5 best practices for securing a remote workforce
The ability to maintain security while working remotely has always been important, but it has become exponentially more so over the past year, as waves of workers have left their offices and fired up their laptops from home.
The current year has shown us that this trend isn’t reversing in the near-term—people will be remote until the COVID-19 pandemic is brought under control, and some employees may continue working this way on a permanent basis.
Given that it’s likely here to stay, it’s worth asking: How does remote work create risks around sensitive and confidential knowledge?
As it turns out, many different ways—take your pick.
The risk might come from the user themselves: For example, a remote worker could start routinely using work laptops for personal emails or web browsing, creating a riskier profile than if they were at the office. Alternatively, a member of the household—say, a 4-year-old child—might accidentally wander over to the laptop and start randomly pushing keys.
Then, of course, there’s the ever-increasing threat of phishing attempts and malware. By some estimates, cyberattacks are up 400% compared to pre-COVID-19 levels. Additionally, according to security vendors, we’re three and a half times more likely to have malware on our home PC's versus our desktops in the office.
Beyond users, there are risks related to infrastructure. Companies simply may not have enough network resources to handle everyone working remotely. As a result, patching efforts might be negatively impacted, and even backups may not work as well as they should.
The bottom line? Working remotely is a security minefield—but fortunately, it’s not all doom and gloom. With all the technology and security measures that are at our disposal today, we can work securely even while away from the office—it just requires following some best practices around employee awareness, endpoint security, network security, infrastructure requirements, and access, along with identity controls.
1) Start with employee awareness
Awareness is key. Remind your employees about phishing and the very real threat of clicking on an innocent-looking email that is asking them to update their user ID or password. Brief them on some of the telltale signs of a phishing email, so that they can better spot them when they (inevitably) arrive.
As a next step, remind users about acceptable use policies for work computers. While this will vary from company to company, the essence should be that the employer-provided computer is a work resource. While it's okay to check the news and do some light browsing on it, for instance, it's not okay to install your own software or use it as your primary device for personal emails or surfing the web. Likewise, the device should not be used by other members of the family.
Finally, end users should be educated about the importance of patching. A company’s patching infrastructure may not operate as seamlessly as it did when everyone was in the office—and as a result, end users need to reboot their devices more often and pay attention to messages regarding security patches.
2) Strengthen endpoint security from every angle
What about endpoint security? What are the best practices here? First up, companies should ensure that all drives are encrypted. Fortunately, they can get reports from their management tools on encryption status, helping to identify any potential vulnerabilities. As an additional step to make PCs and endpoint devices as secure as possible, end users should be advised against using external peripherals such as USB drives or cheap knockoff devices such as cameras or lights. Malware hides in all sorts of unexpected places these days.
Lastly, remind users to file their important documents in the company’s cloud-based document management system instead of leaving them stored locally on their PC. When properly filed, the files are not only better protected from security threats, they’re fully backed up—and there are no locally stored files that can be easily accessed if the physical device is lost or stolen.
3) Bolster network security with a VPN
It is highly recommended that any organization require their end users to use a virtual private network (VPN) for access to corporate resources, even when doing allowed personal work.
Beyond its basic encryption features, modern VPNs can provide posture assessment in several areas. For starters, the VPN can be used to enforce device certificates, so that an end user can’t use their personal computer (which might have security vulnerabilities) to connect to the corporate environment. VPNs are also very useful for checking the current patch level of the device, helping to ensure patching is actually happening. Similarly, a VPN can ensure that virus scans and virus definitions are up-to-date.
From encryption to posture assessment, modern VPNs have a full complement of features that can make remote working more secure—so there really is no good reason not to be using one.
4) Beef up infrastructure as needed
We’ve covered the importance of VPNs—but is your VPN infrastructure able to support 100% of your employees working remotely? If your VPN system goes down, your remote workers are out of luck as far as being able to securely get work done.
For this reason, it’s recommended to keep an additional “hot-spare” capacity (a standby that can easily be switched into production) for your VPN. Consider this an insurance policy to ensure your workers aren’t left high and dry in the event that one of your VPN systems crashes.
Next, think about bandwidth. If all your remote workers’ traffic is being piped through your VPN system, does your corporate ISP have enough bandwidth to handle all that data? This is a particularly relevant question given all the concurrent video calls and other bandwidth-intensive activities that are now par for the course.
5) Toughen your access and identity controls
There are several best practices around access and identity controls. First, think about adjusting the ACLs (access control lists) on your cloud services. For example, you can require your employees to come through your VPN before being able to access certain web services.
As far as identity controls, the best practice here is to implement SAML, an open standard that allows identity providers to pass authorization credentials to service providers. SAML can help you enforce your password policy and detect any brute force attempts to breach your network. It will also help you detect when someone is misusing their credential or if someone's ID has been compromised—no idle threat given the preponderance of phishing attacks.
Finally, it is an absolute requirement to use multi-factor or 2-factor authentication (2fa). This can take many forms; organizations often use a one-time password token, which is a physical device that spits out a temporary PIN. The idea here is that any end user must both provide a password and prove their identity some other way to gain access to the corporate network and the confidential knowledge it contains.
Be smart and be secure
Remember: It is fully possible to work securely while remote—but only if you’re smart about it. By following the best practices outlined above, organizations can ensure that remote workers are getting work done as safely as possible—helping to protect sensitive and confidential files and safeguard company knowledge, even outside of the physical office.
Companies and Suppliers Mentioned