This is Part II of a two-part series on improving work-from-home security. Part I discussed how work-at-home employees can recognize and mitigate some of their cyber risks while working remotely.
Here in Part II, we detail some of the steps that businesses with distributed workforces can take to keep staff, clients, and overall operations “cyber safe”.
Many of your staff have been working at home for a few months now, and depending on your location in the world, that’s a situation that may not be changing any time soon. While some jurisdictions are easing work restrictions, others have already extended work- or study-from-home programs until at least September, or even through to the end of 2020. And when the pandemic is finally over, many businesses will have learned the value of supporting distributed workforces, and may implement remote access as a standard way of doing business going forward. Similarly, many employees have found that working from home suits their lifestyle, improves their productivity, and addresses their health concerns, so they may encourage you to let them remain offsite. In this landscape, it’s important for companies to review and reflect on their cybersecurity posture for the long haul.
1) Staff Education: Your distributed workforce is now on the front lines of cybersecurity defense in their homes. It’s more important than ever for businesses to emphasize cyber awareness training programs. Many companies have developed resources or use training-as-a-service offerings. Review those training modules through a work-at-home lens, and ensure that some of the special circumstances of extended remote operations have been addressed. Education should cover best practices in setting up a home office, from phishing awareness to seating ergonomics to best practices on the phone and during teleconferences. Further, ensure that the training continues regularly – with the rush to move offsite and maintain basic services, it’s possible that non-emergency activities like staff training may have been set aside. This can have devastating consequences in the event of a phishing attack or privacy breach. Proper staff education is achieved through a steady diet of awareness training and testing – a dry, one-off PowerPoint presentation is simply not enough. ISA can help with online training resources that can be offered as a cloud service, quickly and cost-effectively.
2) Secure Remote Access: Since remote work will be here for an even longer period, and could be here to stay for many employees, businesses need to review and confirm that remote access channels are secure. Virtual private network (VPN) and encrypted access for secure communications are key. Multi-factor authentication for staff is essential, particularly as many remote workers may be using shared devices to access corporate resources. Having two or more tests of identity before granting access to your corporate and client assets should clearly be a high priority. This higher security access approach is also available as a service, and can be implemented reasonably quickly in many situations.
3) Tech Support: Distributed workforces need to have clear methods of reporting technical issues. Now that the early days of scrambling to provide access are largely behind us, it is time to reflect on centralizing trouble ticketing and reporting. Since staff are no longer together in one physical location, it may be more difficult to identify and correlate emerging issues quickly – and time can be of the essence when experiencing a system problem or cyber attack.
4) Guidance and Resources: As outlined in the first part of this series, staff need to be aware of approved methods of handling document exchange and physical paper disposal. In the absence of clear, easy-to-use tools and techniques, employees will “find a way” to get their work done. Staff proceed with the best intentions, but may be more concerned with simply getting the work done than with the bigger picture of cybersecurity. If you don’t have a secure file exchange portal in place, staff will email copies of reports using “Gmail”. If people don’t know where to dispose of printed reports, paper will go into a garbage bag or dumpster, where it could be intercepted by others. If you don’t have inventoried, encrypted/password-protected USB devices, staff will use their own keys, which may be lost or infected. If you don’t have a secure, approved, and documented videoconferencing tool available, they’ll launch Zoom without a password. Help them out by laying out best practices, then continue to refine and expand your documentation to provide guidance and resources that will live on beyond the pandemic. Consider preparing a home checklist for users to follow. This can outline best practices on securing smart home devices – starting with the home router and Wi-Fi security – then extending through the rest of the home. This will be a value-add to your employees which they’ll appreciate, and you’ll be more confident that corporate work is being done within a hardened security framework.
5) Personal Devices: In situations where security is of particular concern, consider assigning hardened laptops or loaner equipment to staff for work use only. This will mitigate the dangers of multiple users on a device, or exposure to unsecured or previously infected devices. This also makes it easier for your IT team to track who’s connecting to the network from the outside. If you can limit remote access to “known” devices, this can help reduce your risk. Absent this, more sophisticated “zero trust” security systems are the answer to help verify the identity of those looking to access your systems, both from known and unknown devices.
6) Backups: Finally – and this is essential whether or not a pandemic is in progress – businesses must be confident in their backup systems. Encrypted, isolated snapshots and backups could prove indispensable in the event of a disaster, whether it occurs naturally, by accident, or as a result of a cyber attack. Ransomware can cripple operations at an already precarious time for many companies – a proven and tested backup process is a critical part of any company’s business continuity/crisis response plan. For those companies still creating media backups, reflect on the challenges that the pandemic has created in handling, storing, and swapping tapes. Consider online or cloud backups to eliminate the “hands-on” aspect of this critical function.
Experts and businesses agree – we’re not going back to the old ways of doing things, even when the pandemic is over. Take action today with ISA to ensure that you and your teams are cyber secure today and tomorrow.