Security teams have faced a great challenge during the COVID-19 pandemic: they have had to keep work going securely at a time when the network perimeter has been obliterated. While it is a unique challenge, there are steps security teams can take to lock down remote workers. Here are some tips based on our work over the past 10 months.
1. Distribute a work-from-home policy.
Start by developing a work-from-home policy that addresses the unique needs of remote workers. The policy may spell out security requirements directly or reference complementary policies such as a dedicated data loss prevention policy. These policies typically cover the following:
- Data handling procedures, such as the classifications of data remote workers are allowed to access and how company files should be stored and transmitted.
- Personal device policies that specify the minimum security requirements for personal devices, and the level of restriction applied to a personal device versus a work device.
- Computer monitoring disclosures that notify remote employees of the computer activity being tracked, how that data gets used, and who will have access to their activity data.
- Home office security requirements, such as whether they must use a work-exclusive internet connection, clean desk rules, and whether they must work from a private workspace.
2. Restrict the use of personal devices.
While it is convenient to let remote employees use personal devices for work, it is a significant risk from a security perspective. By giving remote workers company-owned devices, organizations can establish critical security controls, such as monitoring computer activity, limiting admin permissions, applying web filtering policies, and restricting how applications are downloaded and used on the device. Naturally, employees will object if the company wants to put this type of control on their personal devices. There is another option. In a hybrid approach, security teams can implement a conditional access policy that lets workers do low-risk tasks on personal devices while restricting corporate applications that handle financial data or sensitive personal medical information to managed, compliant devices. For the policy to hold, the device check must be enforced where the application is reached (at the identity provider or access gateway) rather than by a client-side agent that a personal device may not carry, and any application that has not been explicitly classified should default to the restricted tier. This approach works well for organizations that want employees to be able to work remotely without investing in company-provided devices for everyone.
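The hybrid approach above expressed as a small policy evaluator, as an added example that is not CurrentWare's code or a vendor's conditional access format. The application catalogue, the tier names, the device attributes and the sample requests are assumptions; the point it shows beyond the paragraph is the fail-closed default for unclassified applications and the distinction between a personal device and a company device that has fallen out of compliance.

```python
"""Added example, not CurrentWare's code: a minimal conditional access
evaluator implementing the hybrid approach described above. The application
catalogue, the tier names and the sample requests are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Tier(Enum):
    LOW = "low"            # e.g. intranet news, room booking
    STANDARD = "standard"  # e.g. mail, chat, shared documents
    HIGH = "high"          # e.g. finance, HR and medical records


# Assumed application catalogue. Anything missing from it is treated as HIGH
# so that a forgotten entry can never widen access (fail closed).
APP_TIER: Dict[str, Tier] = {
    "intranet": Tier.LOW,
    "mail": Tier.STANDARD,
    "finance": Tier.HIGH,
    "hr-records": Tier.HIGH,
}


@dataclass(frozen=True)
class Device:
    company_owned: bool  # enrolled corporate asset
    compliant: bool      # MDM reports encryption, patch level, no local admin, etc.


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    device: Device
    mfa_passed: bool


def decide(req: Request) -> str:
    """Return 'allow', 'allow-limited' or a 'deny: <reason>' string.

    Policy (assumed):
      - MFA is required for every application.
      - HIGH tier: only company-owned devices that are currently compliant.
      - STANDARD tier: compliant company devices get full access; anything
        else gets a browser-only session with download/sync disabled
        ('allow-limited').
      - LOW tier: any device that passed MFA.
    """
    tier = APP_TIER.get(req.app, Tier.HIGH)
    managed = req.device.company_owned and req.device.compliant

    if not req.mfa_passed:
        return "deny: mfa required"
    if tier is Tier.HIGH:
        if managed:
            return "allow"
        if req.device.company_owned:
            return "deny: company device out of compliance"
        return "deny: sensitive application requires a compliant company device"
    if tier is Tier.STANDARD and not managed:
        return "allow-limited"
    return "allow"


def evaluate_all(requests: List[Request]) -> Dict[str, str]:
    """Evaluate a batch and key the decisions by 'user/app' for reporting."""
    return {f"{r.user}/{r.app}": decide(r) for r in requests}


if __name__ == "__main__":
    personal = Device(company_owned=False, compliant=False)
    corporate = Device(company_owned=True, compliant=True)
    stale = Device(company_owned=True, compliant=False)  # e.g. missed a patch deadline
    sample = [
        Request("alice", "intranet", personal, mfa_passed=True),
        Request("alice", "mail", personal, mfa_passed=True),
        Request("alice", "finance", personal, mfa_passed=True),
        Request("bob", "finance", corporate, mfa_passed=True),
        Request("erin", "finance", stale, mfa_passed=True),
        Request("carol", "new-erp", corporate, mfa_passed=True),  # not in catalogue
        Request("dave", "intranet", corporate, mfa_passed=False),
    ]
    for key, verdict in evaluate_all(sample).items():
        print(f"{key:22} -> {verdict}")
```

Run as-is to see each verdict. In a real deployment the `Device` attributes come from the MDM or identity provider at sign-in time, which is what makes the decision hard for the user to bypass; a personal device never reaches the 'allow' branch for a HIGH application no matter what it claims about itself.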
3. Offer remote employees cybersecurity training.
No amount of technology will entirely address what is fundamentally a human problem. To properly secure a remote workforce, organizations need to offer employees ongoing security awareness training relevant to their role. Attackers will do all they can to exploit weaknesses, and the rapid shift to remote work caused by COVID-19 serves as a case in point. Particularly persistent groups have used social engineering tactics such as vishing (voice phishing) to bypass MFA and gain access to corporate VPNs: the caller impersonates IT support, steers the employee to a look-alike VPN login page, and uses the captured password and one-time code before the code expires. Training should make clear that the help desk will never ask for a password or MFA code, and that MFA prompts the employee did not initiate are to be reported rather than approved. These weaknesses are more manageable when employees are equipped with adequate policies, training, and procedures.
4. Keep mobile employees away from public Wi-Fi.
Employees who work from home may want a change of scenery and work in public spaces. The free Wi-Fi offered by hotels, airports, and coffee shops is a convenient temptation for remote employees. The widespread adoption of HTTPS has made public Wi-Fi safer than in the past, but there are still risks. Attacker-owned access points (often called evil twins) can broadcast the SSIDs of nearby legitimate networks; once an employee connects, the attacker can inspect whatever is still unencrypted, such as DNS lookups, redirect the browser, or present a fake captive portal or login screen that captures credentials. Beyond that, public hotspots are not controlled by the organization, so there is no way to verify or enforce their security. A corporate VPN reduces these risks, but only if it is always on and blocks traffic while the tunnel is down, and employees should be told never to click through a certificate warning to reach a login page. A private internet connection is still the better option. Mobile employees can create their own password-protected Wi-Fi hotspot from a smartphone data plan, though some carriers throttle speeds and cap data usage. Where employees travel regularly, security teams should issue a dedicated mobile router with a suitable data plan for business purposes.
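The evil-twin and open-hotspot risks above, as an added example that is not part of the article: a triage routine run over a constructed Wi-Fi scan. The scan records, BSSIDs, security labels and the trusted-network list are all made up for illustration; a real deployment would feed it the output of the platform's scanner. It flags a trusted SSID that appears from an unknown BSSID or with a different security type, SSIDs seen with more than one security type, and any open network, and it shows that the impersonating access point is the one with the strongest signal.

```python
"""Added example, not from the article: triage of a Wi-Fi scan for the
evil-twin and open-hotspot risks described above. The scan records, BSSIDs
and the trusted-network list are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Networks the organisation has issued or approved, keyed by SSID. For a
# company-issued hotspot the BSSID and security type are known in advance.
TRUSTED = {
    "CorpHotspot-42": {"security": "WPA2-PSK", "bssids": {"aa:bb:cc:11:22:33"}},
}

# Constructed scan results in the shape a scanner wrapper might return.
# The second entry is an evil twin: same SSID as the company hotspot, open
# authentication, and a stronger signal than the real one.
SCAN = [
    {"ssid": "CorpHotspot-42", "bssid": "aa:bb:cc:11:22:33", "security": "WPA2-PSK", "signal": -45},
    {"ssid": "CorpHotspot-42", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "signal": -38},
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:33:44:55", "security": "OPEN", "signal": -60},
    {"ssid": "Hotel_Guest", "bssid": "66:77:88:99:aa:bb", "security": "WPA2-PSK", "signal": -70},
    {"ssid": "Hotel_Guest", "bssid": "66:77:88:99:aa:bc", "security": "OPEN", "signal": -50},
]

Finding = Tuple[str, str, str]  # (ssid, bssid, reason)


def triage(scan: List[dict], trusted: dict) -> List[Finding]:
    """Return one finding per (network, reason) that a user should be warned about."""
    findings: List[Finding] = []

    # Collect every security type seen per SSID; a legitimate network is
    # normally consistent, so a mix points at a rogue copy.
    securities: Dict[str, Set[str]] = defaultdict(set)
    for net in scan:
        securities[net["ssid"]].add(net["security"])

    for net in scan:
        ssid, bssid, sec = net["ssid"], net["bssid"], net["security"]
        if ssid in trusted:
            expected = trusted[ssid]
            if bssid not in expected["bssids"] or sec != expected["security"]:
                findings.append((ssid, bssid, "impersonates-trusted"))
            continue  # exact trusted match: nothing to report
        if len(securities[ssid]) > 1:
            findings.append((ssid, bssid, "mixed-security"))
        if sec == "OPEN":
            findings.append((ssid, bssid, "open-network"))
    return findings


def joinable(scan: List[dict], trusted: dict) -> List[str]:
    """BSSIDs that exactly match a trusted SSID, security type and BSSID."""
    return [
        n["bssid"] for n in scan
        if n["ssid"] in trusted
        and n["bssid"] in trusted[n["ssid"]]["bssids"]
        and n["security"] == trusted[n["ssid"]]["security"]
    ]


def strongest(scan: List[dict], ssid: str) -> str:
    """BSSID with the best signal for an SSID: what a client would tend to pick."""
    return max((n for n in scan if n["ssid"] == ssid), key=lambda n: n["signal"])["bssid"]


if __name__ == "__main__":
    for ssid, bssid, reason in triage(SCAN, TRUSTED):
        print(f"{reason:22} {ssid:20} {bssid}")
    print("safe to join:", joinable(SCAN, TRUSTED))
    print("strongest CorpHotspot-42:", strongest(SCAN, "CorpHotspot-42"))
```

The check is deliberately pessimistic: a trusted SSID is only joinable when SSID, BSSID and security type all match, because SSID alone is attacker-controlled. The `strongest` helper makes the practical point that, left to itself, a client drawn to the best signal lands on the impersonating access point.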
For optimal security, companies must set clear policies and give staff dedicated cybersecurity training, company-owned devices, and a secure internet connection. With these in place an organization will greatly improve its security posture and make work-from-home a viable option. As companies move into 2021 and bring some people back to the office, what we have all learned about managing remote work during the pandemic will come in handy once life returns to normal.
Neel Lukka, managing director, CurrentWare