The surge in organizations transitioning their operations online to enable many if not most employees to work from home was a shift that a lot of organizations were inadequately prepared to make. Some were forced to relax their security postures to sustain operations. This article provides best practices for remote employees to help protect company data.
In recent months, we saw many traditionally structured, onsite-only organizations set up remote workforces with little advance notice. In the spirit of business continuity and connectivity, some organizations relaxed security capabilities, including patching, security tool updates, and monitoring.
With the indefinite length of the pandemic, we are still seeing cyber and IT teams continue advancing their remote workforce capabilities, yet at a more measured pace. They are now more strongly focusing on the long-term implications of company data protection and the need to secure endpoints such as laptops and mobile devices. In some cases, organizations with relatively newly established remote workforces are stepping back and evaluating their latest cyber risk postures to ensure that their employee telework practices are keeping corporate data as protected as it can be.
Unanticipated Expansion of Security Boundaries and Attack Surface
The original attack surfaces and digital boundaries that security teams were responsible for defending have transformed or, in some cases, disappeared altogether. Keeping sensitive data within the confines of secure corporate internal systems or buildings is no longer an option for some businesses to survive. Laptops and other mobile devices expand an organization’s security boundary because they are outside company systems and networks, no longer protected by multiple security layers.
Additionally, some organizations are allowing employees to work from home on personal devices, which typically lack corporate malware protection, vulnerability protection, AV, patching, and local firewalls. Employees using personal devices for work risk contamination or leaks of corporate information and PII and open their companies up to local, federal, or international privacy law violations and compliance issues.
What Security Controls?
Security controls as they originally existed onsite for corporate meetings, strategies, and more no longer exist. Some remote workers are intentionally circumventing cybersecurity while at home to meet project deadlines, such as sharing sensitive information via email instead of corporate-approved channels, further increasing an organization’s overall cyber risk.
Businesses cannot prevent their employees’ family members or other outside parties from viewing their screens, making it challenging to monitor who exactly is logging into corporate devices in a telework environment. Strong passwords and multi-factor authentication can help. See more information for a holistic approach to insider risk management here.
Increased Use of VPN Split-Tunneling Creates Another Attack Vector
Many organizations discovered after the transition to a remote workforce that they lacked adequate VPN bandwidth and licenses to support office workloads and Internet traffic. To help manage the workloads, some companies are relying on VPN split-tunneling, in which only traffic bound for corporate resources goes through the VPN while other Internet traffic leaves directly from the user's home network. This opens them up to more risk from the users’ home networks by providing nefarious cyber actors another attack vector for targeting remote workers that have this capability turned on.
How Your Remote Workforce Can Help Protect Company Data
In many cases, working from home is a privilege. Remember, security is everyone’s responsibility. In order for companies to thrive in teleworking they need to train and trust their employees to help protect company data and information.
The following actionable recommendations can help your employees protect personal and company data while working from home:
- Keep all personal and work devices up-to-date. Instill in your employees that their home network and devices are being targeted today more than ever before. It is equally important to patch and update work machines and home computers, phones, routers, WiFi, and other IoT devices. Don’t forget antivirus. This consistent behavior can help prevent or stop an attack in case of an accidental click on malware.
- Guard your WiFi. Follow best practices from your WiFi manufacturer, use a very long, complex password, and ensure that guests using your WiFi keep their devices patched and up to date. Avoid using public WiFi connections. If you must do so, use a VPN.
- Think before you click. Don’t accept emails or social media friend requests, or click on attachments, that you are not familiar with or expecting. Before clicking, hover over links and check where they lead, or manually type in the URL address.
- Power down devices when not in use. Several threats can persist in home devices that go away when the power is shut off. At least once a day, turn off all computers, routers, and any other IoT devices. Leave them powered down for at least one minute before turning them back on.
- Log out, sign out, or lock your computer when you are away. This is especially important if you are using a public computer, such as at the library or an Internet cafe; close the browser as well. It’s quick, easy, and may save your account from unwanted trespassers.
- Turn off your work VPN when not in use.
- Set up your workspace in a low traffic area. Don’t face your monitor toward windows or leave it exposed to third parties in your home. If possible, work in a private room or area of the home.
- Enable whole-disk encryption on smartphones, laptops, and tablets. This helps protect your information if one of your devices is stolen.
These are not the only actionable recommendations to help protect company data in a remote work environment. However, they serve as a starting point or a review for remote workforces to guard their personal information along with corporate data.
For more insights on managing remote workforces, see GPSG’s Best Practices for Managing Remote Teams here. Also, download the free Telework: The New Data Protection Imperative webinar here, featuring GPSG Cyber Vice President John Lister along with cyber leaders from The Emery Group and PKWare.
Contact GPSG at cyberteam@gpsg.co for a free consultation on setting up and protecting remote workforces from cyber threats.
