Debunking the Corporate Workplace Security Myth: Cyber Risk in Offices vs. At Home

The outbreak of the COVID-19 pandemic and the ensuing mass migration to remote work created the belief that employees were less safe, from a cybersecurity standpoint, at home than in their offices.

This has been the prevailing line of logic for almost two years, but there is a great deal of evidence to suggest that a home office can be as secure as, if not more secure than, an office cubicle. The belief likely stems from fear of the unknown. In reality, some risk factors have changed, but the overall risk is often reduced in a remote working scenario.

The myth of the secure corporate network

The fear of the unknown is actually what causes employers and employees to take additional precautions and implement security measures at home – sometimes measures that are lacking in their corporate office. Companies generally trust their employees in the office, but this leads to the simplistic view that everything inside the network is trusted and everything outside is not.

A corporate campus is a known quantity in which people feel comfortable once ensconced at their desks. That comfort turns into complacency: the risks are overlooked because the environment is familiar. Working from home is unfamiliar, which makes people uneasy and uncertain about their security.

Home networks are commonly considered untrusted, so a zero-trust approach is usually taken to protect corporate devices against attacks from the local network: for example, some organizations require a full-tunnel VPN that blocks all other traffic to and from the local network. Corporate networks, by contrast, are usually trusted, which leaves endpoints open and vulnerable to attack from any rogue device plugged into the local network.

Perceived trust clouds security judgment in office settings. Consider which networks and devices actually carry encryption and other protections. Unencrypted network protocols are extremely common on a corporate network, whereas a user working from home reaches corporate resources almost exclusively through encrypted channels such as a VPN or HTTPS. Laptops and other portable devices normally carry protections such as full-disk encryption and pre-boot authentication, while office desktops and servers often do not, because they are assumed to be protected by the physical access controls of the building or data center where they sit. Overall, unencrypted data, whether electronic or printed, is far more likely to be found in a corporate office than in a home office.

Corporate networks are also often treated as trusted locations by external cloud-based services. Many organizations require multi-factor authentication when employees access those services from home, but drop the requirement when the same services are accessed from the office network's IP range, purely because of the perceived security of the physical location. Anyone who gets a device onto that network inherits the exemption.
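The location-based exemption described above, modelled as an added example (not code from the article): a policy that skips MFA for office IP ranges is evaluated side by side with one that gives the source network no trust at all. The IP ranges, user, and sign-in records are constructed assumptions, and the third sign-in is the case the exemption misses, a stranger's unmanaged laptop plugged into an office port and using a phished password.

```python
"""Location-based MFA exemption versus a policy that trusts no network.

Constructed example (not the article's own code); the IP ranges, users and
sign-in records are assumptions chosen to illustrate the point."""
import ipaddress
from dataclasses import dataclass

# Assumed corporate egress and internal ranges (203.0.113.0/24 is a
# documentation range, 10.0.0.0/8 stands in for the office LAN).
OFFICE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


@dataclass
class SignIn:
    user: str
    src_ip: str
    device_managed: bool   # enrolled corporate endpoint that passed a device-health check
    password_ok: bool      # first factor succeeded


def from_office(ip: str) -> bool:
    """True if the source address falls inside a network the policy calls 'office'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def location_exempt_policy(s: SignIn) -> str:
    """The pattern the text describes: MFA only when connecting from outside the office.
    Returns 'deny', 'allow' or 'require_mfa'."""
    if not s.password_ok:
        return "deny"
    return "allow" if from_office(s.src_ip) else "require_mfa"


def zero_trust_policy(s: SignIn) -> str:
    """Source network carries no trust. Every sign-in needs a second factor,
    and an unmanaged device is refused wherever it connects from."""
    if not s.password_ok:
        return "deny"
    if not s.device_managed:
        return "deny"
    return "require_mfa"


# Constructed sign-in events. The third is the case the office exemption misses:
# a stranger's laptop on a meeting-room port, using a phished password.
SAMPLE_SIGNINS = [
    SignIn("alice", "198.51.100.7", device_managed=True, password_ok=True),   # from home
    SignIn("alice", "10.20.30.40", device_managed=True, password_ok=True),    # at her desk
    SignIn("alice", "10.20.30.99", device_managed=False, password_ok=True),   # rogue device in the office
]


def evaluate(policy, signins) -> list:
    """Apply one policy to each sign-in and return the decisions in order."""
    return [policy(s) for s in signins]


def unchallenged_sessions(policy, signins) -> int:
    """Count sign-ins the policy lets through on a password alone."""
    return sum(1 for d in evaluate(policy, signins) if d == "allow")


if __name__ == "__main__":
    for name, policy in (("location-exempt", location_exempt_policy),
                         ("zero-trust", zero_trust_policy)):
        print(name, evaluate(policy, SAMPLE_SIGNINS),
              "unchallenged:", unchallenged_sessions(policy, SAMPLE_SIGNINS))
```

Under the location-exempt policy the rogue device is indistinguishable from Alice at her desk, because the only signal consulted is the source address. The second policy replaces location with signals an attacker on the LAN cannot borrow (device enrolment and a second factor), which is the practical meaning of not trusting the corporate network.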

Corporate offices are more susceptible to a physical attack

A quick web search can find a corporation's main or branch offices, but when the same 1,000 employees are working remotely it is almost impossible to find out where each of them is.

In terms of a physical attack, a centralized office is generally easier to locate and is a far more attractive and far easier target than someone's personal residence. Given the size of the organization, it also concentrates many more employees, much more equipment and potentially large amounts of data in one place, making the office the juicier target.

Physical attacks such as tailgating are also more likely to succeed in a large office environment, where employees might not recognize each other and may therefore miss a stranger walking in behind them. Tailgating into someone's home, on the other hand, is extremely unlikely to succeed. Since physical offices routinely admit vendors, customers and interviewees, the scope for an attacker to gain entry by posing as an authorized person is much greater.

Remember that there is also a human risk element in an office. Offices make it harder to keep information compartmentalized: in an open-plan office, laptop screens are in plain view, sensitive and confidential documents are printed, and employees or even guest visitors may see or overhear information they shouldn't. In some cases, information is picked up in the background when an office-based employee takes a call.

Perceived security vs. true security in communication platforms

Too many organizations view security through the wrong lens.

In some cases, an organization may decide that email is not secure and instead want to communicate by telephone or post, because those channels are perceived to be more secure since they do not pass through connected devices.

In its default state, email is not secure: messages may be transmitted unencrypted between mail servers, and between server and client if encryption is not enforced, meaning that someone with the right access to the infrastructure and the right skills could still intercept them.

A telephone call is carried over a network in much the same way and is subject to the same possibility of attack. Even worse, if an individual is using a conventional telephone line, a bad actor could intercept the communication by opening the telco's switch box on the street and tapping the wires to listen to the call.

The same threat holds true for conventional or snail mail. It is routed in much the same way via physical carriers, but intercepting the post requires no specialist knowledge or access, whereas intercepting email requires considerably more.

Practicing secure communication methods

The basic SMTP protocol used for server-to-server email delivery was designed for plaintext communication. That exposure, however, lies between the sender's provider and the recipient's provider. Client-to-server communication is a separate hop: most users access their mail service over HTTPS through webmail (Gmail, Hotmail and the like), and desktop or mobile mail clients typically use IMAP and SMTP submission over TLS. Intercepting the last mile therefore yields nothing readable, because that traffic is encrypted.

Even where email is transmitted unencrypted, intercepting it requires privileged access to network infrastructure or the ability to capture and reassemble packets on the path, which is harder than snatching an envelope. An attacker cannot simply tap a wire under the street as with a phone line; they need to be positioned on the route the message takes and be able to decode the traffic.

All major providers support TLS for SMTP (via STARTTLS) and will use it by default when the other side offers it, but that negotiation is opportunistic and can be stripped by an attacker on the path. Domains can publish policies, such as MTA-STS or DANE, that tell sending servers never to fall back to unencrypted SMTP. Standards such as S/MIME go further and allow end-to-end encryption of message content using X.509 certificates, the same PKI model used for HTTPS websites.

Looking past outdated workplace security

What passes for common knowledge is often wrong. Office settings carry a perception of security that does not survive scrutiny. Older forms of communication may not be attackable over the Internet, but that does not make those platforms and methods safer in today's world.

The "tried and true" cannot be taken for granted as secure merely because it is what has always been used. Organizations should look at all sides of the problem before declaring one method more secure than another, and should reconsider which workplace setting is actually the most secure.