How to Maintain Cybersecurity When Employees Work Remotely
Keeping company data safe is not easy when employees are at the office. It is even harder when they are not. Given the current situation with the COVID-19 epidemic, many organizations are enabling their employees to work remotely, which can create potential security issues. From stolen hard drives to social engineering, there are lots of threats to watch out for. The following security best practices can help to mitigate many of those threats and maintain a secure network environment.
Define Threat Models
Each company will have a different threat model. Some have valuable customer information to protect, while others have physical resources with access control requirements. Oftentimes, organizations must comply with regulations concerning data security, especially in the healthcare and financial services industries.
Business organizations also have different IT resources. Some run their own data centers full of servers, while others only have endpoint devices (like laptops and desktops). Many companies also use cloud services, which must be protected in a different way than on-premises servers. Does the security of these resources change when employees are working remotely? What kind of data would hackers target? Carefully defining threat models is the first step in developing a plan to prevent breaches before they happen.
Enforce Remote Device Security
When employees are at home, computers are not under the same type of protection they might be at the office. Theft and unauthorized access are far more likely when machines are out of the company’s control. To minimize the risk, it is best to separate work computers from personal computers, especially if sensitive data needs to be transferred to the remote computer.
Additionally, to reduce the chances of data being recovered from a stolen computer, requiring full-disk encryption on every remote computer is recommended. In doing so, the data on a powered-off computer cannot be accessed without a passphrase. It is also a good idea to require strong user account passwords, with lock screen enabled, to prevent an attacker from accessing a running computer.
Some companies issue mobile devices, while others have a bring-your-own program. Regardless, the same security practices should be followed—isolating work and personal data, requiring strong passwords and short screen lock times, and forcing timely software updates.
Secure Corporate Network Access
At the office, employees connect directly to the corporate network. When they are working remotely, they are by default connected to their own network. As a result, companies need to provide remote employees with the means to securely access the corporate network from home.
The most common approach to this problem is a VPN. Using a VPN allows remote users to tunnel into the corporate network and access it the same way they would at work. Additionally, VPNs encrypt traffic between the corporate network and the endpoint device, preventing a potentially compromised home network from traffic snooping. It is important to make sure that only company-issued devices can connect to the corporate network to prevent data leaks from compromised personal devices.
While VPNs are effective in many cases, they pose a few issues. For example, they are primarily useful for computers and do not work as well on mobile devices. Additionally, they are heavy on bandwidth usage, which slows down traffic or even fails when large files are being transferred.
Two excellent solutions for accessing company network resources, are Remote Desktop Servers (RDS), and/or Remote Desktop Protocol (RDP). RDS and RDP are far more efficient over VPNs. These protocols provide a virtual terminal into the business, offer greater control over what the user can access, and utilize significantly less Internet bandwidth. The experience to the user, while not the same as being at the office, can nearly as fast in terms of response without compromising security.
Secure the Human Element
Humans are anything but infallible when it comes to security. Regardless of where employees are working, solid security training is a must. With less direct oversight, remote employees are even more susceptible to phishing and malware. Statistics show that 90% of data breaches are caused by human error. Even with perfect network and endpoint security, human error poses a huge risk.
While most organizations do some sort of phishing training, it is rarely enough. Standard point-of-failure training, which sends phishing emails to employees and shows a training module immediately after clicking a link, may also be less effective compared to separate education and continual simulated phishing tests. Companies should train their employees and then subject them to frequent simulated phishing attacks to significantly decrease the rate that real attacks are successful.
According to an article by CSO Online, 83% of phishing attacks occur outside of email. They are more prevalent in text messages, games, social media, and mobile apps such as Facebook Messenger and WhatsApp. Keeping employees vigilant on every platform is crucial to preventing the most common cybersecurity threat.
Another effective way to mitigate the effects of phishing attacks is to require two-factor authentication (2FA) on every work account. This will ensure that if passwords are compromised, it will not be enough to log in successfully. Depending on the value of a particular account, using SMS-based 2FA might not be adequate. Attackers could potentially transfer a phone number by swapping the sim card. Time-based one-time password (TOTP) codes are a more effective way to secure accounts. For the highest-value accounts, hardware security keys are the most effective (but least convenient, because they can be clumsy to use with mobile devices).
Secure Remote Working
As many business organizations rush to get their employees working remotely due to the Corona virus outbreak, security might not be at the top of their minds. It is important to remember that hackers see this as a great opportunity to exploit easy vulnerabilities. Proactively securing company resources is the only way to stay one step ahead. Contact your Outsource IT account manager to learn how we can help in this regard.