Balancing security and flexibility with a remote workforce

May 6, 2020 | Thomas Jung

This blog was written by an independent guest blogger.

According to the Pew Research Center, last year, roughly seven percent of U.S. workers regularly enjoyed the option of working from home. Well accustomed to the nature of remote work, these individuals were equipped with stable internet connections, collaboration and communication tools, and security technologies that helped them excel from their home offices.

As concerns regarding the spread of COVID-19 grew, , nations around the world opted to enforce social distancing guidelines to prevent the infectious disease from spreading. In response, companies of all sizes have been forced to embrace remote work without much time to plan ahead. Some businesses have shifted to as much as one hundred percent of their employees working from home.

As all parties involved adjust to this new way of working, critical concerns regarding the security of data and systems have surfaced and must be addressed to prevent cyber breaches. Here are five tips every enterprise should consider for better security of remote workers:

  1. Ensure your information security policy covers remote work use cases

In companies unaccustomed to remote work, information security policies tend to be written under the assumption that employees are on site. This has led to gaps in guidance on how workers should maintain the security of data and applications while working remotely. The sudden shift to home office setups requires that policies and procedures be established or updated to account for this new reality. Examples of relevant remote security policy components include, but are not limited to, mobile device management, access control, acceptable use, and more. For example, a Mobile Device Management (MDM) policy should describe the controls required to secure, monitor, and manage mobile devices used by employees. An access control policy is another common policy that already exists in most companies; however, it may not have been written with remote work in mind. This policy should include guidance on granting, monitoring, and terminating remote access for employees and third parties.

vpn at home

Photo by Dan Nelson on Unsplash

  1. Address security risks associated with employees working on personal devices

Some employees are now required to use personal devices to access sensitive information for work-related tasks. This increases the risk of potential data loss or leakage, and also makes it challenging to maintain visibility into employee actions. Defining a Bring Your Own Device (BYOD) strategy is an essential step in enhancing company security when employees may begin using their personal devices for business purposes. The policy should include guidelines on the minimum required device security controls, acceptable use cases, prohibited actions, and information on any company-sanctioned security tools that can be used to conduct business securely. It’s also important to discuss any employee rights or privacy implications when managing personal user devices that are connected to the corporate network. Lastly, the strategy should include plans for addressing lost or stolen personal devices that may have included sensitive company information.

  1. Get a handle on growing third party risks

As more employees work from home, collaboration technologies, such as Zoom, Slack, and Skype, have gained immense popularity. For instance, Zoom software daily meeting participants grew from 10 million in December 2019 to 200 million in March 2020. The unexpected rise in Zoom usage made the provider a ripe target for cybercriminals. On several occasions’ attackers were able to exploit flaws to steal customer data and hijack video conversations, leaving many highly dependent users at risk.

Ensure that your enterprise has a strong enterprise vendor management program. Review and approve solutions from genuine developers while restricting employees from downloading unsanctioned third-party software to mitigate vendor risks. Also, contact vendors for guidance on how their products can be configured or enhanced to reduce remote work security risks. Microsoft, for example, has created a portal with numerous resources on security that includes everything from cloud storage to access management for enterprises.

  1. Educate employees on how to operate securely outside of the office
    1. Equip employees with secure options for telecommuting: Employees often utilize unsecure home network setups that can lead to compromised network connections and endpoints. Reduce the risk by helping employees understand how they can secure their home networks. Employees should reset the default passwords for home network devices like routers. If possible, organizations should set up a remote IT support team to provide online and telephone guidance to employees configuring their Wi-Fi. Employees should also have access to a VPN for secure access to the corporate network.
    2. Encourage good cyber hygiene at home: Devices that lack basic security controls such as firewalls and antivirus, when connected to the same network, can expose more significant risks to all devices on the network. Organizations should provide remote workers with basic cyber hygiene knowledge, such as tips for protecting endpoints with antivirus and avoiding insecure public Wi-Fi. Remote workers should also avoid allowing other family members or associates at home to use their work devices for other activities.
    3. Help employees navigate pandemic-themed scams: As opportunistic hackers leverage COVID-19 uncertainties to lure victims into fraudulent scams, companies must act quickly to reduce risk to their employees and businesses. Numerous reports have been made regarding hackers preying on virus-related fears to spread malware to workers at home via email, text message, phone calls, adware, and more. The Federal Communications Commission  (FCC) issued a warning to consumers about campaigns and scam robocalls offering COVID-19 tips. Resources from reputable sources can be shared with employees to keep them informed of such risks.
    4. Never underestimate the power of basic security hygiene

A practical method for protecting data and systems in a remote work environment involves deploying fundamental cybersecurity technology:

  • Invest in a Virtual Private Network (VPN) and Multi Factor Authentication (MFA) solutions: A VPN offers advanced security and encryption capabilities to prevent unauthorized disclosure of information when your network must be accessed via the public internet. Businesses should also implement multi-factor authentication to reduce the risk of unauthorized individuals using compromised credentials. This practice adds two or more authentication layers using features like biometrics, a physical or virtual token, or other means, making it difficult for hackers to access a system—even if they have stolen passwords.
  • Keep systems and software up to date: An enterprise’s systems and data remain vulnerable in situations where employees use devices with unpatched software and operating systems. Organizations should assist remote teams in upgrading their software and operating systems to the latest versions that vendors support. This rule applies to all technology, whether leveraged for remote work or not.
  • Monitor activity: Security monitoring technologies such as Data Loss Prevention, Security Event and Incident Management and more can help detect and address block threats in real-time. This is important when dealing with not only external attackers but also insiders who may be taking advantage of the company or abusing access while working remotely.
  • Maintain a contingency plan and keep back-up data: Security teams should design a reliable course of action to help the organization respond effectively to data breaches and other disruptions to operations. Companies should also implement robust data back-up and recovery strategies.

Today, a growing number of organizations are urging work from home adoption to enhance productivity and stay profitable amidst the coronavirus pandemic. Fortunately, technologies such as cloud computing and collaboration tools allow people to use virtually any business application instantly from distributed locations. Despite the numerous benefits businesses leverage in remote working strategies, protecting fluid perimeters from soaring cybersecurity risks has become a significant challenge for enterprises. Most companies are ill-prepared in supporting work from home approaches, exposing themselves to risks such as insecure home network setups, coronavirus-themed scams, and vendor risks. Securing a distributed workforce requires synergy from both the organization and its remote workers to reduce risks.    

Thomas Jung

About the Author: Thomas Jung

Thomas Jung is an Information Security consultant who is passionate about keeping organizations, individuals, and communities protected and safe from bad actors. In his spare time, he volunteers at Operation Kindness and Operation Safe Escape. He can be reached through his website Jung Tech

Read more posts from Thomas Jung ›

‹ BACK TO ALL BLOGS

Watch a demo ›
Get price Free trial