How to prevent data loss during remote work
19 Jun 2020
Who this article is for
Many companies have been compelled to make the transition to remote work. The challenge here is to avoid potential data loss risks while providing staff with necessary work resources.
Not every company has qualified personnel who can set up remote access for employees without exposing confidential data.
This article will be useful to owners of small companies that have come across this problem. We will discuss several ways of connecting to office resources from home without using special equipment or additional servers.
How security issues appear
When your staff work from the office, all necessary resources are located on their computers or in your local network. This way, only people who are in the office can reach these resources.
When staff work from home, they access work resources over the Internet, which opens up a whole range of possibilities for data exposure and can lead to third parties accessing your data.
Many people think that their data is of no interest to attackers and take their own security lightly. However, there are hacking systems that simply go through all the computers they can reach through the Internet and attempt to break into them. Such attacks are not designed to steal someone's data, but specifically to gain access to a computer. With this access, malicious users can then perform future attacks from the computer (and possibly in the name of the "hacked" user).
Below we will talk about the most common data loss cases and basic security measures. Then we will discuss methods of setting up remote access for distance work, related risks, and ways of eliminating these risks.
Loss of login and password
It is important to ensure that third parties never get a chance to steal credentials of your staff. Ask your employees to follow these rules:
- When you write your login details on a piece of paper, keep it safe.
- If you use an electronic device in a public place, always lock it when you don't need it (use a password to unlock the device).
- Avoid sending your credentials to anyone without encryption. You can never be sure your data is safe when you send it to somebody else, because you can't control security measures taken by other people. Besides, there is a chance of human error, which may lead to the message being sent to a wrong address.
Hackers use special software that connects to an open remote resource and attempts to access it by going through common passwords. This is why you should avoid using words from natural languages, numerical sequences, and convenient key combinations (e.g., qwerty) in your passwords. Sadly, too many users set their passwords by doing exactly that. Advise your employees to search for their own passwords in lists of the most common passwords, e.g., 50,000 Most Common Passwords.
When you use a simple password, it's almost as good as sharing your data publicly. To protect corporate data, ask your employees to set long complex passwords with special characters besides digits and letters. It is also important to set different passwords when registering in different services and change your passwords frequently.
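The rules above can be checked automatically before a password is accepted. The following Python sketch is an added example, not part of the original article; the six-entry password set is a constructed stand-in for a real common-password list, and the 12-character minimum is an assumed threshold.

```python
import re

# Constructed sample: a tiny stand-in for a real common-password list
# (in practice, load the full list from a file).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "dragon"}

# Keyboard rows used to spot numerical sequences and "convenient key combinations".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False

def screen_password(pw: str, min_length: int = 12) -> list[str]:
    """Return the reasons to reject pw; an empty list means it passed every check."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if len(pw) < min_length:  # assumed threshold, not from the article
        problems.append(f"shorter than {min_length} characters")
    if pw.isdigit():
        problems.append("digits only")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard sequence")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if any(not re.search(c, pw) for c in classes):
        problems.append("missing a character class (lower, upper, digit, special)")
    return problems

if __name__ == "__main__":
    # Constructed candidates for demonstration only.
    for candidate in ("qwerty", "Summer2020", "19841984", "t7#Vq!mZ2@rLx9"):
        print(candidate, "->", screen_password(candidate) or "ok")
```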
Vulnerabilities in network equipment and software
A vulnerability is a weak point in a system that a hacker can use for breaking into the system. Hackers use vulnerabilities to modify behavior of software and gain rights for accessing your data.
At every stage of software development, there is a risk of introducing a vulnerability: it can be a result of a flaw in the project or a mistake made by a developer.
It is hard to tackle these kinds of vulnerabilities without having qualified personnel. You can remind your employees that it is important to install new updates for the operating system and applications. Developers work on these updates with known malware in mind.
Network equipment can also provide an opportunity for malicious attacks. One of the main reasons here is that most users don't think that security of the network equipment is something they need to care about. For example, you will probably succeed if you search online for login details of your router – most users don't bother to change default credentials.
Typical methods of distance work organization
- File server. You can copy your files to a cloud storage. Various services including Google Drive, Dropbox, Yandex Disk, Mail.ru Cloud Storage, Microsoft OneDrive, and iCloud provide this opportunity. When selecting a service, don't forget to check when it can be used for free and when you have to pay for it.
- TeamViewer. TeamViewer allows you to connect to the desktop of your office computer from your home PC and receive access to all resources there. TeamViewer also has a file transfer mode, which is convenient if you need to send large files. This software is easy to set up and use, but here you also have to check when it can be used for free. TeamViewer is free for personal and non-commercial use, or as a trial version for business users. In order to continue using the application for commercial purposes, you have to purchase a subscription.
- Connecting to remote desktop with RDP (Remote Desktop Protocol). This option is provided by Windows, but in this article we will not cover setting up remote access with RDP, since it requires some advanced skills of a professional system administrator's level.
- Connecting to the company's network using VPN. This is a good option for companies with qualified personnel. In this article, we will not talk about it in detail.
Vulnerabilities of the methods and ways of eliminating or at least reducing them
File server
Incorrect access settings
You should set up access to the cloud storage so that only certain users could work with it. Otherwise, attackers will get access to your files and will be able to read, edit, and remove them.
For example, a screenshot below shows how you can set up access rights with Google Drive.
Don't forget that you can grant different rights to your employees. You don't have to allow everyone to edit the files. Set minimal required rights for each staff member.
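A sharing list can be reviewed against the minimum rights each person needs. The sketch below is an added example, not part of the original article: the entries are constructed records shaped like Google Drive API v3 permission resources (`type`, `role`, `emailAddress`), and the addresses and the `REQUIRED` policy are hypothetical.

```python
# Constructed sample: sharing entries shaped like Drive API v3 permission
# resources. All addresses are made up.
PERMISSIONS = [
    {"type": "user", "role": "owner", "emailAddress": "owner@example.com"},
    {"type": "user", "role": "writer", "emailAddress": "accountant@example.com"},
    {"type": "user", "role": "writer", "emailAddress": "intern@example.com"},
    {"type": "user", "role": "reader", "emailAddress": "former.contractor@example.com"},
    {"type": "anyone", "role": "reader"},  # "anyone with the link"
]

# Hypothetical policy: the minimum role each staff member actually needs.
REQUIRED = {
    "owner@example.com": "owner",
    "accountant@example.com": "writer",
    "intern@example.com": "reader",
}

# Roles ordered from least to most privileged; unknown roles rank highest.
RANK = {"reader": 0, "commenter": 1, "writer": 2, "owner": 3}

def audit_sharing(permissions, required):
    """Return (subject, finding) pairs for entries that exceed the policy."""
    findings = []
    for p in permissions:
        # Link or whole-domain sharing is not limited to named users.
        if p["type"] in ("anyone", "domain"):
            findings.append((p["type"], "shared beyond named users"))
            continue
        who = p.get("emailAddress", "<unknown>")
        needed = required.get(who)
        if needed is None:
            findings.append((who, "not on the access list; remove"))
        elif RANK.get(p["role"], len(RANK)) > RANK[needed]:
            findings.append((who, f"has {p['role']}, needs only {needed}"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit_sharing(PERMISSIONS, REQUIRED):
        print(f"{subject}: {finding}")
```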
If you provide access to your files using e-mail addresses of your employees, an attacker may get your files by breaking into the e-mail account of one of your staff (e.g., by guessing their password).
Hackers perform phishing attacks by sending Internet users e-mails encouraging them to follow a link and enter their credentials (phishing is a type of fraud in which attackers deceive a user and make them disclose their password, credit card number, or other sensitive information). These e-mails usually look like they were sent by a bank, a payment system, or another trustworthy entity.
There are different types of phishing attacks. The attacks may be random or targeted. In case of a targeted attack, user data is collected through all possible channels, including social media profiles and user accounts from various websites. If a user has similar passwords everywhere, once data from a single website is exposed, all user accounts of this user become compromised. It means that an attacker becomes able to access data that is stored on the file server to which the user has access.
One of the most famous cases of data loss that happened on a cloud storage was the result of a phishing attack. Attackers stole around 500 personal photos of celebrities who stored their data on Apple's iCloud. This was done by password guessing. After that, Apple introduced a notification system that alerts users about suspicious activity. The company also suggested using stronger passwords.
Tell your employees who get access to the cloud storage to set strong and unique passwords they don't use anywhere else. Also, remind them to change their passwords frequently and be cautious about suspicious letters they receive.
Do not store critical files in the cloud! Any system can be broken, and cybercriminals are constantly coming up with new ways of doing it. Even after taking all possible measures to protect the cloud storage, do not use it for data whose exposure could do serious damage to you or your company (e.g., bank account details, passport data).
Even if you have given access to the cloud storage to a limited number of trusted users with strong passwords, you cannot be sure that third parties will not have access to your files.
The first major cloud data breach happened in 2010. Microsoft announced that non-authorized users had downloaded data from the cloud service Business Productivity Online Suite. It was due to a configuration issue in data centers located in the USA, Europe, and Asia.
In order to avoid exposure of sensitive data, you should only store password-protected files on the server. Some document formats (e.g., Microsoft Office documents) provide this type of protection. We will show you how you can do it using Microsoft Word as an example:
- Click on the FILE tab in the top left corner;
- Select Info in the left menu;
- Click on the Protect Document image;
- Select Encrypt with Password in the drop-down menu;
- Enter a strong password and click OK;
- Enter the password again and click OK.
You can also place files in password-protected archives on the server.
To avoid losing the files, advise your employees to copy all files from the server to their devices regularly.
TeamViewer
The advantage of TeamViewer compared to other existing software is its simple setup. To connect to a remote desktop, install the software and set it up according to the instructions. You can download the software from https://www.teamviewer.com and read the instructions here: https://www.teamviewer.com/en/res/pdf/first_steps_unattended_access_en.pdf.
The main security risk with TeamViewer is leakage of login details when connecting to a remote desktop. If all of your employees use strong passwords and keep their credentials safe, that should be sufficient for data security.
However, even TeamViewer can be hacked. In 2016, hackers from China succeeded in doing it with backdoor software developed by the Winnti hacking group. This software modifies code of an application by adding new commands.
The TeamViewer security team discovered the attack before any user data was stolen. Then TeamViewer experts performed a global scanning of the system to clean up all malware that could be left from the attack.
There is not much ordinary users can do against this sort of attack. We can only suggest doing the following during distance work: be vigilant, choose software suppliers carefully, and install new updates when prompted to do so.
Connecting to remote desktop with RDP
RDP (Remote Desktop Protocol) allows connecting your home PC to your office desktop through the Internet, as if your home PC were located inside the office and could reach all the network resources.
We will not discuss this method in detail. It is difficult to set up access using RDP without qualified personnel, and this method is not absolutely safe: it has the same issues related to data interception and guessing of simple passwords. A vulnerability in the Windows operating system could also lead to data exposure – since data is sent directly, an attacker can access a remote desktop port through the Internet.
Connecting to the company's network using VPN
You can make distance work via RDP safer if you set up a VPN. When you use a VPN (Virtual Private Network), security is ensured by an encrypted "tunnel" between your home PC and the office network.
If you would like to learn about using RDP with VPN, you can take a look at the following articles: How to set up an RDP connection to your home computer, How to Use a VPN Connection for Remote Work in Windows 10.