By Bradley Wolfenden
Part 2- Top 5 Things to Keep in Mind as You Implement Remote Work Policies
It’s likely that by now you’ve either heard of or have been personally impacted by recent cancellations of major industry conferences, closed campuses, travel limitations, or remote work mandates as a result of the continued spread of the novel Coronavirus (COVID-19). All of these actions are a reflection of the Center for Disease Control’s recommendations and proactive efforts focused on lessening the spread and impact of this virus.
We’re fortunate to live in a time when enforcing remote work policies does not mean a total halt to business operations. That said, these solutions hinge on expanding the use of technology: WebEx meeting rooms for conference calls, Microsoft Teams and Slack channels for real-time chat, recorded trainings, Google’s suite of products (e.g. Drive, Hangouts) for increased collaboration, and more. As organizations across the globe increasingly ask staff to work from home, it’s important to keep in mind several best practices that will help you avoid sacrificing cyber hygiene in favor of employee productivity.
5 Tips for Maintaining Alignment between Work-from-Home and Cybersecurity Policies
#1- Remind Employees of Your Security Expectations: Employees who are accustomed to coming into the office every day need to understand that a change in their work setting brings into play policies and procedures that may not have applied to them before. Examples include the use of mobile devices, access to commonly sourced data or systems, and staying on top of patches and updates.
#2- Enforce Multi-factor Authentication (MFA): It’s easier for malicious actors to pose as a trusted user when remote work becomes commonplace than when employees are sitting next to each other in an office. MFA is a security enhancement that requires a user to present two pieces of evidence when logging in to an account (e.g. username and password, plus a code sent to your cell phone or email address, a fingerprint, etc.). Per a recent report from Microsoft published by ZDNet, 99.9% of compromised accounts Microsoft tracks every month do not use MFA. EmberSec recommends building this into every cybersecurity strategy as a best practice: it imposes a high cost on adversaries at a relatively low cost to implement.
#3- Set up a Virtual Private Network (VPN) Connection: A VPN allows remote users to securely connect to an organization’s critical applications and enterprise-wide infrastructure. Establishing a VPN connection is a strategic layer to support remote work and becomes even more important when employees work on a personal device, as doing so is essential for maintaining full end-to-end encryption. If you already have a VPN set up, make sure your company’s VPN server is robust enough to handle the increased load from many concurrent connections and the traffic they carry.
#4- Avoid Adding any Unnecessary Layers: Transitioning to an entirely remote workforce may mean introducing new products and technologies into your technology stack, such as new Software-as-a-Service (SaaS) products or new and/or different malware protection tools. Keep in mind that these resources, crucial as they often are, are also new threat vectors and create new risks to your networks.
#5- Conduct Regular Audits: While remote work policies are in effect, companies need to perform regular audits of their inventory, along with stress and security testing of the technologies their remote work relies on. A company may not know that its VPN gateway lacks sufficient upstream bandwidth until it has performed a test run of the technology. Security holes in the network configuration or on corporate laptops may not be revealed without first performing security testing. Furthermore, audits of digital assets will help maintain visibility of the company’s perimeter and minimize exposure to external threats.
Without the right tech tools, policies, and procedures in place, telecommuting could affect a company’s efficiency and hinder business results in a year where experts are already projecting a slowdown in economic growth.
“Remote work enablement requires upfront coordination between IT, Security, HR, and Business Operations to ensure a successful program. Relying on security training and awareness programs to drive ‘cyber smart’ behavior not only at work but also at home (modern firewalls/routers, using strong passwords, patching, etc.) will also go a long way in keeping employees and your organization secure.”
- Gerald Beuchelt, CISO, LogMeIn
Technological solutions are lifesavers in situations like this, but it can be easy to forget the basics in the rush to move quickly. The scramble to set up remote workstations for employees must not come at the expense of safe cybersecurity practices, and clear expectations and guidelines must be set for how your organization expects its employees to operate under new remote conditions.