While most security thinking seems to centre on hardware and software, there is one other major threat that seems to slip by without much public discussion. That is the threat posed by users, the so-called threat between the keyboard and chair back.
The FBI carried out a study that showed that users are the greatest security threat, due in part to their unpredictability. Errors of omission and commission by users cause the majority of security breaches.
One view is that remote workers are the largest security threat, but the reality is a little more complicated than that.
There are two levels of threat associated with remote workers: the security of the connection itself, and the behaviour and actions of the remote worker.
In that circumstance, remote workers are no more of a security threat than workers connecting via the local corporate network connection.
Remote Connection Security Requirements
Virtual Private Networks
Ideally an organisation needs a secure connection between remote users and the corporate network. This can be difficult in the case of mobile workers who connect from a variety of locations, often using a public service, perhaps a public WiFi service in a hotel or mall.
Other connections may come from a home Internet connection.
This is where a virtual private network (“VPN”) comes in. Simply put, a VPN is a private tunnel over the Internet between two points. It gives remote users direct access to the corporate network while providing a layer of protection against intruders trying to find a direct line into your network.
The remote user's device (PC, tablet or smart device) hosts a software application that manages that end of the connection, ensuring that only authorised users can initiate a session over that connection. The host end of the VPN is usually programmed to recognise and allow connections by known remote users only.
Because remote users may be connecting from different sites over different connection types, the authentication process is multi-layered: first comes a verification that the device is allowed to connect to the VPN, followed by a second layer of user authentication. Both are usually carried out by the VPN client software, invisible to the user. Thereafter the normal authentication process follows, to connect to the corporate network and receive the appropriate user authorities.
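The layered check described above, as an added example that is not part of the original article and not taken from any VPN product: the gateway verifies the device first, then the user, and only then hands over the user's authorities, failing closed at the first layer that rejects. The device fingerprints, the user record, the function names and the reduction of the final corporate logon to an authorities lookup are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: one enrolled device and one user record.
ENROLLED_DEVICES = {hashlib.sha256(b"constructed-laptop-certificate").hexdigest()}

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256, so the gateway never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"asmith": {"salt": _SALT,
                    "hash": _derive("constructed-Passphrase-1", _SALT),
                    "authorities": ["mail", "file-share"]}}

def device_allowed(cert_der: bytes) -> bool:
    """Layer 1: is this device enrolled for VPN access?"""
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return any(hmac.compare_digest(fingerprint, known) for known in ENROLLED_DEVICES)

def user_authenticated(username: str, password: str) -> bool:
    """Layer 2: does the user hold valid VPN credentials?"""
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not reveal valid names.
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])

def open_session(cert_der: bytes, username: str, password: str) -> dict:
    """Run the layers in order and fail closed at the first one that rejects."""
    if not device_allowed(cert_der):
        return {"connected": False, "failed_layer": "device", "authorities": []}
    if not user_authenticated(username, password):
        return {"connected": False, "failed_layer": "user", "authorities": []}
    # Layer 3 (assumption): the normal corporate logon, modelled here as the
    # lookup that grants the user's authorities.
    return {"connected": True, "failed_layer": None,
            "authorities": list(USERS[username]["authorities"])}
```

Recording `failed_layer` for every rejected attempt gives the security team a way to tell an unenrolled device apart from a wrong password when reviewing VPN logs.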
VPNs, however, are often not enough by themselves. They are often carried and managed by third parties, which brings a level of insecurity into the equation. The VPN carrier needs to be thoroughly vetted before a connection can be deemed secure.
The FBI say that the only secure network is one that hasn’t been hacked yet. If you are intending to transmit highly secure corporate data over a VPN connection to remote workers, then a further level of security is in order.
Email can be encrypted using key pairs, so that only the intended recipient can decode and read the email. There are encryption applications for all common email applications. Attachments like worksheets can be protected in this way. There are also applications which will encrypt speech.
When they connect, there is no difference in the security processing of remote and local corporate network users.
What else needs to be done
As noted above, the majority of security breaches happen through user action or inaction. Not all breaches result in a cataclysmic collapse of network services. Many hackers intent on stealing financial data, or on committing ID theft and industrial espionage, want to do it as quietly as possible, to give themselves time to dispose of their ill-gotten gains before the theft is discovered.
One common attack vector is phishing or spear-phishing. In both cases, the user receives an email containing an internet link. The mail appears to come from a trusted source: a financial institution, friend or colleague.
Activating the link initiates a process to collect user credentials which will be used later to commit the actual data theft.
What is needed is education of both local and remote users, to ensure that they know and understand what an attack looks like, what they should and should not do, and how and to whom to report the attempt.
The education process starts at induction, is regularly reinforced, and is supported by a series of company-wide security protocols applicable to both remote and local users. It might be more difficult to include remote users who rarely visit corporate offices in formal sessions, but it needs to be done.
This may require that the configuration of all remote user equipment is managed from the corporate IT centre, by installing a suite of anti-malware and firewall software on their PC or laptop. They will certainly need the VPN client. It should also include password policies covering length, complexity and regularity of change.
In answer to the question, are your remote workers your biggest security threat, the answer is no. They might be among your biggest security threats, but users in general certainly are.