How do you maintain security when employees work remotely, and your team is transitioning to a remote workforce?
As remote work is becoming a more prevalent trend in business and considering the recent COVID-19 outbreak, there’s no better time for employees and companies alike to make strides in securing remote work.
This guide aims to instruct employees and management of businesses, both small and large, about the tools and steps available to them.
Employing only one of the following security measures will not be enough to thwart cyber threats. Each security measure, in isolation, will not guarantee secure remote work; however, when used in tandem with multiple measures, it creates a compounding effect for your cybersecurity.
1. Develop a Cybersecurity Policy For Remote Workers
If your business allows remote work, you must have a clear cybersecurity policy in place so that every employee’s access to company data is secure. Without a strategy in place, any employee can easily become an entry-point for a hacker to hijack your organization’s network.
To prevent this from happening, create a cybersecurity policy that stipulates guidelines for complying with security protocols at home or while traveling. Policies may include the expected use of approved messaging programs with encryption, such as Signal or WhatsApp; schedules for updating and patching computer security software, such as antivirus or anti-malware software; and protocols for remotely wiping devices if lost.
If your business has the means to give its employees laptops, you should consider it. This strategy is the best way to secure remote work because you can have your IT department manually configure firewall settings and install antivirus and anti-malware.
Conduct Regular Back-ups to Hard Drives
Any business is as good as its data. Most companies nowadays store data online on cloud storage services that are protected by encryption; however, regularly backing up to a physical drive is also encouraged, as such drives cannot be hacked remotely.
Direct employees aren’t the only ones who risk compromising your company’s internal network. Third-party vendors are also responsible for creating entry-points into system infrastructure; therefore, your policy should extend to them as well.
Target’s data breach is an example of a breach caused by excessive privileges from third-party vendors. The Target example illustrates the need for organizations to reform their policy when issuing privileges to third-parties; otherwise, they may inadvertently create weak links in their security.
With third-party vendors in mind, you can gain a better understanding of your third-party environment by taking inventory of all vendor connections. Once you have an idea, it’s possible to increase your security by monitoring and investigating vendor activity through conducting session recordings and looking for any sort of malicious activity or policy violation.
Provide a third-party vendor with a service-level agreement (SLA). This option will force vendors to adhere to your organization’s security policies; otherwise, they face penalties.
Eliminate Shared Accounts
A simple yet effective approach is to eliminate shared accounts among vendors. Without shared accounts, you decrease the risk of unauthorized access; this is yet another reason to invest in a password management tool.
As business and life become more intertwined, employees often use their phones for work purposes. However, working from a mobile device can pose a security risk to your business.
Inform your employees of the danger of unsecured Wi-Fi networks. When using unsecured Wi-Fi, your phone is exposed to potential hackers looking to compromise your device. To prevent any unwanted intrusions, only use encrypted software to communicate.
It’s also best to restrict the use of applications on your mobile device when working. You can do this by delving into your phone’s permission settings for applications (app permissions).
Finally, turning off Bluetooth when working can limit paths to intrusion.
Network Border Protection
For large businesses, network traffic can be filtered to process the flow of legitimate traffic and block potential intruders looking to exploit your network. This filtering means you can analyze and prevent inbound requests that come from unauthorized IP addresses, as these are inherent risks to your system. Configuration blocking incoming requests from unknown sources can be set in your firewall’s inbound rules.
2. Choose a Remote Access Software
When telecommuting, there are three primary ways to secure your work online. Your options are using either remote computer access, virtual private networks, or direct application access. Each method has its benefits and drawbacks. Choose the method that works best for your organization.
Remote PC access methods, such as desktop sharing, connect a remote computer to the host computer from a secondary location outside of the office. This setup means the operator has the ability to access local files on the host computer as if they were physically present in the office.
By logging in to third-party applications, an employee can turn a portable device into a display to access data on their office computer.
Even though the benefit of direct access exists, this kind of software carries a high risk of exposing the company’s internal network to danger because it creates an additional end-point for external threats to access the business’ local area network.
To combat potential risk, not only does the organization have to encrypt its firewalls and communications, the employee’s computer requires the same level of encryption. Depending on the size of your business, this option may be too costly to avail.
Applications such as LogMeIn, TeamViewer, and GoToMyPC provide this type of service.
Virtual Private Network
A virtual private network (VPN) is software that creates a secure connection over the internet by encrypting data. Through the process of using tunneling protocols to encrypt and decrypt messages from sender to receiver, remote workers can protect their data transmissions from external parties.
Most commonly, remote workers will use a remote access VPN client to connect to their organization’s VPN gateway to gain access to its internal network, but not without authenticating first. Usually, there are two choices when using VPNs: IP Security (IPsec) or Secure Sockets Layer (SSL).
IPsec VPNs are manually installed and configured on the remote device. They will require the operator to input details such as the gateway IP address of the target network as well as the security key to gain access to the corporate network.
SSL VPNs are newer and easier to install. Instead of manually installing the VPN, the network administrator publishes the VPN client to the company firewall and provides it for public download. Afterward, the employee can download the VPN client from a target web page.
The drawback of a VPN connection is any remote device that uses a VPN has the possibility of bringing in malware to the network it connects to.
If organizations plan to use VPNs for remote work, it’s in their best interest to have employees with remote devices comply with their security policies.
VPN installation varies based on operating system and type; although, it is quite simple to do.
Direct Application Access
The lowest risk option for remote work is directly accessing work applications. Instead of accessing an entire network, employees can remotely work within individual applications on the network.
In using this method to work, there’s little risk in exposing a company’s internal network to cyber predation. Due to the use of granular, perimeter applications on the network’s infrastructure, there are limited attack surfaces for susceptible data breaches.
Direct application access highly limits the risk of bad actors; in the same vein, it constricts work to the confines of one application. With little connection to all the data on the company’s network, the amount of work an employee is capable of pales in comparison to the aforementioned remote access methods.
3. Use Encryption
As important as it is to choose an access method for your online workers, it’s equally important those methods use encryption to secure remote employees’ data and connections.
Simply put, encryption is the process of converting data into code or ciphertext. Only those who possess the key or cipher can decrypt and use the data.
Encryption software is an added layer of protection for businesses and remote workers. For instance, if a remote employee’s computer is lost or misplaced, and a malicious actor recovers it, encryption software is the first line of defense in deterring unauthorized access.
Advanced Encryption Standard
As it stands, most businesses have the security protocol to use Advanced Encryption Standard (AES) to secure data due to its compatibility with a wide variety of applications. It uses symmetric key encryption, meaning the sender and the receiver use the same key to encrypt and decrypt the data. The benefit of its use over asymmetric encryption is it’s faster to use. Look for encryption software that uses AES to secure company data.
When it comes to using things like email and software for general communication, look for applications that use end-to-end encryption, as it uses incredibly strong encryption that cannot be hacked if the two end-points are secure.
4. Implement a Password Management Software
Since most data breaches occur due to the use of illegally acquired credentials, password management software is an invaluable solution to remote work security.
Random Password Generation
Password management software does vastly more than just store passwords; it can also generate and retrieve complex, random password combinations it stores in an encrypted database. With this power, businesses can entirely reduce the use of the same or similar passwords.
Having all similar passwords has far-reaching consequences. For example, if a bad actor obtains your username and password, they can use those credentials as potential logins for other applications or web properties. Suffice to say, humans tend to reuse passwords, with or without small variations, due to our limited memory capacity. Unique strong passwords can eliminate this from ever happening and the rabbit hole of consequence that follows.
Automated Password Rotation
Additionally, password management software can entail automated password rotation. As the name suggests, passwords are constantly reset to limit the time of potential use. By decreasing the lifespan of a password, sensitive data becomes less vulnerable to attack.
Another strategy you can utilize to protect your data with passwords is to create one-time-use credentials. To enact one-time-use credentials, create a log of passwords in a spreadsheet acting as a “safe.” When you need a single-use password for business reasons, have the user label the password in the spreadsheet as “checked out.” Upon completion of the task, have the user check in the password again and retire it.
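The random generation and the check-out, check-in and retire cycle described above can be sketched as follows. This is an added example, not code from any password management product; the class name SingleUseSafe, the character set, and the in-memory dictionary standing in for the "safe" log are assumptions.

```python
import secrets
import string

# Assumed character set; adjust to what the target system accepts.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length=20):
    """Draw a password from the OS CSPRNG, retrying until it contains
    a lowercase letter, an uppercase letter, a digit and a symbol."""
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


class SingleUseSafe:
    """Hypothetical in-memory stand-in for the "safe" log: each credential
    goes available -> checked out -> retired, and never back."""

    def __init__(self):
        self.entries = {}  # credential id -> {"state", "holder", "secret"}

    def add(self, cred_id):
        if cred_id in self.entries:
            raise ValueError(f"{cred_id} already exists")
        self.entries[cred_id] = {"state": "available", "holder": None,
                                 "secret": generate_password()}

    def check_out(self, cred_id, user):
        entry = self.entries.get(cred_id)
        if entry is None or entry["state"] != "available":
            raise PermissionError(f"{cred_id} is not available")
        entry.update(state="checked out", holder=user)
        return entry["secret"]

    def check_in(self, cred_id, user):
        entry = self.entries.get(cred_id)
        if (entry is None or entry["state"] != "checked out"
                or entry["holder"] != user):
            raise PermissionError(f"{cred_id} is not checked out to {user}")
        # Retire on check-in: drop the secret so it cannot be issued again.
        entry.update(state="retired", secret=None)
```

Because a retired entry can never return to "available", a second check-out of the same credential fails, and so does a check-in by anyone other than the recorded holder.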
5. Apply Two-factor Authentication
Authenticating the identity of a user is an essential aspect of access control. To gain access, typically, one would require a username and password. With two-factor authentication, you can increase remote work security by creating two requirements necessary for login instead of one. Essentially, it creates an added layer of login protection.
Two-factor authentication uses two pieces of information to grant access. It uses credentials such as username and password in conjunction with either a secret question or pin code, which goes to the user’s phone or email. This method makes it hard for malicious actors to access systems, as it’s unlikely they will have access to both pieces of information.
It is recommended businesses adopt this security measure for system log-ins.
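The PIN-code second factor described above, as an added example that is not code from the original guide. The class name PinSecondFactor, the five-minute validity window and the three-guess limit are assumptions; delivery to the phone or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 3       # assumed guess limit per issued PIN


class PinSecondFactor:
    """Hypothetical second-factor store: one pending PIN per user."""

    def __init__(self):
        self._pending = {}  # username -> dict(salt, digest, expires, left)

    @staticmethod
    def _digest(pin, salt):
        return hashlib.sha256(salt + pin.encode()).digest()

    def issue(self, username, now=None):
        """Create a 6-digit PIN; the caller sends it to the phone or email."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = {
            "salt": salt, "digest": self._digest(pin, salt),
            "expires": now + PIN_TTL_SECONDS, "left": MAX_ATTEMPTS}
        return pin

    def verify(self, username, pin, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._pending[username]
            return False
        entry["left"] -= 1
        # Constant-time comparison of salted digests, not of raw PINs.
        ok = hmac.compare_digest(entry["digest"],
                                 self._digest(pin, entry["salt"]))
        if ok or entry["left"] == 0:
            del self._pending[username]  # single use, or guesses exhausted
        return ok


def login(password_ok, factor, username, pin, now=None):
    """Grant access only when both factors succeed."""
    return bool(password_ok) and factor.verify(username, pin, now)
```

A six-digit PIN is only as strong as the limits around it, which is why the example expires the code, caps the number of guesses, and discards it after one successful use.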
6. Employ the Principle of Least Privilege
The Principle of Least Privilege (PoLP) is an effective method to mitigate security risk and limit the privileges of your workers.
Network security privileges come in three flavors: super users, standard users, and guest users, with diminishing privileges in that order. Guest users have no bearing in this discussion, however.
Superusers are those who have full access to system privileges. They can issue changes across a network by completing actions such as installing or modifying software, settings, and user data. It is when superuser accounts fall into the wrong hands that calamity occurs on the largest scale. Depending on which operating system you use, superusers go by different names: administrator accounts in Windows systems and root accounts in Linux or Unix systems.
The second user account of note is the standard user, also known as the least privileged user, and it has a limited set of privileges. This restricted account is the one you want your workers to use most of the time, especially if they don’t belong in your IT department.
As a precaution, we recommend having all employees use standard user accounts for routine tasks. Only give superuser privileges to trusted members of your IT team and have them only use these particular accounts to perform administrative duties when absolutely necessary. This approach, known as the principle of least privilege, dramatically eliminates the risk of a severe data breach by limiting excess.
Remove Orphaned Accounts
Orphaned accounts are problematic because they are old user accounts that contain data encompassing usernames, passwords, emails, and more. These accounts generally belong to former employees, who have no current connection to the company. These past employees may have moved on, but their accounts might still be on your network and remain accessible.
The problem is they are hard to see if your organization doesn’t know they exist. If you possess orphaned accounts on your network and external or internal threats find them, they can be used to escalate their privileges. These attacks are known as pass-the-hash (PtH) attacks. These insidious attacks leverage the use of low-level credentials to gain entry into your network and aim to steal the password hash from an admin account. If stolen, hackers can reuse the hash to unlock administrative access rights.
The best way to find and remove orphaned accounts, and any potential threats, is to use a privileged access management solution. These tools help to locate and remove lingering accounts.
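A minimal version of the check for orphaned accounts, assuming you can export an account list and a current-employee roster. This is an added example, not the code of any privileged access management product; the field names, the 90-day threshold and the sample records are constructed for illustration.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold

# Constructed sample export of accounts (not real data).
ACCOUNTS = [
    {"username": "asmith", "owner": "E1001",
     "last_login": date(2024, 5, 28), "privileged": False},
    {"username": "bjones", "owner": "E1002",
     "last_login": date(2023, 11, 2), "privileged": False},
    {"username": "svc_backup", "owner": None,
     "last_login": date(2024, 5, 30), "privileged": True},
    {"username": "cdavis", "owner": "E1003",
     "last_login": date(2024, 1, 15), "privileged": False},
    {"username": "dlee_admin", "owner": "E1002",
     "last_login": None, "privileged": True},
]
# Constructed roster of current employee IDs.
ACTIVE_EMPLOYEES = {"E1001", "E1003"}


def find_orphaned(accounts, active_employees, today):
    """Return (username, privileged, reason) for accounts that have no
    current owner or have gone unused, privileged accounts first."""
    findings = []
    for acct in accounts:
        if acct["owner"] not in active_employees:
            reason = "owner not on current roster"
        elif acct["last_login"] is None:
            reason = "never used"
        elif today - acct["last_login"] > STALE_AFTER:
            reason = "no login in over 90 days"
        else:
            continue
        findings.append((acct["username"], acct["privileged"], reason))
    # Privileged accounts sort first because they carry the most risk.
    return sorted(findings, key=lambda f: (not f[1], f[0]))


if __name__ == "__main__":
    for name, priv, reason in find_orphaned(
            ACCOUNTS, ACTIVE_EMPLOYEES, date(2024, 6, 1)):
        print(f"{name:12} privileged={priv!s:5} {reason}")
```

The account with no owner at all (svc_backup) is flagged even though it logged in recently, which is the case an inactivity check alone would miss.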
7. Create Employee Cybersecurity Training
Internal personnel represent a large share of the danger facing a company’s network security. In fact, just over one-third of all data breaches in 2019 occurred due to a malicious or negligent employee.
That doesn’t have to be the case. Instead, businesses can alleviate the danger of insider threats by cultivating a security culture through training employees on cybersecurity best practices.
Physical Security of Devices
To begin, secure remote employees by encouraging them to lock computers when traveling physically. If there’s no physical access to their device, the chances of foul play remain low. Secondly, when employees work in public locations, instruct them to be aware of any onlookers when typing in sensitive information, such as logins or passwords. This phenomenon is called “shoulder surfing” and is more effective than it seems.
Instruct employees to always log-off or shut down their computers when not in use. Leaving a computer on that is not password-protected is as effective for system entry as any malware attack.
Lastly, if passwords get written down on paper, have your workers rip-up these papers instead of merely throwing them in the trash.
Safe Internet Protocols
If your business is unable to provide laptops or computers with internet restriction applications to remote staff, you can set guidelines for best practices in safe browsing, installing pop-up blockers, and downloading of trusted applications for work.
Social Engineering Attacks
Malicious actors that use human psychology to trick people into giving sensitive information are called social engineers. These social engineering attacks come in multiple forms; however, the most common are called phishing attacks.
Hackers design these attacks to mislead employees to a fake landing page to steal information or install malware that they use to compromise network security. Most commonly, phishing attacks occur from unsolicited emails. Therefore, train staff never to open unsolicited emails or click unknown links in messages, and to beware of attachments.
Secure Your Remote Workforce
In a globally decentralized business landscape, malicious actors will continually present a risk to business network security. With this danger in mind, businesses must take preventative measures in securing remote work for their employees or suffer the consequences.
No matter the size of your business, there are affordable solutions you can exercise to protect your livelihood. If you need help in determining which option is best for your business, enlist the help of our experts today for a consultation. Hear one of our experts speak about the importance of Keeping a Tight Grip on Office 365 Security While Working Remotely.