News & Stories

Remote work is a massive security risk. Are employers keeping up?

Ray Fernandez

Jul 26, 20238 min read

Remote work is a massive security risk. Are employers keeping up? (Header image)

Our quest to understand the remote work security landscape starts with the story of an employee. For the sake of this story, we will say he is a man, and we will call him Bob. 

Bob is a DevOps engineer at a major technology company. As a remote worker, he works from home and various locations outside of the office — like millions of other people in the post-pandemic world. Somewhere around August 2022, Bob noticed that his home computer was acting strangely. His keystrokes would pause a little, and sometimes his browser would feel a bit slow.

But the plot of this story thickens. Bob’s name may not be real, but he is, in fact, a real person. Bob actually works for LastPass, one of the biggest password manager companies in the world, holding the passwords for more than 33 million users. 

That month, when Bob downloaded a third-party media software package onto his home computer, a remote code automatically executed itself and installed a simple piece of keylogger malware. The keylogger registered everything Bob typed in, including his high-level credentials and passwords. 

The attack that started with a keylogger on Bob’s computer and spread throughout the LastPass system didn’t happen overnight. It came from a hacker who persisted inside the company’s system for months, launching two attacks, one after the other. Not until May 2023 would a LastPass investigation finally acknowledge the full extent of the breach. All 33 million users’ data was at risk. 

Bob’s story is an example of what can happen when remote work environments go wrong. And Bob, while that is not his real name, is not alone. 

Remote worker sits in front of three computers

Hackers are increasingly targeting remote workers 

In Jan 2023, The Guardian confirmed it was hit by a ransomware attack “most likely triggered by a phishing attempt.” In December 2022, Activision, the blockbuster video game developer and owner of Call of Duty, was breached after a hacker accessed an employee system obtaining data from all the company’s workers. And in January 2023, a criminal breached Norton Life Lock using compromised passwords in a “stuffing” attack.

The list of attacks linked to remote and hybrid workers, leveraging stolen credentials, is never-ending. As the Center for Strategic and International Studies (CSIS) explains, cybercriminals, criminal organizations, and nation-state groups target any sector, including private, public, health, energy, government, and even defense and military. 

Fortinet’s 2023 Work-From-Anywhere Global Study reveals that two-thirds of companies surveyed experienced a data breach in the past 2 to 3 years due to “Work From Anywhere (WFA)” employee vulnerabilities.  

Humans make mistakes

The Tessian report, “Psychology of Human Error,” in its second edition, says that 1 in 4 workers fell for a phishing scam, up by 25% from 2020. More than half of workers (56%) said they had received a phishing text message. 

Additionally, as the number of breaches caused by data being sent to the wrong people is on the rise (32%), 2 in 5 workers admit they have sent an email to the wrong person.

2 in 5 workers admit they have sent an email to the wrong person.

The Tessian report, “Psychology of Human Error”

But why is this happening? Why are workers making these mistakes? Stress, burnout, and pressure are the answer. Over half of the employees surveyed (51%) said they make mistakes at work when they are tired or distracted. Meanwhile, 50% are stressed out, and 34% are burned out. When asked why they sent the wrong email to the wrong person or with the wrong attachment, half of workers responded they were under pressure to send emails quickly. 

Cybersecurity workers — who, 3 years ago, did not have the weight of the world going digital due to a global pandemic on their shoulders — are also experiencing pressure, burnout, and stress.   

Ethical hackers on companies getting hacked

Chris Evans is CISO and Chief Hacking Officer at HackerOne, the largest organization of ethical hackers in the world. The organization provides security services for the US and the UK Department of Defense, PayPal, GM, Reddit, AT&T, GitHub, and others. Evans spoke to us about the shift to hybrid work and everything that comes with it. 

“The global shift to remote and hybrid work environments drove mass digital transformation and introduced a slew of new security challenges for CISOs,” Evans said. “Many organizations I’ve spoken to that embrace digital-first workforces worry about the security risks that come with digital transformation. Namely, expanding attack surfaces and an increasing reliance on unsecured remote work solutions.”

Despite increasing return-to-office calls and the end of post-pandemic work policies, the world knows that hybrid work is here to stay. The Red Access 2023 State of Hybrid Work report says that about two-thirds of CISOs believe most of their employees will primarily work in hybrid or remote mode in 3 years. 

Remote workers in public spaces

The benefits of remote work are undeniable: reduced costs for workers and companies, better life-work balances, and flexible roles. However, Red Access says that CISOs are concerned about how this model affects security. In fact, 72% of CISOs agree that hybrid and remote workforce systems have a negative impact on their organization’s security.

A HackerOne report found that digital transformation was a leading cause of vulnerabilities. Ethical hackers working at the organization were among the first to raise red flags, as they identified vulnerabilities in the systems that drive how hybrid businesses worldwide work today.

According to CISOs, the top vectors of attacks are insecure browsing, poor endpoint security, misuse of personal devices, and of course, phishing and scams.  

The top vectors of attacks are insecure browsing, poor endpoint security, misuse of personal devices, and of course, phishing and scams.  

HackerOne report

“And we’re seeing the challenge of securing software supply chains come to life in the rise of supply chain attacks like SolarWinds and Kaseya,” Evans said. “Organizations are right to prioritize addressing these challenges. Those that have transitioned to digital-first workplaces must prioritize security best practices for themselves and when evaluating vendors.”

Evans says that one of the best practices worth adopting is a vulnerability disclosure program (VDP). As a leader of HackerOne, Evans also advocates for the potential and effectiveness of ethical hackers. He calls for the bug bounty program (BBP) to be considered as “continuous support from the global ethical hacker community, whose creativity and expertise augment internal teams to better identify gaps within their attack surfaces.” 

Inside a tech company’s efforts to protect its remote team  

Like most companies, we at MacPaw switched to a remote work model after the COVID-19 pandemic began. To make things even more challenging, in 2022 MacPawians spread across Europe and beyond as many fled the war in Ukraine. Today, only a fraction of our team chooses to work from the Kyiv office.

MacPaw’s IT Security Engineer Artem Bovtiukh explains that the company has all of its security policies, security agents, and action plans adapted to hybrid work environments. All team members not in the office work through VPNs. Additionally, team members undergo remote work security awareness courses. 

Multi-factor authentication and Zero Trust are particularly useful for MacPaw in remote work environments to ensure that access is granted only to authorized users, regardless of their location or device.

A day in the life of a security engineer

As an IT Security Engineer working to ensure hybrid work environments at MacPaw, Artem Bovtiukh’s day starts with checking monitoring systems, Security Information and Event Management (SIEM), and reacting to changes if needed.

As his day continues, he works on project tasks and reacts to alerts and user requests. Teamwork and organization are the keys to strong systems, and Bovtiukh is always in close contact with the security analyst and OfficeIT team to better react to challenges. 

If you were to ask Bovtiukh which security software solutions he has running in the background on any given day, he would be reluctant to share the details. And this is understandable. Security teams will not disclose specific software, as that information can be leveraged by cybercriminals. But Bovtiukh does share that the company has mobile device management (MDM) agents and endpoint detection and response (EDR) agents deployed and operational on workers’ laptops. 

Bovtiukh explains that when the security team at MacPaw gets a threat detection alert or a flagged notification from an employee, having a plan and being swift and efficient is critical. The team reacts according to the service-level agreement (SLA) as soon as they detect an incident or have an alert. 

All security team members know what to do during a threat situation. This allows them to react rapidly even if some of the team members are unavailable. Everything happens quickly at the cybersecurity command post of MacPaw. The security analysts start gathering as much information as possible. Simultaneously, any affected employee is contacted. Bovtiukh’s role during a security incident is to perform the necessary actions to mitigate the threat. 

Bovtiukh reveals that after the incident, the post-mortem (after-action) report is put together, analyzing all the information gathered, and lessons learned are shared with the security team and affected workers. From there, new plans of action are formed to prevent similar incidents from happening and to strengthen the hybrid work security environment of the company. 

Challenges, priorities, and security burnout

Artem Bovtiukh isn’t afraid to open up about security burnout and how he approaches it. He highlights time management and team communication as fundamental to managing stress. “And the gym! Having good exercises or taking a small run after a hard day works like a charm,” Bovtiukh says. 

When it comes to the top security and privacy challenges and priorities of managing remote teams, Bovtiukh lists them out for us as follows:    

  1. Securing remote access and access to company systems and resources
  2. Ensuring data privacy because team members can expose company data, especially when working in public places like co-working
  3. Maintaining endpoint security, because we have more challenges when we don’t have physical access to a laptop and ensure stable network access 
  4. Adopting new policies and updating security awareness programs, because establishing a solid cybersecurity culture caused the work environment to change and expand

The future of remote work cybersecurity 

Experts around the world are keeping a close eye on quantum computing, machine learning (ML), and artificial intelligence (AI) for their disruptive potential in cybersecurity. And MacPaw’s security team is no different. 

Artem Bovtiukh explains that AI and ML are double-edged swords. On the one hand, they are being used to improve threat detection and response. On the other, cybercriminals are using the same tools to develop more advanced attacks. 

“These technologies can analyze vast amounts of data in real-time and identify patterns that may indicate a potential security threat, but we still work with humans and human error, so AI cannot predict everything,” Bovtiukh says. 

We still work with humans and human error, so AI cannot predict everything.

Artem Bovtiukh, IT Security Engineer at MacPaw

When we asked Bovtiukh what types of attacks keep him up at night, he preferred to skip the question. However, he did make one thing clear. Bovtiukh says to always “expect the unexpected.” This advice certainly sheds light on the fast-paced, high-stakes lives of security specialists working in remote work environments.

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.