With the recent pandemic forcing most of us to work from home, we've seen an unprecedented increase in VPN access, in addition to the cloud through the likes of Office 365 and Teams. Business continuity has become the number-one goal for IT departments, and unfortunately, this has forced security to take a backseat – and attackers are taking advantage.
Home-based workers often log in from unsecured Wi-Fi, use unpatched personal devices, or turn to unsanctioned services and tools to collaborate, communicate, and share documents.
The move to remote work has significantly expanded the threat landscape for cybercriminals. As the crisis continued, we saw a sharp rise in brute-force attacks against corporate VPNs and in Advanced Persistent Threats, as well as insider threats. It's likely that many companies have been compromised and simply don't know it yet.
We can't turn back the clock on remote work and it appears this is now the 'new normal', with offices opening with limited staff, and more employees embracing the flexibility and work-life balance improvements.
Here are five suggestions to shore up your cybersecurity defenses in our new remote work age.
Know what happens in Teams
Microsoft Teams helps workers collaborate by creating and sharing files, folders, and more in the cloud, and understandably its use is exploding. But Teams also allows users – not administrators – to call the shots. Users can spin up new teams, share files, invite internal and even external users, and share all kinds of information if the right controls are not in place. To complicate matters, files shared in Teams are then stored in new locations within Office 365. Teach staff about setting up Teams securely, restrict who can create groups and add users, and ensure you keep watch on the data that users share in Teams and where it ends up within Office 365.
Take a data-first approach
Data is the lifeblood of every organization, but most companies know very little about this critical asset. Your network file shares likely include salary information on employees, banking and payment information, business contracts and plans, intellectual property, and much more. Too often, data is overlooked and left open to everyone in the organization.
Should a breach take place, a hacker would gain the same access to your data. Visibility and context are key—know what you have and where it is, and understand how it may be at risk.
Restrict information access
Employers typically give their staff far more access to information than they need to do their jobs. In a recent report, we found that 53% of companies had at least 1,000 sensitive files open to all employees. Files typically multiply as employees copy, share, and resave information where it's often open to everyone.
When criminals steal user credentials, they gain access to everything the user has – and from there can maneuver at will, explore what's interesting on your network, access data, and more. Limiting access to data will help minimize potential damage when a breach does occur.
Get ready for more targeted attacks
Cybercriminals are focusing their efforts on specific companies, breaching their networks, and quietly searching for sensitive content. They will try to remain under the radar and steal critical files. Once they grab what they want, they'll hold up the victim for ransom and threaten to release the stolen files. Prepare by watching for unusual access and activity, especially during "off" hours.
Back up your critical data, and leverage automation to stop ransomware in its tracks. Should a ransomware attack hit your network at 3:00 am on a Saturday, technology will be the first line of defense.
Watch for signs of compromise
Remote workers should be leveraging VPNs and secure cloud services for work, which ensures that an employer can track and monitor data use. There is always the danger of employees accessing data maliciously, which is why close monitoring is so important.
If a user is logging into the network from two places at once, for instance, that could mean their account was hijacked by an attacker. Similarly, if a user starts accessing a lot of sensitive information they've never seen before, it should trigger an alert and investigation.
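The two signals described above can be expressed as simple detection rules. The following is an added example, not code from the original article: the session and file-read records are constructed sample data, and the sensitive-path prefixes, the threshold of three files, and the 30-minute window are assumptions you would tune to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data (not real logs): VPN sessions as (user, source, start, end).
SESSIONS = [
    ("asmith", "Toronto/203.0.113.10", ts("2020-06-06 02:40"), ts("2020-06-06 04:10")),
    ("asmith", "Kyiv/198.51.100.7", ts("2020-06-06 03:00"), ts("2020-06-06 03:45")),
    ("bjones", "Boston/192.0.2.44", ts("2020-06-06 09:00"), ts("2020-06-06 12:00")),
    ("bjones", "Boston/192.0.2.44", ts("2020-06-06 11:30"), ts("2020-06-06 17:00")),
]
# Constructed file reads as (user, time, path); BASELINE is each user's prior access history.
READS = [("asmith", ts("2020-06-06 03:0%d" % i), "/finance/payroll_%d.xlsx" % i)
         for i in range(1, 6)]
READS += [("bjones", ts("2020-06-06 10:00"), "/finance/payroll_1.xlsx")]
BASELINE = {"asmith": {"/eng/design.docx"}, "bjones": {"/finance/payroll_1.xlsx"}}
SENSITIVE_PREFIXES = ("/finance/", "/hr/")  # assumed classification rule

def concurrent_logins(sessions):
    """Return (user, source_a, source_b) for overlapping sessions from different sources."""
    by_user = defaultdict(list)
    for user, src, start, end in sessions:
        by_user[user].append((start, end, src))
    alerts = []
    for user, items in by_user.items():
        items.sort()  # by start time, so a later session overlaps if it starts before e1
        for i, (s1, e1, src1) in enumerate(items):
            for s2, e2, src2 in items[i + 1:]:
                if s2 < e1 and src1 != src2:
                    alerts.append((user, src1, src2))
    return alerts

def new_sensitive_bursts(reads, baseline, threshold=3, window=timedelta(minutes=30)):
    """Return users who read >= threshold never-before-seen sensitive files in one window."""
    first_seen, counted = defaultdict(list), set()
    for user, when, path in sorted(reads, key=lambda r: r[1]):
        known = path in baseline.get(user, set()) or (user, path) in counted
        if path.startswith(SENSITIVE_PREFIXES) and not known:
            counted.add((user, path))  # count each new file once per user
            first_seen[user].append(when)
    return [user for user, times in first_seen.items()
            if any(times[i + threshold - 1] - times[i] <= window
                   for i in range(len(times) - threshold + 1))]

if __name__ == "__main__":
    print(concurrent_logins(SESSIONS))
    print(new_sensitive_bursts(READS, BASELINE))
```

Overlapping sessions from the same source (a reconnect, for example) are deliberately not flagged, and a user re-reading files already in their baseline does not count toward the burst.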
Remote work is shaping up to become a long-term reality. Attackers are well aware that companies are more likely to let their guard down when employees are remote.
Take steps now to understand and monitor your data, limit access, and prepare for possible compromise. Your data – and your company – depend on it.
Already susceptible to mental health challenges, some lawyers’ stress levels are being amplified by the industry’s ongoing shift to remote work.
Oftentimes, working remotely can allow the flexibility to find a good work-life balance. But mental health advocates warn that all that time spent at home can also lead to undetected stress and feelings of isolation.
What’s more, some may find themselves working more than ever from home. A recent survey by the Association of Corporate Counsel found that over half of in-house respondents are working more remotely than when they were in the office, with over 40% also experiencing anxiety.
Still, law firms, corporations, and individual attorneys themselves are in a good position to address these potential mental health issues head-on.
To be sure, remote work is far from new to the legal industry, and some attorneys have adjusted well to the freedom of not being under the direct guise of their firm, noted Patrick Krill, founder of behavioral health consulting firm for the legal industry Krill Strategies.
“Law firms have been moving toward allowing people to work remotely over the last few years as a perk or benefit and to increase their well-being,” Krill said. He added that for some, this meant forgoing long commutes and dealing with “less stress because they can attend to other aspects of their life.”
Still, coronavirus-induced state shutdowns have left some lawyers out of the office for months, meaning burnout from overworking can go unchecked. “Often when lawyers find themselves with that extra time they tend to overwork and the lines between work and home are blurred even more,” Krill added.
Timothy Bowers, the managing partner of cloud-based VLP Law Group, advised that firms shouldn’t look to have access to their attorneys 24-7 while they are working remotely. For the attorneys newly initiated into remotely working, Bowers suggested maintaining their pre-coronavirus schedule. “I think it’s really important for folks to maintain some sort of routine that they had in the office.”
However, workload realities can make some routines unrealistic, said Kirkland & Ellis director of wellbeing Robin Belleau, a lawyer and licensed clinical professional counselor.
“You kept hearing the recommendation that you stick to your regular schedule and when people couldn’t they felt bad but in actuality they were doing what they needed to do,” she said.
Belleau believes that people need to be more flexible in how they structure their time when working at home with children and others.
While some are juggling multiple people’s needs and schedules, other lawyers can be experiencing strong bouts of isolation while working through quarantines. But some firms have looked to address that by hosting “virtual happy hours,” which can be a useful tool for fostering engagement.
“Telling jokes and being social in a way to make that connection in a remote world that we are used to but it’s important because we’re all online, [during] not just COVID but the protests, Black Lives Matter issues, all the chaos in the world,” said James Fisher II, founder and managing partner of virtual firm FisherBroyles. “We are keeping tabs of everybody and have that human connection so to speak.”
Krill also stressed that it’s critical to stay connected and leverage video conference platforms to spot any warning signs that may go unnoticed when an attorney is communicating entirely through emails or phone calls.
“It’s really important that someone working from home doesn’t go largely unseen for large periods of time and it’s happening,” Krill said, adding that during the pandemic, attorneys can go two or three months without a manager seeing them. “There need to be nonnegotiable visual check-ins with people, not every day, but certainly regularly.”
But such check-ins also require more than just exchanging pleasantries.
“This is true in-person but more so virtually: If you’re a partner or supervisor knowing how to ask open-ended questions [is important],” Belleau said. “I even defer to this as a therapist. I will ask, ‘How are you doing?’ The typical answer is, ‘Fine.’ If you want to get more information about how they’re doing, you want to ask an open-ended question: ‘Tell me how your day is going.’ It’s an opening [for them to offer] more details and insights into how they’re actually doing.”