By Clare O’Gara
Tue | May 19, 2020 | 2:46 PM PDT

COVID-19 may have caused the recent spike in the remote workforce. But for many, working from home is here to stay, even as parts of the global economy begin to reopen.

Take Twitter CEO Jack Dorsey. He recently said that his company's employees can continue to work remotely "forever" if they want, even as coronavirus concerns ease.

Working from home can be great for cybersecurity professionals, too.

SecureWorld recently covered a theory from Internet Security Alliance senior director Josh Higgins that remote work could help solve the cybersecurity talent gap:

"Most employees are seeing positive outcomes from teleworking, including increased efficiency and lower risk of burnout. Further, it revealed that 85 percent of respondents agree that teleworking is here to stay—even beyond the pandemic."

But working from home still has risks; in particular, massive security risks.

What are the security risks of the remote workforce?

According to a survey of 6,000 employees by Kaspersky, 73% of employees working remotely "have not yet received any specific cybersecurity awareness guidance or training from their employer." 

Adding to that is the fact that 27% reported already receiving COVID-19 related phishing emails.

Those are some scary statistics. And what about technological gaps that have appeared?

Technological risks have grown with remote work

Working from home changes everything about your environment, physically and digitally.

As we've learned, that change can actually benefit employees when it comes to productivity and mental health.

However, working from home comes with inherent technology security risks, particularly given how fast the transition occurred in the midst of COVID-19. Many organizations scrambled to prepare.

Greg Franseth covered this in one of SecureWorld's Remote Sessions panel discussions. Franseth is the Director of Professional Services for Cadre Information Security:

"One of the things that's made the situation worse is a lot of home networks were already hacked. So we were sending people home and they had, whether it was their router or their Internet of Things devices, we were sending them into exposed situations. So it's an unusual situation rather than a hacker coming and creating an incident. We were extending our environments to include spaces that were already penetrated by hackers of various sorts.

You have to plan for the things you aren't thinking of. That's really critical."

This reality makes security awareness even more important where working from home is concerned.

Why security awareness is critical, including for remote employees

Ryan Kalember, EVP of Cybersecurity Strategy at Proofpoint, discussed the crucial nature of security awareness during the opening keynote of the joint Proofpoint and SecureWorld eSummit:

"When we looked at the data on how the attackers' techniques actually work, we realized that 99 plus percent of it relies on social engineering; it doesn't rely on technical vulnerabilities anymore.

You want to know who would actually fall for those threats, who might click on malicious links. And not all users are created equal."

When it comes to the "very attacked people" within an organization, this is how Kalember explains things:

"There is a tiny little sliver of users at the very top, they get almost all the interesting attack activity. That might be 50 people, that might be 250 people depending on your organization, but you are going to see a cluster of people that are much more appealing to the attackers than everybody else. Understand who those people are and how you can better protect them.

Maybe even better than that, learn how they think and how you might exhibit empathy as a cybersecurity practitioner, and then achieve better risk management outcomes for your organization."

Remote work means changes in how we communicate about security

While the shift to remote work comes with risk, it also poses a new security opportunity.

Mike Bailey, Sr. Product Manager for Proofpoint, covered this idea during a recent SecureWorld web conference:

"It's really creating that new opportunity. If you're a security department, you say I want to educate people, want to make sure they're safe while at home. I want to connect with new channels. It's the perfect time to email your staff, to email your HR partners, to email other departments and say, 'How can we work together now?' It just has shifted everybody professionally, their attitudes on working and work-life balance, and the things you can do to help end-users. And that's probably one of the biggest silver linings we're seeing from the pandemic."

This includes knowing how to communicate with the security team if an employee thinks they could be experiencing a cyber incident.

Now is the time to reframe cybersecurity through the work-from-home lens.