Security and Best Practices for Your Remote Workforce
How to keep data and systems secure
More employees are working remotely than ever before, and companies are planning for a blended on-site and remote workforce, even after the pandemic. However, remote work, and the related online tools required, poses unique security challenges for companies.
Unless a company has sent each employee home with a full suite of office equipment, remote workers are using their own devices and WiFi over a home network, which can be problematic. When they connect to a company server or network, it opens another window of vulnerability.
We have published a series of articles on telecommuting since the beginning of the pandemic, and along the way, I have collected insight from a range of security professionals on strategies and best practices companies can implement. Read on for a comprehensive list of tips.
Implement a telework policy
The consensus is clear: To mitigate security risks, every organization, from big corporations all the way down to the smallest organization with few remote team members, should implement clear and comprehensive policies and take proactive measures to ensure the safety and integrity of company data.
This policy should include what’s acceptable when remotely accessing company resources, how data is handled and what levels of authorization are available. Expect policies to be more stringent on non-company-owned equipment.
HubSpot has a free sample Remote Working Security policy that you can download and adapt to your company’s needs, incorporating some of the other tips below.
Be wary of employees using their own devices
It may not be practical to restrict employees from using personal devices. However, you can require that data is kept separate. For example, documents created for work should not be kept on a personal Google Drive.
Set up secure company folders and make sure employees know the protocol to access them. The admin panel from your selected vendor, such as Amazon Web Services or Google Enterprise Solutions, lets you secure and control data. Employers can also require that specific company-controlled mobile apps be used for company email on personal devices.
The company should maintain control of information flow, including being able to change permissions and to delete or lock any sensitive data should an employee leave the company.
If employees do use a personal device for work, it is wise to have a Bring Your Own Device (BYOD) policy. Writing things out in advance will help avoid unnecessary disputes and the costs associated with them. See this sample BYOD policy from human resources advisers SHRM.
Provide secure team communications
Along the same lines as having a secure place for remote workers to file documents, companies should also plan a secure meeting, collaboration and chat environment, like Microsoft Teams. Providing company-authorized tools will lessen the temptation to use less secure systems like WhatsApp, Facebook and Google Sites.
Plan for lost or stolen devices
Make sure there is a contingency plan if a remote worker loses a laptop with sensitive business information on it. Devices should be set up so that they can be tracked or have their data remotely deleted.
Implement secure remote connectivity
Any connections made to the company should be performed through a Virtual Private Network (VPN), which leverages either SSL (Secure Sockets Layer) or IPsec (Internet Protocol Security) to encrypt communications from the remote teleworker’s machine.
The goal is preventing bad actors from interrupting or hijacking data while connecting.
VPNs mask IP addresses and make locations untraceable, a must for your remote team. A VPN also encrypts data in transit, allowing personal and confidential data to tunnel from one device to the next, away from prying eyes.
Not all VPN providers are the same. Check reviews, go with a reputable company, and make sure the VPN does not log your business activity. This data could be sold to a third party.
One downside of VPNs is that they may slightly slow down internet speeds. The trade-off for secure data is worth the minor inconvenience.
Provide endpoint security
Protect your company’s computer networks by making sure the endpoints (a remote worker’s laptop, tablet and mobile phone) are secure. Endpoint security has evolved from just antivirus programs to include advanced threat detection, data leak protection, investigation and response.
Use secure software
The software you choose could afford some additional security protections. For example, Microsoft 365 has stringent security features that adhere to ISO 27001.
Apply stringent wireless security protocols
Allowing remote employees to connect to the company through a wireless network opens up risks, from passive data collection to active denial-of-service attacks and everything in between. Consulting a security expert will help develop a wireless security system that is appropriate for current business needs and scalable for future growth.
Here are a few elements to consider for your wireless security plan.
Conduct internal audits and third-party penetration testing of the wireless network. This will help identify gaps in security that may have been missed during wireless network setup. Misconfiguration was the highest-ranking security threat according to the 2020 Cloud Security Report produced by Check Point Software Technologies.
Use the best available security, which right now is WPA2. Consider increasing the protection by also applying EAP-Transport Layer Security (TLS) for more secure user authentication. Turn off Wi-Fi Protected Setup (WPS) to prevent bad actors from using it to breach your network.
Make sure wireless security protocols are included in your telework policy, discussed with employees and enforced.
The TV sitcom image of a remote employee working from the local coffee shop is a myth. No connection to company resources should be allowed over public WiFi, access points or hot spots.
Even with these protections, companies are wise to separate out WiFi from their core network by using a firewall.
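As an added example (not part of the original article), the internal audit described above can be partly automated: this Python check reads an access point configuration and reports where it departs from the recommendations on WPA2, EAP authentication and WPS. It assumes the access point runs hostapd, uses constructed sample configurations, and adds one check the article does not mention (the legacy TKIP cipher).

```python
# Constructed sample configs in hostapd key=value syntax; not taken from the article.
WEAK_CONF = """\
ssid=office-wifi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wps_state=2
"""
HARDENED_CONF = """\
ssid=office-wifi
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
rsn_pairwise=CCMP
wps_state=0
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return finding codes; an empty list means every check passed."""
    conf, findings = parse_conf(text), []
    # wpa is a bitfield: 1 = WPA, 2 = WPA2 (RSN), 3 = both. Unset means an open network.
    if conf.get("wpa") != "2":
        findings.append("NOT_WPA2_ONLY")
    # WPA-EAP plus ieee8021x=1 means per-user 802.1X authentication. The EAP method
    # itself (EAP-TLS) is enforced on the authentication server, not in this file.
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    if key_mgmt != ["WPA-EAP"] or conf.get("ieee8021x") != "1":
        findings.append("NO_EAP_AUTH")
    # wps_state: 0 (the default) = disabled, 1 or 2 = WPS enabled.
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS_ENABLED")
    # Extra check beyond the article: flag the legacy TKIP cipher when it is listed.
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP_ALLOWED")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF), "hardened:", audit(HARDENED_CONF))
```

An empty result only means these file-level checks passed; whether clients actually authenticate with EAP-TLS has to be confirmed on the authentication server.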
Encrypt all emails
Emails are a popular target for cyber attacks. Encrypting all emails will make certain that the content is disguised, which will protect any sensitive information that comes up during an email conversation, so that only the intended recipient will be able to see it. This can be done easily by reviewing and selecting an on-device security app.
Apply mobile phone security
Encrypted text messages and email are also freely available and easy to set up on Apple and Android mobile devices, as well as laptops. Current smartphone technology also has built-in encryption for the device that can be utilized by simply turning it on. Using these methods will provide a great level of security that is incredibly difficult to break into. Since this level of encryption is so easy to configure, there is really no excuse not to implement these technologies.
Require two-factor authentication
Protecting the entry point to your company system with two-factor authentication adds an extra layer of security, especially when your team is using their own personal devices from locations around the world.
Implement password security protocols
Devices frequently come with default usernames and passwords that need to be changed.
Another important security protocol is to require passwords to be changed every quarter (or on a schedule you decide). If passwords have been compromised, this could limit vulnerabilities.
Make all passwords long and random. You won’t have to worry about remembering passwords if you use a password locker. LastPass for business has an encrypted password management system that makes password sharing among teams very easy. You simply share individual passwords with team members and they don’t ever see the actual password.
Passwords should only be shared with employees by telephone and entered directly into the password protection system.
The last words: Security training
We don’t think a security breach will happen to us, until it does. Simple security training for all employees should be done annually to provide essential reminders of everyone’s role in the security process.