Maximizing user convenience in exchange for data has become the key impetus for most app developers, and although a minority of users prefer adhering to an ethos of stringent data privacy, there are still a great number of users on the polar opposite end of the spectrum: these are the “1234” or “password” as password people who never seem to give the security of their multiple online accounts a second thought. For those of us between these two extremes, however, we must acquiesce to the knowledge that the high number of accounts we have to remember passwords to, the multiple devices we log in to each day, and the trust of the network are safe when we log on, carry within them a kernel of associated risk.
Don’t forget IoT
Internet of Things (IoT) devices aren’t new. For the better part of a decade, infosec professionals have warned about the vulnerabilities of the smart fridge in the company break room, and as more devices become connectivity-enabled devices, there has been no shortage of rather fishy incidents.
As consumers continue to find out the hard way that these devices have inherently weak security measures, companies need to keep in mind that their remote workforce can be highly susceptible to hacks, especially if the devices they use are paired with laptops or other endpoints (like smartphones) that they also use to conduct official business on.
Of course, these kinds of products all come with default passwords that users are then required to change.
Companies should strongly consider robust endpoint security measures to prevent ‘invasive’ IoT devices from penetrating their systems if they anticipate their remote workforce ever getting bored or amorous or both.
A college kid phones home to ask her dad for the Netflix password and he responds: “MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento.”
“Why is your password so weird, Dad?” asks the student.
“They told me it needed to include eight characters and at least one capital,” says Dad.
Despite being annoying, this password would take beyond the estimated end of time to crack. However, most people don’t go with passwords that are so long and complicated that they can not ever be figured out. But this raises a good point about security and convenience. When someone at your company decides to use “password” or “star wars” or “baseball” or any of the other bad passwords that people like to use, this compromises not just their own online security, but also the security of your proprietary client or customer data, as well as any other employees on your network.
One possible negative outcome of someone gaining access to your system through shoddy endpoint security is called internal phishing. It is exactly what it sounds like—an internal account is breached due to a weak password or other security flaws, and once inside your network the bad actor poses as that employee to send put malicious files disguised as internal documents, make requests of other employees for data, or simply mine information from the internal APIs they have access to.
An easy way to avoid this is to ensure your employees are aware of cybersecurity basics and aren’t recycling passwords, but also so that they only have access to files and systems that they are supposed to have access to. However, if you don’t have the ability to pull credentials remotely from your employees, this kind of attack can be difficult to control.
Update your software
This may sound like a simple one, but the reason software companies are always bombarding you with updates is because vulnerabilities aren’t always obvious or immediately discovered, but when they are they need to be addressed as soon as they are.
Sometimes patches are needed to update or add features that make the piece of software competitive and good for you to do business with, other times software updates are designed to merely increase functionality and efficiency. For your company to remain safe from cyber threats, it’s best practice to ensure any new updates are installed at the end of each business day, or at startup if the patch is addressing a security issue, so that your systems can remain safe.
Without software updates, the services you depend upon will run slowly, be less secure, and will leave your business open to more cybersecurity threats.
The best way to ensure your business is prepared to face cybersecurity threats is to foster a culture of cybersecurity awareness. If the people working for you are knowledgeable about various ways that things can go wrong when working remotely your company can severely limit the online threat profile that faces businesses online.
Additionally, incorporating a robust set of cybersecurity measures that allow your infosec team to gain remote access to endpoints on your network means your business will be in a position to actively mitigate threats as they arise—as well as install updates, make sure access is granted and revoked accordingly, and limit what your employees can access on work devices.
The consumer need for convenience drives technology companies to innovate, but that doesn’t mean convenience is the same thing as laziness. Nor should it mean that the gained convenience of adopting new tech should stifle your cybersecurity preparedness.