Remote work and security


What is worth considering when delegating employees to work remotely?

Due to the COVID-19 pandemic, many companies are sending employees to work remotely. Unfortunately, organizations that have never considered such a move before do not yet have adequate rules governing this mode of operation. Worse, it is difficult to draft such rules on short notice. Let’s try to figure out what to focus your attention on to minimize the risk.

At first glance, the only difference for office workers is the lack of contact with colleagues. In fact, the matter is much more complex, involving communication channels, fixed procedures, the use of collaboration tools, equipment, and access to that equipment.

Communication channels

When employees work in offices connected to the local network, security solutions watch over the data exchanged. However, when employees work from home, they use their own internet connection. We know nothing about how it is delivered, and we have no control over the security measures used. In some cases, not only your employee but also a potential attacker may be using that home connection. In short, it’s better not to share company secrets through these communication channels.

Solution: If your employees need to connect to corporate resources remotely, make sure they use a reliable VPN solution that creates a secure communication channel between workstations and corporate infrastructure, and protects corporate data against external threats. Block access to corporate resources from external networks if the user is not using a virtual private network.

Fixed procedures

Remote workers are unable to discuss work-related issues with each other in person, which leads to an increase in correspondence, including with new participants (people who usually communicated in person). In short, when employees are not all present in the office, the communication process changes a lot. This situation theoretically gives the attacker more options, especially when it comes to BEC attacks. Among many business e-mails, one phishing message can pass unnoticed: in such circumstances, a fraudulent message asking for your details will not arouse suspicion. Moreover, at home, many people may be less focused and therefore less alert.

Solution: First, even when working from home, use only work e-mail. This will make it easier to spot a cybercriminal trying to impersonate an employee using an account in a different domain. Second, mail servers must be protected by technologies that can detect attempts to change the sender of the message. Our solutions for both mail servers and Microsoft Office 365 services provide such technologies. And third, educate workers about cyber threats before sending them home.
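The sender checks described above, sketched as an added example (it is not part of the original article and not any vendor's product code). The corporate domain example.com, the staff names and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                   # assumed corporate mail domain
EMPLOYEES = {"alice nowak", "jan kowalski"}   # constructed staff display names

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw):
    """Return the reasons a raw message looks like employee impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    findings = []
    # A colleague's name on an address outside the work domain.
    if name.strip().lower() in EMPLOYEES and from_dom != CORP_DOMAIN:
        findings.append("employee display name from external domain")
    # Replies silently redirected to a different domain.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    # Work domain in From, but the receiving server recorded no DMARC pass.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if from_dom == CORP_DOMAIN and "dmarc=pass" not in auth:
        findings.append("corporate From domain without DMARC pass")
    return findings

# Constructed sample messages (not real mail).
LEGIT = ("From: Alice Nowak <alice.nowak@example.com>\n"
         "Authentication-Results: mx.example.com; dmarc=pass\n"
         "Subject: Q2 report\n\nSee attached.\n")
SPOOF_NAME = ("From: Alice Nowak <alice.nowak@mail-example.net>\n"
              "Reply-To: payments@other.example.org\n"
              "Subject: Urgent invoice\n\nPlease pay today.\n")
SPOOF_DOMAIN = ("From: Jan Kowalski <jan.kowalski@example.com>\n"
                "Authentication-Results: mx.example.com; dmarc=fail\n"
                "Subject: Password reset\n\nSend me your details.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("name", SPOOF_NAME),
                       ("domain", SPOOF_DOMAIN)]:
        print(label, check_sender(raw))
```

The Authentication-Results header is only trustworthy when it was added by your own receiving mail server; copies of that header arriving from outside should be stripped at the gateway before a check like this runs.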

Collaboration tools

After losing personal contact, employees may seek other methods of cooperation. Some of these tools have many disadvantages and must be properly configured. For example, if a document in Google Docs has misconfigured access permissions, it may be indexed by a search engine and become a source of corporate data leaks. The same thing can happen with data in cloud storage. Additionally, if the wrong person is added to a collaborative environment like Slack, they can access all of your file history and messages.

Solution: Of course, it’s best to choose a collaboration environment that provides the appropriate level of security and feature set. Ideally, registration should require a corporate email address. Moreover, it is a good idea to appoint an administrator to grant and revoke permissions. But most importantly, before sending employees to work from home, arrange a meeting (it could be a remote session) to raise awareness of cyber hygiene and instruct participants to use only the company’s collaboration system (or one approved by you). It also doesn’t hurt to repeat that they are responsible for keeping company secrets safe.

Equipment

In general, not all employees have access to corporate laptops, and cell phones are not suitable for all tasks. Consequently, employees may try to use their home computers. For companies that do not allow the use of personal devices for work, this can be a serious threat.

Solution: First, if employees have to work from home, provide them with company laptops and phones, if possible. Of course, these devices must be protected with appropriate security solutions and provide the ability to remotely remove corporate information, separate personal and corporate data, and limit application installation. Set them up to automatically check for the latest critical software and operating system updates.

If for some reason your employees need to use personal devices, introduce rules for using them, for example creating separate partitions for business and personal data. In addition, make sure that all employees install anti-virus software (even free software) on their home devices. Ideally, these devices should only connect to corporate networks if they have a security solution installed and the operating system is up to date.

Access to equipment

You can never be sure where and with whom your employees live, and therefore who might accidentally gain access to your data. In addition, they can take the device, for example, to a cafe, where the risk of leakage is much greater.

Solution: Most of these problems can be resolved by implementing security policies to regulate the use of passwords and automatic screen locking. As with other cybersecurity issues, in particular when it comes to working remotely, organizing awareness training should help to maintain overall vigilance.