Prior to March 2020, the majority of daily work was conducted within the four walls of the office. This meant organizations could rest assured that emails, phone calls and video meetings were all hosted by the secure company Wi-Fi network. Once the pandemic hit, employees were scattered all over cities, provinces, and even countries, forced to work on company-issued IoT devices over home and public Wi-Fi networks.
Widespread remote work is likely here to stay, even after the pandemic is over. But the resumption of travel and the reopening of public spaces raises new concerns about how to keep remote work secure – in the home, in the airport, in a neighborhood coffee shop, and beyond.
In particular, many employees used to working in the relative safety of an office or private home may be unaware of the risks associated with public Wi-Fi. Just like you can’t be sure who’s sitting next to your employee in a library or other public space, you can’t be sure whether the public Wi-Fi network they’re connecting to is safe. And the second your employee accidentally connects to a malicious hotspot, they could unknowingly expose all the sensitive data that is transmitted in their communications or stored on their device.
Taking scenarios like this into account when planning your cybersecurity protections will help keep your company’s data safe, no matter where employees choose to open their laptops.
The perils of public Wi-Fi
An employee leaving Wi-Fi enabled when they leave their house may seem harmless, but it can make them vulnerable. Wi-Fi enabled devices can reveal to bad actors the network names (SSIDs) that the user normally connects to when they are on the move. A fraudster simply needs to use this information to imitate a known “trusted” network that is not encrypted, then sit back and wait while many devices automatically connect to these “trusted” open networks, without verifying if the network is legitimate.
Often, attackers don’t even need to emulate known networks to entice users to connect. According to a recent poll, two-thirds of people who use public Wi-Fi set their devices to connect automatically to nearby networks, without vetting which ones they’re joining.
If your employee automatically connects a company-issued device to a malicious network — or is tricked into doing so — a cybercriminal can unleash a number of damaging attacks with far-reaching consequences for your organization.
What’s the worst that could happen?
First, the network connection can enable the attacker to intercept and modify any unencrypted content that is sent to the employee’s device. That means they can insert malicious payloads into innocuous web pages or other content, enabling them to exploit any software vulnerabilities that may be present on the device.
Second, and once such malicious content is running on a device, many technical attacks are possible against other, more important parts of the device software and operating system. Some of these provide administrative or root-level access, which gives the attacker near-total control of the device.
And third, once an attacker has this level of access, all data, access, and functionality on the device are potentially compromised. The attacker can remove or alter the data, or encrypt it with ransomware and demand payment in exchange for the key. The attacker could even use the data to emulate and impersonate the employee who owns or uses the device – and all because they left their Wi-Fi enabled.
A multi-layered approach to remote work security
Luckily, these worst-case scenarios won’t occur every time an employee connects to an unknown network while working remotely outside the home — but it only takes one malicious network connection to create a major security incident. To protect against these problems, make sure you have more than one line of cybersecurity defenses protecting your remote workers against this particular attack vector.
Require VPN use: The best practice for users who need access to non-corporate Wi-Fi is to require that all web traffic on corporate devices go through a trusted VPN. This greatly limits the attack surface of a device, and reduces the probability of a device compromise if it connects to a malicious access point.
Educate employees about risk: Connecting freely to public Wi-Fi is normalized in everyday life, and most people have no idea how risky it is. Simply informing your employees about the risks can have a major impact on behavior. No one wants to be the one responsible for a data breach or hack.
Verify users continuously: If an attacker does gain access to an employee’s device, early detection is vital. To boost security, consider layering on technologies that can verify users continuously without adding additional friction. For example, passive biometrics verifies each user’s identity based on their inherent behavior, like how they hold their device or type, making it possible to spot many intruders before they can do serious damage.
As we reach the end of the pandemic, work arrangements will continue to evolve. It’s impossible to know exactly what the future of work will look like just yet. However, it makes sense to begin preparing now for a future where “working from home” doesn’t necessarily happen at home.
That means taking a multi-layered approach to security that takes into account the risks of public Wi-Fi. By educating employees, leveraging a VPN and using technology to continuously verify user identity, you can protect your company’s data from this lesser-known method of attack.