Cybersecurity for the Remote Workforce
This article is a special contribution from Jeff Dawley, Founder, Cybersecurity Compliance Corporation.
And there we all were, mid-March, sending our teams off to their homes with whatever devices were available. Everyone was suddenly scrambling to set up confidential access, online communication standards and some kind of structure for resources now forced to juggle home life with maintaining job continuity.
While many people were already remote-enabled, wide swaths of our workforce had remained tied to their physical office location for various reasons.
With this sudden change, or when addressing any remote work situation, there are locations that need to maintain a minimum level of cybersecurity in order to protect the assets of the organization.
There are two sides to this cybersecurity coin. First, the organization itself needs to prepare in order to best support a remote workforce. This includes everything from establishing policies and staffing the support function through to acquiring and controlling devices. Second, the individual resource needs to reconcile what has previously been a personal cyber-environment with office-level cybersecurity requirements; simply plugging a secure device into an unprotected home network will not protect your data.
Let’s tackle the work needed on the organization side first.
Step one is a collection of tasks designed to prevent adverse events from happening through education, awareness and compliance testing. Ensure you have or create policies for acceptable use of technology, privacy, data protection, social media and use of images, ideally complemented by a policy dedicated to remote work. In addition to having policies in place, running regular online education modules followed up by quizzes and phishing simulations will reinforce the importance of awareness with your teams. Unfortunately, the chaos and uncertainty around the current pandemic have both reduced our attention on cybersecurity and increased the opportunity for bad actors to compromise our systems and data. According to Trend Micro, there were over 907,000 known malicious spam emails related to the coronavirus by the end of Q1 2020, along with 48,000 hits on malicious URLs.
Second is a series of technical decisions and related documentation around connection methods, authentication and device protection. Ensure your level or appetite for risk is met with appropriate technology controls. Remote access can be enabled through more secure methods like tunneling (VPNs) or secure portals, or less secure options like remote desktop access or direct application access (without adding any additional security layer), where risk or confidentiality remains less important. In addition, role-based access should limit access to only the systems required by the individual user to complete their task. Combine this with at least two-factor authentication when signing in, relatively short timeout periods and a robust password policy to reduce the risk of being compromised. For more sophisticated organizations, you can lock down admin rights on the devices and perform device health checks prior to granting access. With respect to devices, all endpoints connecting to a work network should be updated with the most recent security patches and approved virus protection.
And finally, there is the concept of a disaster recovery and business continuity plan. If you have not drafted one before now, this is your opportunity. You have a real-life example of what needs to be done if you don’t have physical access to your primary work location, and the lessons learned now will benefit you in the future.
More information around how to address your organization’s broader cybersecurity needs can be found in a cybersecurity framework called NIST CSF, one of the most easily understood and implemented cybersecurity frameworks.
As if it was not challenging enough thinking through these things from an organizational perspective, we need to also consider the practical and emotional needs of our remote workforce. Finding ourselves, and our teams, working from home environments unexpectedly means juggling the concern around the global pandemic and our loved ones, children and other device users in the house, pets and coffee, shared work/live spaces, etc. The last thing people want to worry about is whether or not their behaviour might be exposing their workplace to a cyberattack.
There are ways to help address some of the basics around cybersecurity so you and your team can keep your mind on the things that matter most.
Here are a few tips around how to secure your work-from-home environment:
Make sure you are up to date on your company policies around use of technology, data protection and privacy. These will include password complexity guidelines and any requirements to stay current with your cyber education and phishing/compliance testing.
It is important to know all the devices that connect to the network you are using for work. You should also limit or completely restrict who else in the household has access to your work device.
- Home Network
Do you run a separate network for work, or a secure, dedicated tunnel to your work environment? Do you have a complex password? Do you know how to stay updated with patches, security updates and anti-virus software? If the answer is no to any of these questions, you should connect with your IT department or IT service provider for advice.
- Video Conferencing
Cover your camera when not in use, and before beginning a video call, look back from the camera to ensure there is no confidential information in view. Ideally, you would conduct such calls from a private room that has a physical lock, and only using company-approved technology.
- Data Storage and Transfer
Follow your organization’s guidance around when to email and when to use other secure methods of exchanging data. You should also avoid storing sensitive files on your local machine.
- Physical Security
Lock your doors when you leave and always keep your technology out of sight from outside your residence when not in use.
We have talked about how to help secure your organization’s IT environment when deploying a remote workforce, and we addressed what individuals can do to help prevent cyberattacks in their home workspaces. The key to most of these tips is simply awareness. If you and your teams remain aware of potential hazards, risks and possible attacks, then you have a better chance of avoiding them altogether.