Security Think Tank: Testing to improve remote worker security

Despite claims that employers are encouraging and, in some cases, requiring employees to return to work, it is evident that the pandemic has permanently altered the way people operate. It may well be that the pandemic only increased the rate of change. Many organisations already had the technology in place to offer remote working and understood the potential benefits such as increased productivity, increased retention and lower operating costs. But in addition to the benefits, remote working has brought its own cyber security dangers, which may have been missed due to quick adoption.

It is critical to examine an organisation's security posture via vulnerability assessments, penetration testing, or red teaming activities that cover the whole attack surface, including remote workers. This can significantly minimise cyber risk while also increasing security awareness and secure behaviour among remote workers and all employees.

Organisations cannot rely on a security operation centre (SOC) to detect anomalies and threats that come from remote workers. SOCs work on datasets of what normal traffic and behaviour looks like and then any deviation from this can be quickly identified. With work patterns so different and flexible now there is no clear ‘new normal’, making it increasingly challenging for SOCs to identify normal and abnormal behaviour.

Security testing helps an organisation in identifying and correcting vulnerabilities in software, systems, and networks, including evaluating any remote access. It is essential to establish and maintain the security of remote workers by testing all programmes they use for vulnerabilities that could compromise their data, privacy or day to day operations.

Not only can detecting remote access security vulnerabilities through testing prevent data breaches, but it also promotes security awareness and best practice among remote workers and the company as a whole, improving security posture.

When it comes to remote workers, the importance of security awareness cannot be overstated.

The ability to adapt security awareness to focus on the most significant concerns and vulnerabilities for your organisation, as well as demonstrate real-world examples based on actual discoveries, will resonate with remote workers. If security testing is done correctly and communicated effectively, it will improve awareness of remote working risks, ensure understanding of the need for security policies and procedures, and show remote workers how to take proactive and preventative steps.

Red teaming, which simulates a real-world cyber-attack carried out by a team of ethical hackers, can be particularly effective for businesses with a large and diverse remote workforce. Red teaming puts the entire organisation's cyber security, detection and response capabilities, as well as its overall resilience to cyber attacks, to the test.

Red teaming will highlight the vulnerabilities and threats that remote workers face when accessing the organisation's network, systems and data from any device. It also provides an opportunity to assess and improve the effectiveness of existing remote worker security measures and policies, such as MFA and encryption.

It can also help improve communication between the organisation’s cybersecurity team and the remote worker. Simply making sure remote workers are aware of potential hazards and who to report any suspicious activity to is extremely powerful, but often it is not as straightforward as it sounds.

Security testing remote user networks to assess all potential vulnerabilities has its own issues, including the ever-changing number of different devices, applications and configurations. In addition, the amount of personal data such as financial and health information that user networks may contain means there are serious ethical and legal privacy concerns. Any testing will need careful and specialist planning, preparation, and execution, as well as the understanding and authorisation of the user. Without consent any security testing of a remote user could fall foul of legislation such as the UK’s Computer Misuse Act.

It is critical to guarantee that any penetration test or red teaming effort is conducted by specialists who are committed to the highest professional and ethical standards and understand the specific issues with resting remote worker security. Not only are you allowing them to simulate an attack on yours and your workers’ systems, but the work must also deliver actionable and targeted advice. It may also require some contact with your remote workers. It is essential that any social engineering elements of the testing are carried out carefully and sensitively to promote security awareness rather than a blame culture.

The result must be a network of remote workers that are informed and empowered to help you implement any discoveries and continuously improve your security posture moving forward.

With the right security information, testing, tools and controls in place, together with ensuring training and information are readily available for end-users, working remotely can be as secure as working from an office.

Rowland Johnson is president of professional cyber security association Crest.