Around the world, many people already work full-time from the comfort of their homes or local coffee shops. Employers have discovered, and research has consistently shown, that when employees telework, they remain productive due to having fewer distractions and spending less time commuting.
While the ability to allow staff to work remotely when needed gives greater flexibility to corporations, it also comes with cybersecurity risks. Not only can remote workers put their own privacy at risk, but working remotely could result in a breach in the company’s security.
Allowing some employees to work remotely from time to time is something most companies could handle prior to the last few months. However, when faced with a natural disaster, few organizations are prepared to have large numbers of their employees suddenly work remotely at the same time.
Many companies previously did not have the infrastructure to support large numbers of people working remotely, and even fewer have the security to ensure their sensitive data isn’t being exposed. For the majority, their underlying hardware, software and support infrastructure are only designed to accommodate a small portion of their employee population working remotely.
If a company is considering allowing a large number of employees to work remotely, management should first ask their IT department whether their corporate network and infrastructure can handle the strain of, for example, having hundreds or thousands of remote users suddenly access infrastructure built for a fraction of the load, and/or having a majority of connections come in over virtual private networks (VPNs).
In addition to making sure the company’s IT infrastructure can handle large numbers of remote workers, management needs to check whether their organization has any established security guidelines for remote work (including employee use of personal devices for company business) and for remote access to company information systems. If no relevant plans or policies are in place, this is a good time to establish at least some basic guidelines to address these issues.
The following are a few of the things an organization should examine to ensure its cybersecurity when employees work remotely:
VPN – Employees working remotely should use a VPN. Many people are aware that using a VPN will bypass geographic restrictions on streaming sites and other location-specific content. But a VPN has another important role, and that’s improving online privacy. A VPN encrypts all of your internet traffic, making it unreadable to anyone who intercepts it. Make sure employees exclusively use the VPN when working and when accessing company information systems remotely.
Wi-Fi Connections – Most Wi-Fi systems at home these days are somewhat secure. However, when outside the home, employees should be aware that unsecured public Wi-Fi networks in restaurants and public spaces are prime spots for malicious parties to spy on internet traffic and collect confidential information.
Home Routers – Many people don’t change their home router password when it is first installed, leaving their home network vulnerable. It’s important for employees to take simple steps to protect their home network in order to prevent malicious parties from gaining access to connected devices.
Changing the router password is a good first step (it should be long and strong). Other actions might include requiring employees to make sure firmware updates are installed so that security vulnerabilities can be patched.
Passwords - It’s as important as ever to ensure that all accounts are protected with strong passwords. Unfortunately, many people still use the same password across multiple accounts. This means that all it takes is one compromised password for a criminal to take over all of their accounts. (Note: “Remember password” functions should always be turned off when employees log into company information systems and applications from their personal devices.)
Two-factor Authentication - Having strong passwords often isn’t enough, for example, if an employee's credentials are leaked in a data breach. Two-factor authentication and two-step verification involve an additional step to add an extra layer of protection to an employee’s accounts.
The extra step could be an email or text message confirmation, or a biometric method such as facial recognition or a fingerprint scan.
Backups - All important files should be backed up regularly. In a worst-case scenario, staff could fall afoul of ransomware, for instance. Then all is lost without a backup. One of the most convenient and cost-effective ways to ensure important files are backed up is to store a backup of data in the cloud.
Firewalls - Firewalls act as a line of defense to prevent threats from entering your company’s system. They create a barrier between your employees’ devices and the internet by closing ports to communication. This can help prevent malicious programs’ entry and can stop data leaking from employees’ devices. Your employees’ device operating systems will typically have a built-in firewall.
In addition, hardware firewalls are built into many routers. Just make sure that they are enabled.
Antivirus Software - Ensure antivirus is in place and fully updated. Although a firewall can help, threats will inevitably get through. Good, advanced antivirus software can act as the next line of defense by detecting and blocking known malware. Even if malware does manage to find its way onto an employee’s device, antivirus software may be able to stop it.
Encryption - When employees need to communicate sensitive information to fellow workers, up-to-date encryption tools should be installed on their devices. If your company doesn’t already provide them with secure methods of communication, you may have to come up with other options. Many mainstream messaging services come with end-to-end encryption as default or as an option.
Locking Devices - If employees have to work in a public space, then it’s important for them to keep their device secure. Password-protecting a device will usually keep its contents protected until someone enters the password. A policy requiring employees to do this should be in place.
Phishing - Train employees on how to spot and handle phishing attacks and other forms of social engineering involving remote devices and remote access to company information systems. Employees should be warned to be suspicious of emails from people they don't know, especially if they are asked to click on a link or open a file. Even emails sent from people they know, but asking for unusual things, should be suspect. Instruct your employees to double-check by phone call when in doubt.
Contact for Reporting Problems – Provide an email address and/or phone number for employees to contact your company’s Incident Response Team in case they experience any potential security problems when working remotely.
Finally, a word about the use of personal devices:
Home Computers - Providing laptops for all employees can be costly, so many organizations rely on staff using their home computers when suddenly working from home. This is one of the biggest risks to allowing employees to work from home and should be discouraged.
Employees’ personal computers do not have the same protections as work devices, nor the same capabilities to monitor activity. Their personal devices often lack the strong antivirus software, customized firewalls, and automatic online backup tools built into business networks. This increases the risk of malware finding its way onto devices and exfiltrating both personal and work-related information.
Mobile Devices – Many employees use their personal smartphone for work purposes. In these cases, consider using Mobile Device Management (MDM) and Mobile Application Management (MAM). These solutions can help manage and secure mobile devices and applications through the remote implementation of a number of security measures, including data encryption, malware scans, and wiping data on stolen devices. Further, consider a mobile security solution that can provide your team with antivirus and endpoint detection and response capabilities to all your mobile devices.
As remote work becomes more and more common, it is essential for all companies to put in place the necessary infrastructure as well as applicable security guidelines, plans, and policies to minimize their exposure to cybersecurity risks. The above list should give you a good idea of the areas your organization should consider when creating remote work cybersecurity guidelines.
For more information, read our guide on securing a remote workforce.