Login | January 23, 2021

Remote working security problems (and solutions) wrap-up

Technology for Lawyers

Published: January 1, 2021

As we now move toward the end of 2020, thank goodness (we won’t talk about hindsight here), it is time to encapsulate all of the remote working security advice that we’ve been parceling out over the course of the year in one handy reference guide.
First, the potential problems, starting with malware (virus) attacks. One antivirus company found that a quarter of all companies that went to remote working after shelter-in-place orders suffered malware attacks. These arose from some pretty predictable circumstances, including weakened security protocols and corner-cutting, as well as infections spreading from home devices back to the corporate/office server.
Phishing. As one would expect, the pandemic has given birth to a plethora of COVID-related scams, including phishing emails. The changes wrought by the sudden move to remote working can also negatively impact office procedures (like verifications). It can also introduce new working tools without adequate training in their use. All of these things can create cracks in the office safety net.
Data breaches can easily follow the switch to emote work, powered by unsecured networks, the fact that firm data is now stored on local devices (home computers, phones, etc.), and potential device theft. Also, the more devices are connected remotely to the network, the more chances there are for ransomware attacks.
All of these weaknesses can lead to unauthorized network access. Home workers may not have set up their VPNs properly or may not keep them updated. And a real problem comes from not properly securing Remote Desktop Protocols (RDP) that allow remote network access.
So—not to overstate the obvious but working to eliminate these weaknesses have to be foremost in the minds of all remote workers and firms.
And again, not to belabor these points, but data safety in the new remote workspace requires highly proactive effort, including constantly updated staff training, particularly on “not clicking on any email links”; constantly updated antivirus and VPN software; Strong spam filters; RDP management (including turning it off unless it’s really necessary); patch/update management; the use of multi-factor identification; and limiting user interfaces to the bare minimum, called “principle of least privilege.”
If you can’t do all this, hire someone who can. It will be well worth it.