With COVID-19 requiring nonessential workers to work from home or social distance, many organizations are trying to navigate having their workers out of the office while still maintaining optimal security practices in their home offices. Keep reading for some recommendations on how to maintain optimal cybersecurity with remote staff.
How Do You Keep Up with Security Requirements When Employees Work Remotely?
The very first step is to provide workers with security knowledge. What are the expectations for them, their home office, and the equipment in their home office? The answers to these questions should be clearly communicated to them. In some cases, where security and privacy are paramount, these expectations can be documented in a work-from-home policy that remote workers sign to acknowledge they will abide by it.
I recently had a client in the medical insurance industry that created a policy that included: workspace requirements, internet speed requirements, and hardware and software requirements. These workers have never worked from home and they deal with very sensitive data, so this policy was important to our client to both educate their employees and get assurances that security would be part of everyone’s home office.
What Protocols Should be Used to Provide Security for Employees that Access Systems Remotely From Home?
First, the accounts used for business should be secured. Passwords should be strong and NOT used across multiple accounts. Additionally, two-factor (2FA) or multi-factor (MFA) authentication should be enabled on all accounts that allow for that option. Having a strong password is not always going to be enough against attackers, which is where 2FA or MFA can be beneficial. For additional information on password guidelines, see our post on NIST password guidelines.
Make sure all devices have security protection
It is important that every remote worker has appropriate security protection for their devices. That means the most current security protection available should be active on all devices that will be used for work. This would include current security patches, firewalls, device encryption, and virus scanners.
- Security Patching – Critical and noncritical security patches are released continuously to address security vulnerabilities. Having employees stay current on the available patch levels can help with potential security incidents or other known issues. Employees should be required to have operating system patches installed automatically, or there should at least be requirements around what patch level any equipment used for work should be within.
- Firewalls – Firewalls form a protective layer between the internet and employee devices. They can help prevent malicious programs from getting onto a device and also prevent company data from leaking from a device. Many laptops have built-in firewalls that just need to be enabled, or there are many third-party firewall options that can be added.
- Device Encryption – Full disk encryption is available on almost any device. Enabling the encryption is simple and should not impact the device. This is beneficial if a device is ever lost or misplaced, as it would prevent anyone without the password from gaining access to the data on the device.
- Virus Scanners – While firewalls are a great layer of protection, there is always the risk that a threat could get through. The next line of defense would be antivirus software that is set to run continuously or periodically to detect and block discovered malware.
Beyond devices such as laptops and mobile phones, other devices used for a home network should also be secured. If a router is used, it is important to ensure the initial password is changed and to make sure any available security patches have been applied. Additionally, if Wi-Fi is used, making sure the Wi-Fi is secured and password protected is very important to security.
Another thing to consider with remote workers is setting the expectation of how they will be communicating, both internally and with clients. How is everyone communicating? Google Hangouts, WebEx, or Zoom for web conferences? How about a chat tool? Having everyone on the same page with the preferred method of communication and how to use it will make meetings go a lot smoother and guide employees to a secure method of communication.
Once all devices being used to access company or client data have been secured, getting to company and client data from home should be addressed.
What are some Secure Remote Access Methods that can be used While Working from Home?
VPN into Company Network: With users working out of their home office, there is not the luxury of having them just log in and immediately be on the secured company network. If a company is using a traditional network, getting them securely into the network and then keeping any data passing back and forth secure is key. A virtual private network (VPN) is very beneficial because it encrypts a user’s internet traffic so it would be unusable if it was intercepted in transit. While workers are remotely accessing a work environment, it is important that they are encrypting information passing from their device back into the company network. VPNs can slow down internet speeds, so companies should look into the VPN options available and determine the best option for their remote workers.
Secure Cloud File Share: Where a traditional network is not being utilized, there is almost always the need to share and collaborate on files and data. Finding the right method that is secure and provides the right amount of storage is critical. There are many cloud storage solution options available that are accessible, secure, and traceable. Solutions are available at all different price points, so an organization of any size can find one that meets its needs. Additionally, some cloud storage solutions can integrate into existing systems, offer desktop syncing, audit trails, etc. And with pretty much any solution available, there is built-in security (i.e. encryption at rest and in transit).
Having remote workers adds additional security risks to an organization, but with the right planning and setting of expectations with employees about the remote office setup, business can continue as close to usual as possible during these times.
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.