Companies of all shapes and sizes are now being advised to allow employees to work from home where possible. This is sensible advice from a public health perspective but it can undermine the safety of businesses that are not used to taking the measures needed to effectively secure the remote workforce.
If you are in the process of mobilizing a WFH network, here are five key strategies to ensure your corporate network also gets the protection it needs. A little extra attention now could save you a lot of disruption in the future.
Remote working can be as secure as working from the office, provided everyone takes their responsibilities seriously and is equipped with the knowledge they need.
Even if you already deploy remote workers in your organization, now could be a good time to audit your security protocols and ensure adequate training is in place.
Every business will be different so you will need to decide which elements of cybersecurity are most important to your workforce. Most businesses should incorporate phishing awareness since this is sure to be a key tactic used by cybercriminals during this period.
You need to be confident that none of your employees could be duped by a fake email purporting to be from the company. Staff are likely to be anxious about pay, tax and health insurance during the pandemic. Phishing emails asking them to click a link for information could more easily slip under the radar when people are worried.
Password hygiene is another simple yet vital part of any corporate cybersecurity strategy. Minimum rules for password strength should be imposed, with employees instructed to change passwords regularly. All services, networks and applications should fall under the same policy to avoid creating a weak link in the chain.
Due to the need for social distancing, security training should be managed online where possible.
For many businesses, there is an assumption that mobile devices and remote workstations are riskier than on-site technology because they sit outside of the security perimeter. This is often referred to as a ‘castle-and-moat’ approach.
This can create a false sense of security in which companies become blind to threats inside their own walls (e.g. insider crime, or insecure devices being used in the office) while worrying disproportionately about services accessed from outside the office.
The zero trust approach assumes that all attempts to connect to the corporate network are potentially suspect. Authentication of devices and access control is governed at a user level with access granted or denied based on automated policies. A user can be an employee, a device or even an application.
Zero trust security services can be based in the cloud and handle connection requests from both inside and outside the office. Remote workers can download client software onto any device they use and access a familiar dashboard each time.
Zero trust security software can also prevent bottlenecks which can occur if remote workers have to connect to the on-site network before accessing services and applications.
Although zero trust, user-centered security is preferable, a standard virtual private network (VPN) is the next best thing and is the minimum level of security you should be putting in place to protect your business.
If you already have a VPN, make sure there are enough seats available for all your remote workers. Alternatively, there are third-party VPN providers, but you must make sure they have a good track record and servers in your region.
A VPN forms an overlay network that enables users to connect to both the corporate network and the public internet without exposing their IP address. This means that remote workers can hide their location and even configure their settings to pretend they are in a different region or country. So if you need to recruit remote workers in Europe, for instance, they can access geo-restricted resources without any problem.
A VPN also encrypts incoming and outgoing information. Theoretically, this means remote workers can use public WiFi hotspots securely although it is probably better that they connect via a personal or corporate WiFi network where they can.
As with zero trust security, VPN users will need their own login credentials and should use strong passwords in line with your cybersecurity policy.
Ideally, all remote employees would be provided with factory-fresh mobile devices locked to the company network. In reality, many remote workers, particularly those employed or contracted by smaller businesses, have to use their own devices. In this case, a clear ‘Bring Your Own Device’ (BYOD) policy should be in place to ensure users access corporate networks and VPNs only for work reasons and keep work and personal data well apart. Employees should agree to download mobile apps only from official stores (e.g. Google Play or the Apple App Store).
There is always a danger that a personal device has picked up malware at some point in its lifecycle so all BYOD devices should be scanned by enterprise-grade anti-virus and anti-spyware software. Endpoint security, such as a device-based firewall, should be installed to provide some basic protection against brute-force attacks.
Employees should also take particular care when carrying and storing their devices. It should also be possible to remotely wipe corporate data, including access credentials, from a BYOD device should it ever be stolen.
Back-ups are vital for businesses of all sizes. Not only do they enable businesses to carry on their work should data be accidentally lost or corrupted, they can also provide protection against ransomware attacks.
Once the compromised devices or networks are isolated and purged of the malware causing the attack, back-ups can be used to ensure minimal, if any, data loss.
Remote, cloud-based back-up services are usually the safest option as the data is then out of reach of local disasters or cyber attacks. Storing backups locally is riskier as the backup servers or media could also be damaged or compromised during an attack.
Back-ups should be frequent and automated wherever possible. If you use a mobile device management (MDM) or enterprise mobility management (EMM) service, backup schedules can be remotely configured for each device.
If automatic backups are not possible, at least ensure you have a clear mandatory back-up policy in place. Check in with employees to make sure they are backing up as required.
Securing your remote workforce should be a priority for businesses in these uncertain times. Zero trust security technologies are popular but even a robust VPN can afford vital protection.
Where remote employees are using their own devices, these should be cleaned and secured before operation, stored safely and be capable of remote deletion. Back-ups should be mandatory and automated where possible.
Everything then needs to be integrated into a corporate cyber security policy which includes frequent and high quality online training.
This may seem a lot to do but putting robust remote worker management policies and technologies in place will not only protect you during the coronavirus pandemic. It will set you up well for a business landscape that is increasingly valuing remote employees as a key part of an agile and productive workforce.