’t have the safety blanket of their colleagues. It’s very easy when you’re in the office to lean over your desk and ask a colleague whether they’ve received a strange email with a suspicious attachment. Phishing campaigns are an incredibly common delivery mechanism for malware.

As VPNs use password-based authentication, they can be susceptible to credential theft and stuffing. With businesses moving to more identity-centric models of security, Multi-factor Authentication (MFA) has been widely adopted to prevent account takeovers, but with the rush to remote work, some companies may not have integrated VPN into Identity and Access Management (IAM) processes. While IAM helps mitigate the threat of account takeovers, it doesn’t mean that they’re safe from malware. An authorized user can still have malware, and so a user’s identity should never vouch for the health of a device. 

Forced Bring Your Own Device (BYOD)

The overnight decision to work from home would have caught companies off guard, perhaps without enough inventory to give every employee a properly configured, corporate-owned device for working remotely; Bring Your Own Device (BYOD) would have been a necessary provision to get employees online and working. 

The security challenges of BYOD are well known by the infosec community, but it is a trend that has gained momentum and demand from employees and executives alike with productivity advantages outweighing security challenges. 

The lack of control over a personal device is a primary concern for administrators, there’s no guarantee that these devices meet the elevated security requirements of an organization. Employees are ultimately responsible for their own device security, so the reality is, they probably don’t meet the needed hygiene requirements. Our research shows that employees are generally slow to adopt new security-related updates. One example is the major WhatsApp vulnerability that enabled attackers to infect devices using a malicious GIF file; 50% of users failed to make the needed security update within a month. 

As well as maintenance of legitimate applications, administrators have no control over what applications can be installed on personal devices, which is problematic as there are plenty of examples of malicious applications available on the App Store and the Play Store. In one of our recent research stories, we found Trojan malware infecting 17 apps on the App Store.

Malware is easy to stumble across online, even in perceived safe spaces; malvertising is another example of how malware can be delivered, whereby attackers make use of advertising networks to distribute malware across perfectly safe websites.

It’s commonplace to install some form of security product on your laptop, however, there has been a long-held misconception that Apple products and mobile devices are immune to malware. If people are misinformed about how they can fall prey to malware, then it inevitably creates risk for organizations that have had to adopt BYOD programs.

How to protect remote workers from malware?

It’s no longer effective to create a fixed line of delineation between what’s safe (inside) and unsafe (outside). The shift toward cloud technologies and long term remote working makes this approach impractical and susceptible to breaches. Security needs to reflect the distributed and complex nature of modern workplaces.

To prevent malware from ever reaching the corporate network or a cloud application, it’s important to have endpoint diagnostics in place that can assess the health of a device and determine an appropriate level of access. Confirming user identity is an important part of the authentication process, but without risk-aware access controls in place, companies enable authorized users to shepherd malware to the business’ data. 

Ensuring an appropriate level of access is tied to each user identity is also essential. The principle of least privilege access has grown in importance, particularly due to the rising awareness of Zero Trust security models. For malware to be successful it often needs an account with elevated privileges, so limiting each user to only what they need, is critical in limiting the blast radius of a malware incident. 

Formulating a BYOD policy will help end-users manage their devices in line with the business’ security expectations. Despite security training, employees won’t have perfect knowledge of threats, vulnerabilities, and their consequences, so clearly stipulating acceptable usage on BYOD and minimum security requirements for access to company services will go a long way in managing risk. 

Webinar

How to secure SaaS applications when everyone is working remotely

Wednesday, February 17 2021 8:00 AM PST / 4:00 PM GMT

SaaS comes with a set of risks that companies need to consider as they embrace more cloud-hosted applications, but there are options for improving the organization’s defenses that IT and security leaders must consider. Find out at our upcoming webinar.

Register now