ARN

How remote working impacts security incident reporting

Security teams must update their security incident reporting policies and processes to account for remote work or risk exposure to increased threats.

The ability for employees to work remotely comes with many benefits, from better work-life balance to lower expenses to higher productivity. 

But a widely dispersed workforce can pose some great challenges for security teams, not least of which is how remote work affects security incident reporting. 

With companies growing more accustomed to implementing security technologies and processes better attuned to mass remote working, incident reporting has the potential to become a major stumbling block.

Along with introducing and maintaining such protocols as remote-appropriate identity access and authorization practices, security teams must also review and adjust their reporting policies to reflect the nature of remote work or expose their organizations to significant security threats.

Having a remote workforce can create an overload of security incidents simply due to the diversity of networks created by a multitude of user home or remote setups, as opposed to an office environment whereby everyone is on the same network, Forrester Senior Analyst Paddy Harrington tells CSO. 

“It’s one thing managing 12 networks because you have 12 offices, but if you have 1000 employees, 900 of which are remote, you have 912 networks to be concerned with. This means that incidents, including those that are reported, are going to vary a great deal more because everybody’s home network is different.” 

And that can lead to alert fatigue for security teams if even just a fraction of incidents are reported, Harrington says.

New challenges for incident reporting

Operational, behavioral, and technological factors can all impact cybersecurity incident reporting for a remote workforce, introducing a new set of challenges mainly centered around communication and collaboration, Austin Wolf, staff information security analyst at Code42, tells CSO.

“Do you reach out via Slack or Teams, or over email? Do you pick up the phone and give someone a call? How do you keep everyone involved in the incident on the same page? When an incident occurs, teams need to work closely together and corralling your team in a remote environment is sometimes harder than just gathering around someone’s computer screen.”

According to Taharka Beamon, SOC manager at Reed Exhibitions, employees in traditional office settings typically use the local help desk as their first point of contact for incident reporting, “with many people preferring to visit IT staff in person to explain unexpected or potentially malicious behavior on their computer.”

This becomes troublesome if a remote system is compromised and the employee is unable to use it to report that they are experiencing an incident, nor can they walk down the hall to the nearest IT support office, adds Jason Hicks, field CISO at Coalfire.

Without convenient, remote-friendly communication channels and instructions for all eventualities, businesses are likely to suffer from poor reporting from workers outside of the office, who may delay and then forget to report a potential security incident altogether, says Jonathan Wrolstad, senior threat intelligence manager at ExtraHop. 

Differing time zones across more dispersed workforces come into play too, which can lead to delays in reporting and response times, says Mirza Silajdzic, cybersecurity analyst at VPNOverview.

Remote work influences employee behavior around security

Remote work also impacts and changes staff behavior and awareness around cybersecurity, which can impact incident reporting, says Richard Jones, global CISO at Orange Cyberdefense.

“Formal settings such as an office with structure and organisation provide employees with an established routine and clear boundaries for what is work-related and what is not. Remove this perimeter and they may struggle to maintain the vital human element of security protection because people adapt to their surroundings and responsibilities blur when working from home.” 

Therefore, what staff may think to report as a security incident will continue to change over time, Jones tells CSO.

“A lack of mental or physical connection to an office can mean that employees may be tempted to downplay the seriousness of a potential infringement and not fully appreciate the relevance or application of corporate policies within the home environment,” says Blackberry’s Keiron Holyome, VP UKI, Eastern Europe, Middle East, and Africa. 

Remote users may even be more reluctant to report a security incident due to a sense of embarrassment, he says.

“Cyber shame – a reluctance to report a breach due to embarrassment or fear of the consequences – can mean potential threats are ignored or buried.”

System- and endpoint-based security incident reporting and response can be negatively impacted by remote working too, says Immanuel Chavoya, emerging threat detection expert at SonicWall. 

“For instance, if the system flagged a user’s machine for a malware intrusion, there may be some delay in the security team being able to make any necessary updates, whereas, in person, the security engineer can immediately access the device and take any necessary action.”

One of the main security challenges to a business with remote workers is the inability to view all endpoints in the system, which inhibits the operation of core security detection needed for report and response, Chavoya adds. 

“Endpoints become disparate in their location when accessed remotely, disrupting the connection to the corporate infrastructure, ultimately leading to a potential increase in the average time to detect malicious activity and the average time to resolve the security incident.”

Poor reporting = loss of customer confidence

The risks of an impeded reporting process due to remote working are significant. When incidents go unreported, reports are delayed/miscommunicated or follow-up actions/responses are hindered, it can leave vulnerabilities exposed and/or buy attackers time in the system to infiltrate more of the network before the security team can detect and contain threats and malicious activity, Chavoya warns. 

This can not only exacerbate the severity of incidents and attacks but can also damage both the reputation of a business and its ability to meet certain data protection regulations which stipulate strict rules surrounding disclosure. These could lead to loss of customer confidence and large monetary penalties.

It is therefore paramount for security teams to update their reporting policies and processes to account for the security implications of remote working.

“The home and hybrid working trend is here to stay, so it is incredibly dangerous for security teams to rely on policies and processes designed for a bygone era when most, if not all, employees were based in a controlled office environment,” says Holyome. 

However, teams must approach new strategies with careful consideration so as not to introduce greater threats, he adds. 

“With resources already stretched by the rise in the frequency and complexity of cyber activity, additional pressure on time and skills to roll out policies across a distributed workforce – including adapting the education and enforcement of policies amongst remote employees – can itself create vulnerabilities and risks.”

Effective remote security incident reporting policies

Ensuring effective remote security incident reporting is key to establishing clearly defined, documented, and easy-to-use communication channels and processes for employees to reach IT and security staff, Beamon says. 

“Internal policies about the maintenance and punctual updating of documented contact information for IT and security teams are crucial. Teams have an added responsibly to ensure employees have contact information for IT and security staff.

This includes providing phone, email, and anonymous communication channels to allow for the method that is most comfortable depending on the situation.”

Employees should also be encouraged to save contact information for IT and security teams along with quick reference reporting instructions offline or on their company cellphone for use in an emergency. 

Effective marketing of this information is your best solution here, adds Hicks. “I’ve put this information on mouse pads, coffee mugs, posters, and other swag over the years. It’s also important to make reporting email addresses short, sweet, and memorable, and keeping the phone number consistent year over year.”

Contact hours should be reviewed to account for the fact that users may be using their devices outside of traditional work hours for personal reasons, Chavoya states. 

“This could also include replacing the in-person response processes, for instance, when a user’s machine needs to be re-imaged remotely, they may need greater guidance on the OS imaging.”

Overall, teams need to be regularly reviewing how accessible their incident reporting processes are for those not based in the office, Holyome says. 

“Are there simple instructions and available contacts that can be used by people that may be experiencing internet outages? Can employees still get in touch with the IT team if they are locked out of corporate software due to the breach? Does the company promote a no-blame culture and empower individuals at all levels in the organization to report issues freely and without fear of recrimination?”

Training and awareness-building help keep employees safe

Training and awareness are also important tools and should encompass the importance of reporting even potential incidents and stressing the heightened security risks remote workers face, experts agree.

“For home-working employees, a cadence of regular communications on security topics can keep the topic top of mind and work towards tackling cyber shame,” Holyome says. 

“In particular, education on phishing tactics and cybercriminals’ exploitation of internal chat functions most used by remote employees will help to raise awareness of the threats to look out for in day-to-day work life.”

As part of these activities, security teams should share real-world examples with staff and, most importantly, ensure that incident reporting numbers are never included in KPIs to show the effectiveness of strong security – unless the intention is to identify a particular business unit that reports the fewest incidents and may therefore need further awareness training. 

Senior leadership should be encouraged to participate in these exercises as well.

“Tabletop exercises and more realistic simulations should also be conducted to ensure all parts of the company are capable and comfortable reporting potential incidents while working remotely,” Beamon says.

Security teams themselves must understand the key threats their remote workforce faces and give clear guidance for what security incidents look like and how they should be reported, says Wrolstad.

“Security is not top of mind for most workers, and they need to be reminded of what the key threats are and what they look like so that they can recognize them during their workday.” 

Security teams need to put themselves in their remote users’ shoes and describe potential security risks in a way their users can recognize, he adds.

Taking the threat level into consideration

Finally, security teams also need to consider how they prioritize the reporting of and response to incidents based on remote-working threat levels. 

“Renewed focus should be paid to certain parts of organizations’ infrastructure, notably VPNs, which have been used for decades by many organisations but have become more important as they are now relied on by a large percentage of employees daily to access corporate networks and resources,” Beamon says. “VPNs therefore need to maintain availability while security teams ensure that any vulnerabilities are swiftly remediated to maintain the data confidentiality and integrity. For internal teams, a vulnerability or incident reported related to VPN and remote network connectivity should have a raised priority level.”

Wolf believes an increased focus on differences between internal and external security incidents is also required.

“It’s important to differentiate whether it’s an internal or external security incident because the approach towards investigating employees wouldn’t be the same as external threats.”