Remote work and the security issues that accompany it present a unique challenge for businesses. Prior to allowing employees to work from home, businesses need to review their current policies to determine if there are any preset security guidelines for remote work.
If policies exist, they should be reviewed to ensure that they address all of the issues identified below. If no policies exist, it is important to set standards, expectations, and processes for all employees. At a minimum, these policies need to provide guidelines on how to remotely access company information or company systems and on how employees may use personal devices for company business.
One of the easiest ways a business can protect itself is to limit those who have access to sensitive information. By limiting access, a business limits the number of opportunities presented to cybercriminals. Start by determining who needs to access the business's entire internal network and who needs access to certain programs.
A business can further limit those who can take sensitive information with them by limiting employees' ability to store, copy, or download data, whether directly on the device or onto an external device (such as a USB drive) when working remotely.
Authentication is as important as limiting access. Authentication is the process by which a company verifies that the people accessing its systems really are its employees and not others pretending to be them.
By requiring users to go through several steps to verify their identity, a company can reduce the risk of exploitation without impacting productivity or involving IT. With the continued increase in phishing attacks, all businesses should require their employees to go through a multi-factor authentication process in order to access sensitive information.
In addition to remote work security policies, businesses need to focus on network security, at the office and at employees' homes. Savvy criminals know there are many ways to access information and they will seek out the weakest points to attack.
It is important to make sure that all of the equipment and methods used to access sensitive information are secure. Businesses should review every part of the access process, from deciding whether or not to use VPNs or remote desktops, to having current antivirus software on all devices (both personal and company-provided), to confirming that the passwords on employees' home routers are strong. Here are a few general tips:
• Provide cybersecurity awareness training and make sure that all employees know who to contact to report security incidents and who to contact for technical issues.
• Avoid public Wi-Fi; use personal hot spots or encrypt your web connection.
• Designate which devices (company-owned vs. employee-owned) can be used for which kinds of business activity and who is authorized to use these devices (only the employee).
• Require employees to encrypt or use secure third-party services to exchange sensitive data.
• Prohibit the use of unsecured personal external drives.
• Require employees to use strong passwords and to update them frequently. Require different passwords for different systems.
• Remind employees to be alert against phishing tactics, including emails from unknown sources or those requesting credentials or other sensitive information. Warn against opening file attachments or clicking on links.