How to Reduce Security Risks for Remote Teams
Over the last few weeks, there’s been a major shift to work remotely as a precaution against COVID-19. Apple, Google, Amazon and Twitter are among the largest companies asking their employees to work from home, with countless other organizations around the world wisely following suit.
But having employees work remotely without proper oversight or policies in place is raising security concerns. Connecting to an unsecured home network or coffee shop’s open Wi-Fi without a VPN puts company and customer data at risk.
Folks letting employees work remotely during the outbreak: Don’t let anyone walk out of your office without properly updated security & a solid VPN. Average Americans think connecting to an unsecured home network or Wifi in a café is fine. Protect your business & customer data.❤️
— Jennifer Aldrich (@jma245) March 10, 2020
Just as risky is ignoring physical security practices when you’re working in public—leaving devices unattended and exposing your laptop screen to visual hackers are two big ones.
Perhaps the greatest risk of all is your users’ identities. Identity theft is the number one reason organizations are hacked. Generally, this is accomplished through phishing. If you take away only one thing from this article, it should be this: Enable two-factor authentication (2FA, also called MFA or multi-factor authentication) everywhere possible for your employees. If you take two things away: Teach your end users to not get phished.
According to an iPass survey, most company leadership believe that remote workers and the personal devices they use could create security risks. The survey reported that 53 percent of Chief Information Officers (CIOs) in the U.S. thought that mobile workers had been hacked in the last year. On top of that, 94 percent believe that the rise of their company’s BYOD initiatives was the cause of increased security risks, and 81 percent of CIOs reported a Wi-Fi related incident in the last year.
Use these tactics to protect remote employees from cyberattacks:
1. Create clear policies around remote work
Not everyone is an expert on cybersecurity, and people might bring their own assumptions to the table about how to stay safe online. To one person, being secure might mean just not opening email attachments from unknown senders (this is a good practice!). To another, it might mean changing passwords every few weeks (the latest NIST guidance on this is to create long, strong passwords rather than rotating them).
Sure, those things are helpful, but they’re not enough and they’re not very specific. Who’s to say that person isn’t changing their password from Password123 to Password321 and vice-versa?
There’s no way to know, and that’s why you’ve got to have clear policies in place that educate workers on what “secure” means to the company, and what’s expected of them in regards to keeping the company’s data secure.
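As an added example (not code from the article), here is a password-change check that enforces the 16+ character guidance and rejects the Password123 to Password321 style of "rotation" the text describes; the denylist and the 4-character stem threshold are assumptions for the demo.

```python
import re

MIN_LENGTH = 16  # the article's guidance: 16+ character passwords beat frequent rotation
# Constructed denylist of a few well-known weak choices; a real deployment
# would check against a breached-password corpus instead.
DENYLIST = {"password123", "password321", "qwerty123456", "letmein2020"}


def _stem(password: str) -> str:
    """Lowercase and drop digits and punctuation, leaving only the 'word' part."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with only digits, case or
    punctuation changed (Password123 -> Password321, Summer2019 -> SUMMER-2020!)."""
    old_stem, new_stem = _stem(old), _stem(new)
    if len(old_stem) < 4 or len(new_stem) < 4:
        # Too little text to compare stems (e.g. an all-digit password); fall
        # back to plain case-insensitive equality rather than a false match.
        return old.lower() == new.lower()
    return old_stem in new_stem or new_stem in old_stem


def check_password_change(old: str, new: str) -> list:
    """Evaluate a proposed password change; an empty list means it is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if new.lower() in DENYLIST:
        problems.append("on denylist")
    if is_trivial_variant(old, new):
        problems.append("trivial variant of old password")
    return problems


if __name__ == "__main__":
    for old, new in [("Password123", "Password321"),
                     ("Password123", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```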
Make it easy for people to get up to speed: Use an online security training course to get everyone on the same page about that definition of “secure.” Then share your policies—and make sure they’re written to be easily understood and super clear. The best organizations are running mandatory, live security trainings with all of their employees every quarter.
Every company will determine their own set of security guidelines, but here are a few things to consider including in yours:
- Require 2FA/MFA wherever possible, and make it mandatory on email
- Password best practices (AKA do not ever use Password123—and more importantly go for 16+ character passwords)
- Required security tools such as anti-malware/anti-virus (and that they must be kept updated at all times)
- Instructions on how to keep your screen secure when you’re working at a coffee shop, on a plane or any public place
- Turn on full disk encryption via FileVault 2 on a Mac and BitLocker on a Windows device
- A reminder to never leave your devices unattended, even for a minute
- What to do if one of your devices is ever lost or stolen
Note that all of these requirements may seem like a lot for your remote workers to remember—and they are—but a solid cloud directory service/identity management solution will automate virtually all of these types of tasks.
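As an added example (not code from the article), a small audit routine that checks a device inventory against three of the requirements above: MFA on email, anti-malware signatures kept current, and full disk encryption, reading the latter from the output of the platform's own status command (`fdesetup status` for FileVault 2, `manage-bde -status C:` for BitLocker). The 7-day signature threshold and the sample inventory are constructed for the demo.

```python
from datetime import date, timedelta

# Assumed threshold: anti-malware signatures older than this count as "not kept updated".
MAX_SIGNATURE_AGE = timedelta(days=7)


def disk_encryption_on(platform: str, status_output: str) -> bool:
    """Interpret the native status command's output: `fdesetup status` on macOS
    (FileVault 2) or `manage-bde -status C:` on Windows (BitLocker).
    Anything unrecognised counts as NOT encrypted, so a broken agent fails loudly."""
    text = " ".join(status_output.lower().split())  # collapse the tool's column padding
    if platform == "macos":
        return "filevault is on." in text
    if platform == "windows":
        # A suspended BitLocker volume still reports "Fully Encrypted", so also check
        # Protection Status, which is what actually guards a lost laptop.
        return ("conversion status: fully encrypted" in text
                and "protection status: protection on" in text)
    return False


def audit_device(device: dict, today: date) -> list:
    """Return the checklist items the device fails; an empty list means compliant."""
    failures = []
    if not device.get("mfa_on_email"):
        failures.append("2FA/MFA not enforced on email")
    updated = device.get("av_signatures_updated")
    if updated is None or today - updated > MAX_SIGNATURE_AGE:
        failures.append("anti-malware signatures out of date")
    if not disk_encryption_on(device["platform"], device["encryption_status"]):
        failures.append("full disk encryption not active")
    return failures


# Constructed sample inventory; the status strings imitate the real tools' output.
FLEET = [
    {"name": "alice-mbp", "platform": "macos", "mfa_on_email": True,
     "av_signatures_updated": date(2020, 3, 9), "encryption_status": "FileVault is On."},
    {"name": "bob-win", "platform": "windows", "mfa_on_email": False,
     "av_signatures_updated": date(2020, 2, 1),
     "encryption_status": "Volume C: [Windows]\n    Conversion Status:    Fully Encrypted\n"
                          "    Percentage Encrypted: 100.0%\n    Protection Status:    Protection Off\n"},
]


def audit_fleet(fleet, today=date(2020, 3, 10)):
    return {d["name"]: audit_device(d, today) for d in fleet}


if __name__ == "__main__":
    for name, failures in audit_fleet(FLEET).items():
        print(name, "OK" if not failures else failures)
```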
If you don’t have official guidelines or policies, don’t expect remote workers to know how to keep data secure.
2. Provide the right tools
Teaching people what “secure” means is a key first step. After that, give them the tools they need to actually be secure. Also, make sure your IT group has the IT management tools to enforce and audit that these approaches are working.
Some common tools security managers require employees to use:
- Two-factor authentication (2FA). This is an added layer of protection and helps ensure the right person is trying to gain access to an account or file. Typically, it means that after someone enters their password, they’ll receive a text message with a special code that they’ll then have to enter to gain access.
- Antivirus, anti-malware, anti-spyware, anti-phishing and anti-ransomware. All of these things should always be kept up to date—don’t ever skip a software update.
- Virtual private network (VPN). A must-have for anyone who connects to public networks. A VPN encrypts the device’s traffic and tunnels it to a trusted endpoint, so others on the same public network can’t read or tamper with it. The bottom line: Don’t ever connect to a public network without a VPN.
3. Give them a way to report security issues
Set up an email address like email@example.com where any worker can give the security team a heads up about an issue or reach out with a question. If your team uses Slack, set up a dedicated channel like #security.
Some organizations even have an easy way for employees to report phishing attempts to their IT and security teams, who often share it with vendors to collectively make spam filtering better. Remember that identity compromises are by far the number one way that organizations are hacked.
Staying on top of security
Cybercriminals aren’t retiring any time soon, but the good news is that many data breaches from the past could have been prevented. This means that many breaches in the future have the potential to be prevented, too.
Things are always changing, so review your policies often and adjust them as needed so you can stay one step ahead of cyber threats.
Did your company recently go remote? What security measures are you putting into place for your team? Tell us on Twitter.