The trend towards remote working and working from home has brought with it many opportunities and challenges for organizations of all sizes. These challenges range from cultural and people issues, to legal and compliance, to technology and infrastructure, but in every case they are forcing organizations to reconsider how they operate under this new model.
One of the key areas that can easily be overlooked in this (often hurried) move towards working from home is cyber security: how to keep our staff and business assets secure. Security threats continue to increase, and with staff now working from home the landscape for those tasked with securing our organizations has changed again.
Here are 11 ways that you can help your organization remain cyber secure with staff working remotely and working from home.
Educate staff on security threats
As much as we can deploy technology solutions to enhance our security posture, ultimately the weakest link will always be our people. Despite all the best intentions, most security breaches are still caused not by hackers or flawed software, but by staff clicking on the wrong link or falling for a clever scam.
It is that human element of curiosity and trust that opens a window of vulnerability, and it is why exploitation efforts are increasingly focused on people rather than infrastructure. In an 18-month analysis, Proofpoint reports how much cyberattack strategies now depend on engaging people.
“Instead of attacking computer systems and infrastructure, threat actors focused on people, their roles within an organization, the data to which they had access, and their likelihood to “click here.” Whether attacking at a massive scale in large, indiscriminate campaigns, going after specific industries or geographies with more targeted campaigns, or seeking out a single person within an organization, attackers and their sponsors consistently found human beings to be the most effective vectors to infiltrate organizations and facilitate fraud and theft.” - proofpoint.com, The Human Factor Report 2019
From the same report, the data shows that attackers are now less likely to target executive identities and are focusing more on non-executive staff, who are more likely to have publicly available contact details online, which makes them easier for attackers to find and target.
The best action you can take here is to provide staff with regular, ongoing education to help them understand the importance of cyber security, and to help them to identify risks and know how to respond when they do appear. This can be done through in-house training sessions, or with regular communication on collaboration platforms such as Yammer. There are even extremely affordable solutions available that automatically drip-feed security awareness training to staff via email, as well as test and report on the effectiveness of this training over time using ‘friendly phishing’ campaigns.
Enable multi-factor authentication
Multi-factor authentication is currently the single most effective technology solution you can deploy to help keep your organization secure. Most modern applications include multi-factor authentication; however, it is not always enabled by default. For most other applications and services that do not natively support multi-factor authentication, there are third-party solutions that can be installed to add it.
To deploy multi-factor authentication across your organization, you are best starting with an audit of all the applications and services in use. Then you can drill down into each of them to ascertain whether they natively support multi-factor authentication, and if so whether it is enabled for all user accounts. Be aware that some applications allow multi-factor authentication to be enabled (or not) on a per-user-account basis, so make sure to check each user account within each application to ensure it is enabled.
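The audit described above, as an added PowerShell example that is not part of the original article. It works from a constructed inventory (application, whether it natively supports MFA, user, whether MFA is enabled for that user); in practice those rows would be exported from each application's admin console. The application and user names are made up.

```powershell
# Added example (not from the original article): summarise an MFA audit from a
# constructed inventory. Real rows would come from each application's admin console
# or API; everything below is made up for illustration.
$inventory = @'
Application,NativeMfa,User,MfaEnabled
Microsoft 365,True,alice@example.com,True
Microsoft 365,True,bob@example.com,False
Xero,True,alice@example.com,True
Xero,True,carol@example.com,True
LegacyCRM,False,bob@example.com,False
LegacyCRM,False,carol@example.com,False
'@ | ConvertFrom-Csv

# Step 2 of the audit: applications with no native MFA need a third-party add-on.
$noNativeMfa = $inventory |
    Where-Object { $_.NativeMfa -eq 'False' } |
    Select-Object -ExpandProperty Application -Unique

# Step 3: MFA can be switched on per account, so check every user row, not just the app.
$gaps = $inventory | Where-Object {
    $_.NativeMfa -eq 'True' -and $_.MfaEnabled -ne 'True'
}

# Coverage per application, useful as a metric to track between audits.
$coverage = $inventory | Group-Object Application | ForEach-Object {
    $enabled = @($_.Group | Where-Object { $_.MfaEnabled -eq 'True' }).Count
    [pscustomobject]@{
        Application = $_.Name
        Users       = $_.Count
        MfaEnabled  = $enabled
        Percent     = [math]::Round(100 * $enabled / $_.Count)
    }
}

"Applications without native MFA (need a third-party solution):"
$noNativeMfa | ForEach-Object { "  $_" }
"`nAccounts on MFA-capable applications with MFA still disabled:"
$gaps | ForEach-Object { "  $($_.Application): $($_.User)" }
"`nCoverage by application:"
$coverage | Format-Table -AutoSize
```

With the constructed data this reports LegacyCRM as needing a third-party solution, bob@example.com on Microsoft 365 as the one account still without MFA, and 50% coverage for Microsoft 365. Re-running the same report after each change gives you a record that the rollout is progressing.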
Keep all software updated and patched
Hackers are constantly finding previously undiscovered flaws in software applications that they can use for malicious purposes, in turn prompting software vendors to release patches, updates and hotfixes as quickly as possible to fix these flaws and keep their application as secure as possible. For cloud-based applications such as Xero and SharePoint these updates are automatically applied by the software vendor.
However, for software applications that are installed on our own computers (including the Windows or macOS operating system itself) we need to ensure that these updates are installed promptly to keep our computers as secure as possible. Ideally your organization will either have a Mobile Device Management (MDM) or Remote Monitoring and Management (RMM) tool in place to ensure this happens on all computers (even the remote ones), or your Managed Service Provider will be looking after this for you.
If you don’t have either your own in-house IT support or a Managed Service Provider managing this for you, it is still possible to ensure your computers stay updated and patched, although it is likely to take a bit more work for you to make it happen.
Device Physical Security
Not all security threats come via the internet. The physical security of your computers and devices is just as important a consideration in keeping your organization secure.
Lock your doors
If you have a computer at home that has access to any work-related information, confidential corporate information is at risk. The computer should be kept in a room with a lockable door, and the door should be locked whenever you are not in the room. If you have a laptop you could even take the next step of securing it in a drawer or cupboard when not in use.
Lock your screen
All computers and mobile devices should be configured to automatically lock the screen, ideally after no more than five minutes. This is particularly important if you are working from home with other people living in the house (especially children!). All the passwords and security software in the world are useless against an unattended and unlocked computer, and a child wanting to play!
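As an added example (not from the original article), this PowerShell snippet applies the five-minute auto-lock to the current Windows user and then reports whether the result is compliant. It uses the standard per-user registry values that the Windows screen saver reads; the assumption is a Windows 10/11 machine where the user can write to their own HKCU hive.

```powershell
# Added example (not from the article): lock the current Windows user's screen after
# 5 minutes of inactivity and require a password to resume, then verify the settings.
$path = 'HKCU:\Control Panel\Desktop'
$timeoutSeconds = 300   # five minutes, the upper bound the article suggests

Set-ItemProperty -Path $path -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $path -Name 'ScreenSaveTimeOut'   -Value "$timeoutSeconds"
Set-ItemProperty -Path $path -Name 'ScreenSaverIsSecure' -Value '1'   # password on resume
# A screen saver must be selected for the timeout to apply; the built-in blank one is fine.
Set-ItemProperty -Path $path -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"

# Verification: read the values back and flag anything that still allows a longer idle time
# or lets the screen saver dismiss without a password.
$current = Get-ItemProperty -Path $path
[pscustomobject]@{
    Active          = $current.ScreenSaveActive
    TimeoutSeconds  = $current.ScreenSaveTimeOut
    RequirePassword = $current.ScreenSaverIsSecure
    Compliant       = ($current.ScreenSaveActive -eq '1' -and
                       $current.ScreenSaverIsSecure -eq '1' -and
                       [int]$current.ScreenSaveTimeOut -le 300)
}
```

The new values are picked up at the next logon. For an organization-wide setting the same four values are applied by Group Policy under User Configuration, Control Panel, Personalization, which writes them to the Policies branch of the registry so users cannot change them back.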
Never leave laptops or devices in the car
Even though your car may feel like a secure place to keep your laptop, unfortunately that is not the case. It is all too easy for a criminal to either steal your car or ransack it for valuables like a laptop. Although not a security threat as such, here in Australia we have even seen laptops physically melted into useless blobs by the scorching summer sun when left in a car in the sun for too long.
Keep work data on work computers
Although most people will have a personal computer at home, when working from home it is highly recommended that they do not use their personal computer for work matters, but instead use a computer that is supplied and managed by the organization. A work computer is far more likely to be properly updated and patched, and to have higher level security applications and controls in place.
With a personal home computer, particularly one shared by multiple family members, the risk is too high that poor security controls and practices are in place, and the computer cannot be considered safe to use to access confidential corporate information.
Encrypt data at rest
By encrypting data, we ensure that should anyone else gain access to that data they will not be able to read it. The data to them will effectively be useless. A lot of the data that we send via networks and the internet is automatically encrypted, meaning that anyone ‘listening in’ on those data transmissions will not be able to access the information.
What a lot of people do not realize is that the data that we store on our computer’s hard drives, by default, is not encrypted. This means that should someone gain physical access to your computer it is a simple job for them to physically remove the hard drive, plug it into another computer, and have full access to everything saved on that hard drive (even cached and draft versions of documents and emails that we may not even realize are there).
Encrypting the ‘data at rest’ on our hard drives is surprisingly easy. Windows computers have a built-in feature called BitLocker which, when enabled, will automatically encrypt the data on your hard drive, rendering it effectively useless to anyone else trying to access it on another computer. Mac computers have a similar feature called FileVault. For corporate computers, these features can be automatically enabled by your IT department or Managed Service Provider, while for individual computers this feature can be enabled manually.
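The manual BitLocker check and enablement, as an added PowerShell example that is not from the original article. It assumes an Administrator PowerShell session on a Windows edition that includes BitLocker (Pro or Enterprise) and a PC with a TPM; the recovery password it prints must be stored somewhere safe before the encryption is allowed to finish.

```powershell
# Added example (not from the article): report BitLocker status for every volume and
# enable it on the system drive if it is not yet protected. Run as Administrator on a
# Windows Pro/Enterprise PC with a TPM.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, VolumeStatus, EncryptionPercentage |
    Format-Table -AutoSize

$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -eq 'Off') {
    # Add a recovery password first so the drive can still be unlocked if the TPM fails
    # or the machine's firmware changes. Record it before continuing.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    "Recovery password (store securely before continuing): $($recovery.RecoveryPassword)"

    # Encrypt with XTS-AES 256; the TPM unlocks the drive automatically at boot.
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
} else {
    "$($os.MountPoint) already protected: $($os.VolumeStatus), $($os.EncryptionPercentage)% encrypted"
}
```

Encryption continues in the background after the command returns; re-run `Get-BitLockerVolume` to watch `EncryptionPercentage` reach 100. On corporate devices the recovery password should be escrowed centrally (Active Directory or Azure AD) rather than kept on the machine, which is the part an IT department or MDM automates.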
Avoid using portable storage devices
Portable storage devices such as USB thumb drives can be extremely convenient, however not only do we have far better and more convenient options these days, but they also present a significant security risk.
A classic hacking technique is to drop several USB thumb drives near the organization you are looking to attack. It has been shown time and again that a surprisingly high number of people finding one of the drives will take it and plug it into their work computer and open the files, at which point – bammo – their computer is infected. For this reason, if you absolutely must use a USB thumb drive, make sure it is a known-good device.
The other concern is of course that a staff member saves some confidential files to a USB thumb drive and then accidentally loses it. At that point there is nothing to stop someone else finding that drive and accessing the files.
Of course, these days we do have far more effective and convenient solutions than USB thumb drives, such as Microsoft OneDrive. By saving our files to OneDrive we can be confident that not only are they secure and encrypted, but that we can also access them from any of our authorized devices whenever we need to.
Use Advanced Endpoint Security
When staff work from the office, we can provide extra layers of security and protection on the corporate network using powerful devices such as web filters and firewalls. Unfortunately, when users work remotely or from home, they rarely have such devices on their home internet connection, meaning one less layer of protection we can rely on.
Thankfully there is a new class of endpoint security products emerging on the market that not only provide the features of traditional endpoint security software (i.e. antivirus software) but also go at least part of the way to providing the protection that a corporate firewall would usually provide. And given that this software is installed on each computer, it does not matter whether that computer is located on the corporate network or a home network: the protection is still in place.
Connect to legacy office servers safely
Even though so much of what we do is now served in the cloud, there are still many situations where companies maintain their own applications on their own servers. This may be due to a legacy application that isn’t yet supported in the cloud, or it may be because of particular business processes that are more efficiently handled with data stored locally within the office. Whatever the reason, if staff need to connect from home back into the corporate network, it’s crucial that this be done as safely and securely as possible.
Virtual Private Network (VPN)
The first secure option is to use a virtual private network. In many ways this is just like connecting directly to the office network, except that you are doing so via the internet. VPNs are easy to use and once connected will allow staff to access office-based resources as if they were physically in the office (albeit maybe a bit slower). Key points for using a VPN:
- VPN access should only be granted to those staff with a justifiable need and reviewed periodically.
- Only work computers should be used to connect to the VPN.
- Connecting to the VPN should require multi-factor authentication.
Remote Desktop Gateway
The other recommended option for connecting to the office network from home is to use a Remote Desktop Gateway. This is a service that can be configured to run on your organization's network to allow staff working remotely to effectively remote control a computer that is physically on the office network. This office computer can be a normal desktop computer, or it could be a dedicated Remote Desktop Server (or Terminal Server, as they used to be called). Key points for using a Remote Desktop Gateway:
- Remote Desktop Gateway access should only be granted to those staff with a justifiable need and reviewed periodically.
- Connecting to the Remote Desktop Gateway should require multi-factor authentication.
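Both lists above ask that VPN and Remote Desktop Gateway access be limited to staff with a justifiable need and reviewed periodically. As an added PowerShell example (not from the original article), the following script performs that periodic review. It assumes an Active Directory domain with the RSAT ActiveDirectory module installed, and that remote access is granted through the hypothetical groups `VPN-Users` and `RDG-Users`; substitute your own group names.

```powershell
# Added example (not from the article): periodic review of who holds remote-access rights.
# Assumes Active Directory with the RSAT ActiveDirectory module, and that VPN and
# Remote Desktop Gateway access are granted via the (hypothetical) groups below.
Import-Module ActiveDirectory
$accessGroups   = 'VPN-Users', 'RDG-Users'   # assumed group names; substitute your own
$staleAfterDays = 90

$review = foreach ($group in $accessGroups) {
    # -Recursive expands nested groups so indirectly granted access is reviewed too.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate
            # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
            # which can lag by up to 14 days; good enough for a 90-day staleness check.
            $lastLogon = $u.LastLogonDate
            $stale = (-not $lastLogon) -or ($lastLogon -lt (Get-Date).AddDays(-$staleAfterDays))

            # Disabled accounts should simply be removed; unused ones need the
            # manager to confirm the access is still justified.
            if (-not $u.Enabled) { $action = 'Remove (account disabled)' }
            elseif ($stale)      { $action = 'Confirm still needed' }
            else                 { $action = 'OK' }

            [pscustomobject]@{
                Group     = $group
                User      = $u.SamAccountName
                Enabled   = $u.Enabled
                LastLogon = $lastLogon
                Action    = $action
            }
        }
}

$review | Sort-Object Group, Action | Format-Table -AutoSize
# Keep the dated output as the record that the review took place.
$review | Export-Csv -Path ".\remote-access-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Scheduling this monthly and keeping the CSV gives you both the review itself and the evidence that it happened, which is what auditors ask for when they see "reviewed periodically" in a policy.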
Backup remote laptops
It is important that all company information be backed up securely, to ensure that in the event of a lost device, data corruption, or other unforeseen event the information can be recovered. In most cases staff should be saving their work directly into an application or approved storage location such as SharePoint or Teams, however it is inevitable that some files will be saved to other locations on the computer such as the Desktop or the Documents folder.
The good news is that automatically backing up these locations is very easy using a feature in Microsoft OneDrive. Simply by enabling this feature, certain folders on all computers will be automatically backed up to the cloud, keeping files safe for recovery if required. This feature can be enabled manually on each computer or, ideally, centrally on all computers by your IT support team.
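The central enablement mentioned above, as an added PowerShell example that is not from the original article. It writes the OneDrive "known folder move" policy values that Group Policy or Intune would otherwise set, so that Desktop, Documents and Pictures are redirected into the user's OneDrive. It assumes an Administrator session on a managed Windows PC, that the user signs in to OneDrive with a work account, and a placeholder in place of your real Microsoft 365 tenant ID.

```powershell
# Added example (not from the article): enable OneDrive known folder backup by policy on
# this Windows PC. Run as Administrator. The tenant ID below is a PLACEHOLDER.
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$tenantId = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: your Microsoft 365 tenant ID

if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

# Silently move Desktop, Documents and Pictures into OneDrive for users of this tenant.
Set-ItemProperty -Path $policy -Name 'KFMSilentOptIn' -Value $tenantId -Type String
# Tell the user afterwards (1) rather than moving the folders invisibly (0).
Set-ItemProperty -Path $policy -Name 'KFMSilentOptInWithNotification' -Value 1 -Type DWord
# Prevent users from moving the folders back out of OneDrive.
Set-ItemProperty -Path $policy -Name 'KFMBlockOptOut' -Value 1 -Type DWord

# Verify what is now configured.
Get-ItemProperty -Path $policy |
    Select-Object KFMSilentOptIn, KFMSilentOptInWithNotification, KFMBlockOptOut
```

The move happens the next time the OneDrive client signs in with an account from the named tenant; personal Microsoft accounts are unaffected. Files already in those folders are uploaded, so check that the users' OneDrive storage quota can hold them before rolling this out widely.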
Report lost devices immediately
Despite the best of intentions, it is inevitable that at some stage a computer, laptop or mobile device will be lost, stolen, infected or in some other way compromised. When this happens, it is critical that the staff member concerned notify management and IT support immediately. By doing so the organization has the best chance possible to limit the impact of the compromise, whether that be by remotely wiping company data, isolating an infected network device or otherwise securing company resources.
Although this may sound self-evident, the fact is that some of the time staff may not even be aware that a compromise has occurred. They may leave a laptop in a taxi and not realize it for hours. Or they may have clicked on a dodgy link in an email and thought nothing bad happened. In any case they may be feeling embarrassed or vulnerable, and concerned about the consequences. It is important, though, that staff be trained to notify management immediately, and reassured that doing so is the safest and best course of action.