10 tips for security teams to offer their employees to work securely when at home
March 2020 by Paul Colwell, Technical Director, OGL Computer
There are many potential pitfalls to allowing staff to work from home - a decreased security stance being one of the most potentially significant. We’ve picked out a range of best-practice tips and working strategies to minimise this potential risk, whatever your business vertical or size...
1. Lead from the top
If staff are not already used to working remotely, or if there is a mixture of remote veterans and green starters, it is vital to have clear written guidelines that explain how to use services and software securely. Explaining how and when to log on, use video-conferencing tools and access internal resources and data is key not only to establishing best practice from the outset, but also to ensuring that staff are fully briefed and in control of their working day. In some cases, entirely new collaboration tools might be needed, which require their own briefings; many providers will have these assets already, so it isn’t necessarily a long and arduous task.
2. Ensure that endpoints are secure
Many businesses take the opportunity to issue remote workers with a dedicated laptop, which can be centrally managed and configured in accordance with internal data policies, as well as protected by the company’s choice of endpoint protection. If remote workers are using their own PC equipment from home, it is vital to ensure that they have installed reputable anti-virus tools, such as Kaspersky AV or Carbon Black, and that the AV is up to date with the latest signatures.
3. Manage the endpoints
By using commercial mobile device management (MDM) tools, devices can easily be set up with a standard configuration, saving time and effort. MDM tools usually include the ability to remotely lock a missing device, erase its data or retrieve a backup, all essential services that will be appreciated by workers and IT departments alike.
4. Ensure that existing devices are encrypted
It is recommended that any device containing corporate data be encrypted at rest, especially highly desirable devices like smartphones and laptops. The good news is that most devices support some kind of encryption natively, so ensure that this is activated and configured correctly.
5. Establish device loss protocols
In the event that a device is lost, employees need to know who to report this fact to, so that remote wiping and replacement can be triggered. It is important to recognise that devices will sometimes be lost or stolen, so staff should not be blamed; a culture of blame will also mean that losses and thefts are not reported promptly, potentially increasing the risk of more serious data loss.
6. Educate and keep employees updated on phishing
Arguably the greatest single threat to companies today comes from phishing. Whether it takes the form of untargeted, high-volume fake coronavirus updates that deliver ransomware or of spear-phishing attacks aiming to pull off Business Email Compromise (BEC) scams, the risk is significant. Remote workers should therefore be trained by the business to spot suspicious emails and query (or simply ignore) them.
In addition to initial training, it’s essential that remote workers act as their own first line of defence, by double-checking the authenticity of messages, emails and phone calls. If in any doubt, the exchange should be reported to a pre-agreed internal security team contact point. Be especially wary when presented with sudden ‘emergency’ situations, where a caller or email contact asks you to break protocol due to a poorly explained crisis.
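The "double-check the authenticity" habit above can be partly automated on the receiving side. The following is an added example, not code from the article or from OGL Computer: a small triage function that parses an inbound message and flags the classic BEC tells the text describes (a display name that pretends to be an internal address, a lookalike sender domain, a Reply-To that diverts replies elsewhere, and pressure language asking the reader to break protocol). The corporate domain, trusted-domain list, urgency phrases and both sample messages are constructed for the example.

```python
"""Triage of inbound email headers and body for phishing / BEC indicators.

Added example, not from the original article. Domain names, the trusted-sender
list and the sample messages below are constructed values.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and trusted partner domains (constructed).
CORPORATE_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "partner.example.net"}

# Phrases typical of the manufactured 'emergency' the article warns about.
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer", "before end of day",
                   "do not tell", "confidential request", "gift cards")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> list:
    """Return human-readable findings for one RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Display name claims our domain while the real address is elsewhere.
    if CORPORATE_DOMAIN in display_name.lower() and sender_domain != CORPORATE_DOMAIN:
        findings.append(f"display name mentions {CORPORATE_DOMAIN} but address is @{sender_domain}")

    # 2. Sender domain is one or two edits away from a domain we trust.
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(sender_domain, trusted) <= 2:
                findings.append(f"lookalike domain {sender_domain} resembles {trusted}")

    # 3. Reply-To silently redirects the conversation to another mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"Reply-To {reply_to} differs from From {address}")

    # 4. Subject or body uses pressure language asking the reader to break protocol.
    body = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = """From: Accounts Team <accounts@example.com>
To: staff@example.com
Subject: March expense deadline

Expense claims for March are due by the 31st via the usual portal.
"""

SAMPLE_PHISH = """From: "ceo@example.com" <ceo.office@examp1e.com>
Reply-To: finance-desk@freemail.invalid
To: staff@example.com
Subject: Urgent - confidential request

I need a wire transfer arranged immediately before end of day. Do not tell
anyone in finance; I will explain when I am back.
"""

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(label, "->", triage(sample) or ["no findings"])
```

Any finding is a cue to report the message to the pre-agreed security contact rather than a verdict on its own; the urgency check in particular will fire on some genuine mail, which is exactly the case where a phone call to a known number settles it.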
7. Operate or subscribe to a Virtual Private Network (VPN)
A corporate VPN is an essential security measure, especially for remote workers who may be using suspect connections. However, it is worth bearing in mind that more licences may be required to support larger numbers of remote workers, and that bandwidth may be restricted above certain concurrent user numbers. It is also particularly important that VPN endpoints are fully patched, as with any other software. VPN use should be subject to two-factor authentication (2FA), which is straightforward to set up on VPNs from the likes of WatchGuard and Palo Alto Networks.
8. Boost password strength and use 2FA
As in a standard office environment, passwords can present potential security risks if they are either too simplistic or written down on Post-it notes next to the monitor. Mandating strong passwords is important and adding an extra layer in the shape of two-factor authentication is highly recommended.
Larger corporates are likely to have two-factor already in place, but if not, there are a range of options to suit businesses of all sizes right down to the sole trader. When selecting any product, ensure that it offers 2FA.
9. Leverage Office 365
Many businesses will already be familiar with elements of Microsoft’s Office 365, but building on top of the usual desktop suite of Word, Excel and PowerPoint and beginning to take advantage of powerful collaboration tools such as SharePoint and Teams not only saves service duplication, but also simplifies data security and policy enforcement.
10. Equip teams with tools and processes to keep data secure
A common pitfall is for internal security teams to mandate tools and processes that are highly secure, commercially approved and a very poor fit for the processes that remote workers are required to carry out in the course of their everyday role. The result is typically a ‘workaround’, involving third-party services or USB drives, especially where data sharing and storage is concerned.
The moral of the story is to assess exactly what processes are required by workers on the ground (whether remote or not) and provide a solution that fits the bill. This might be in the form of approved cloud storage or file sharing tools that can ensure that data is properly encrypted and stored according to industry best practice.
There are a huge number of excellent remote working tools, from secure cloud storage services and Microsoft’s tools, including Teams, through Google’s G-Suite to Zoom. However, not all will be a good fit for your business and processes, so don’t be blinded by the big names. When looking for advice, a reputable IT services provider can help navigate the choices available today, while the UK’s National Cyber Security Centre (NCSC) has published best practice guidance designed to protect data in remote working environments.