As Companies Switch to Permanent Remote Work, How Can They Adjust Their Cybersecurity Policies?

As American states begin lifting lockdown orders in anticipation of the end of the SARS-CoV-2 pandemic, some companies have allowed employees to permanently work from home. How will this change affect cybersecurity policy and outcomes? What response is necessary to protect company assets? With a recent jump in phishing and malware activity, it’s important to know how to maintain integrity while you or others work from home. In this article we will outline some cybersecurity tips for remote work to ensure your employees and company data remain secure.

Some organizations responded to lockdown orders early, instructing employees to take home laptops and other portable devices. If this was the case in your organization, you may already be protected by security measures in use on company computers, like virus scanning, network monitoring, encryption, password protection, and multifactor authentication. But with employees no longer receiving direct supervision to inspect for policy compliance, and many having to use personal computers, new strategy is necessary.

Attackers may be tempted to target company offices now that they have fewer personnel inside. Homes may also be tempting targets as they often lack the physical security measures of office buildings. Here are some cybersecurity tips for remote work to consider when protecting your organization, its data, your employees, and their homes.

Physical Security

The ever-helpful Lockpicking Lawyer has made a career of showcasing how easy it is for talented criminals to defeat improperly designed locks. Organizations should avoid storing sensitive data in employee’s homes whenever possible. Individuals required to access or retain sensitive data at home should retake relevant security trainings, investigate the strength of their current home security features, and use an alarm system with automatic 911 dialing.

All employees should take precaution not to reveal to friends or strangers whether or not they have brought company property home. They shouldn’t disclose their home address to untrusted parties or discuss their location or work activities over unsecured Internet connections. While it may seem unlikely that decentralizing data into employee’s homes would make it any easier for hackers to find, experienced criminals already know how easy it is to break into a house or apartment with improper physical security.

While attacks on high-profile data centers may seem rare and extreme, anyone capable of tactically precise attacks such as these could easily break into your home just as common criminals can. Unexpected breaches due to forces of nature also happen. Even a deer can break in! But hackers don’t need physical access to your home to steal your data if your network security or Internet hygiene is poor.

Can you spot what’s wrong with this picture? Don’t trust yourself alone to assess your physical security. Ask an expert!

Network Security

If you watch YouTube with a free account, you have likely been bombarded with ads for virtual private network (VPN) and tunneling services such as NordVPN or ExpressVPN. While some VPN providers tend to oversell the importance and relevant benefits to general audiences, the value of VPN services for business cannot be understated. In business environments, a VPN server inside the company offers encrypted connections to the company’s other servers so employees can access files from home without revealing secrets to an interceptor.

General-purpose VPNs make it possible for almost anyone to encrypt and partially anonymize their Internet activity. However, using VPN doesn’t make you invincible. Spyware on personal computers can still record an employee’s keystrokes, screen, or webcam feed, and transmit stored data that was meant to be kept private. Frequent virus scans and good Internet hygiene are an essential complement to network security.

Vigilant Internet Hygiene

Forbes’ recent summary of the Global Cyber Center conference on remote security has some great tips, including how to avoid phishing scams and recognize a breach. We have a few more tips to add that are especially relevant to Internet hygiene while working remotely, which you may want to incorporate into your security strategy.

1. Stay out of Starbucks! You should never connect your business computer to unprotected Wi-Fi, nor should you allow prying eyes to see what’s on your screen. The best way to keep your company computer and data secure is to use your work computer for work only, never personal use. Keep your work computer at home, and if you must use a computer while traveling, only connect to secure Wi-Fi, use VPN to encrypt your network traffic, and be mindful of who can see your screen.
2. Use a password manager. Services such as Dashlane and LastPass facilitate multiple user access to shared accounts, without the need to explicitly share passwords between users. They create stronger passwords than most humans use. Fear not, you don’t need to remember the random passwords the manager generates. You only need to authenticate your identity to the password manager, then it logs you in securely.
3. Completely shut down your computer at the end of each day. Leaving it running unsupervised only increases the chance of intrusion during a break-in or by covert remote desktop control. Restarting or starting up from a cold stop also applies updates to your operating system and installed applications, reducing the risk of a security breach.
4. Issue laptops or other devices to employees without a work computer as soon as possible. Maintaining administrative access to work computers ensures that virus scanning and firewalls remain in place, and makes it easier for organizations to authenticate access to company servers such as a VPN server. Employees still needing to use personal computers for work should realize they may need to modify their online behavior to secure their devices. IT leaders may use some of the same rules applicable to 3rd-party vendors when considering how to incorporate personal computers into their security plan. These articles by Sue Poremba, Alex Laws, Gregory Mooney, and Mirko Zorz contain great information about incorporating vendors and personal devices into your organization’s security plan.

File-sharing and Collaborative Workspaces

Internet services like Google Drive and Microsoft OneDrive make it easier to share files and maintain document history. They have seen a new surge in popularity as employees learn to work from home. However, many file-sharing and real-time collaborative workspaces present some unique risks, ranging from obvious to subtle.

Sending files to the wrong person is a common mistake. Employees can also be tricked or coerced into giving file access to a hostile agent. Employees should carefully read each step in the process of adding new user permissions before clicking “accept” or “OK.”

A more subtle mistake made by both new and experienced users of real-time collaborative workspaces is the dreaded copy-paste-save error. Google Drive documents record every keystroke that users make and apply the changes to the file in the cloud. If an employee types or pastes sensitive data into a Google Drive document, and the document saves before the data is removed, it may no longer be visible, but it isn’t really gone. Just as you would never store a password in plain text, you should never type passwords or other sensitive data into Google Drive or similar products.

While Google Drive, iCloud, and other filehost services promise security, we know that historically, they are not impenetrable. Sensitive documents should be created and stored according to your organization’s policy and protected with encryption. These documents should be backed up to encrypted storage and securely transmitted to separate locations in case one copy is destroyed. Some large companies use comprehensive business solutions for these tasks, such as Carbonite, IDrive, or Spectrum Protect. Before selecting a paid service, you should ask an associate how their service complies with applicable data privacy laws, such as HIPAA or CCPA. If you are unsure how to send files securely in your organization, ask your IT or security professionals for help.

In addition to these cybersecurity tips for remote work, it’s important to maintain effective communication and transparency with your remote team. Encourage them to report any issues or suspicious activity. If your company still needs to update security policies using the information provided in this article, address a single issue at a time. When updating your policies and procedures, be sure to keep in mind how remote employees can still maintain work productivity while also following security protocols. If you put in place overly restrictive policies, employees are more likely to find a workaround that can put their company at risk for cyber attacks. If you find a balance between efficiency and security, your remote workforce can remain productive and secure.

Do you want to learn more about cybersecurity? Please subscribe to our newsletter.