To get the “best of both worlds”, allowing employees to work remotely while reducing the risks already mentioned, let us look at what can be done to mitigate them:
1. Web Security Protection
Organizations should consider deploying security solutions that feature strong web security protection on employee endpoints, along with technologies capable of preventing network vulnerabilities from being exploited. Phishing scams and fraudulent websites have soared as attackers attempt to capitalize on employee curiosity and negligence. That’s why organizations need strong anti-phishing and network attack defense technologies that can accurately detect and block such threats from preying on employees who work from home.
2. Work from Home Policy
Having a defined “Remote,” “Work From Home” or “Teleworking” policy is a must if your company plans on permitting staff to work from locations outside of the office. This can help reduce the inherent risks of working remotely by establishing a set of procedures that employees must follow in order to work from home. This policy should include additional information security policies to outline all employees’ responsibilities when it comes to the InfoSec program.
Some examples of procedures that need to be included in your remote working policy include:
- Process for approving remote workers
- Defined responsibilities for employees
- Outline what users must do to secure their remote workspaces
- Outline workstation or device hardening steps (this can be a separate policy or reference another policy)
- Ensure encryption is used for all data that is stored and in transit
- Mandate use of a VPN for remote workers
- Outline the procedure for reporting an incident should one occur
While having a policy will help reduce the risks, the policy also needs to remain up to date, and your Information Technology team or an information security expert should provide input whenever it is created or updated. Any policy involving information technology or data privacy should also involve someone who understands the subject matter. Again, information security policies are NOT static documents. As threats change and new technologies emerge, the policies need to be updated to remain current.
3. Offering the Right Tools
Having a policy in place will let employees know what they need to do and how to do it, but providing them with the right tools will also reduce the risks of working remotely. These tools may vary depending on the company and the roles of its employees. The following are examples of some tools that have been referenced in Remote Working policies:
- A VPN will ensure that network traffic is encrypted, even on a public network such as the one at a coffee shop. This is also recommended in a home office if the home network is shared with others (family, friends, guests).
- Built-in encryption from Apple (FileVault) and Microsoft (BitLocker) makes it much more difficult for data to be pulled off the device should the hard drive be lost or the device stolen.
- Password managers will help users store their passwords and generate secure ones. They help reduce the risk of employees using the same password for all services.
- Built-in firewalls from Apple and Microsoft can be enabled on any of their devices. They help block inbound or outbound requests that could be malicious.
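Controls such as disk encryption and the host firewall can be verified on the device rather than assumed. The Python sketch below is an added example, not part of the original article: it checks FileVault/BitLocker and the built-in firewalls through the vendors' own status commands, and the function names, the English-language output parsing and the C: system drive are assumptions of this example.

```python
import platform
import re
import subprocess

def matches(pattern):
    return lambda text: re.search(pattern, text) is not None

def all_profiles_on(text):
    """True only if every Windows firewall profile reports State ON."""
    states = re.findall(r"^State\s+(\S+)", text, re.MULTILINE)
    return bool(states) and all(s.upper() == "ON" for s in states)

# Vendor status commands (most need admin rights) paired with a parser.
# Assumption: English-language output, system drive C: on Windows.
CHECKS = {
    "Darwin": {
        "disk_encryption": (["fdesetup", "status"], matches(r"FileVault is On")),
        "firewall": (["/usr/libexec/ApplicationFirewall/socketfilterfw",
                      "--getglobalstate"], matches(r"Firewall is enabled")),
    },
    "Windows": {
        "disk_encryption": (["manage-bde", "-status", "C:"],
                            matches(r"Protection Status:\s+Protection On")),
        "firewall": (["netsh", "advfirewall", "show", "allprofiles", "state"],
                     all_profiles_on),
    },
}

def evaluate(system, outputs):
    """Return controls NOT confirmed enabled; missing output fails closed."""
    checks = CHECKS.get(system)
    if checks is None:
        return ["unsupported_os"]
    return sorted(name for name, (_cmd, ok) in checks.items()
                  if not ok(outputs.get(name, "")))

def collect(system):
    """Run each status command locally and capture its stdout."""
    outputs = {}
    for name, (cmd, _ok) in CHECKS.get(system, {}).items():
        try:
            outputs[name] = subprocess.run(cmd, capture_output=True, text=True,
                                           timeout=30).stdout
        except (OSError, subprocess.TimeoutExpired):
            outputs[name] = ""  # tool missing or hung: counts as a failure
    return outputs

if __name__ == "__main__":
    system = platform.system()
    print(system, "failing controls:", evaluate(system, collect(system)))
```

VPN use and password-manager adoption are not covered by this check; a device that cannot prove a control is enabled is reported as failing it.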
4. Training and Best Practices
Having a policy and supporting it with the right tools is important, but educating and training employees on best practices will help to explain and outline why they need to follow the policy and use the tools. Many companies offer some form of Security Awareness Training. However, this training is usually done only once a year and can quickly become outdated. Consider having monthly or quarterly training sessions to keep your employees informed and educated on threats and their responsibilities when it comes to your company’s information security program and working remotely.
Employees working from home must be provided with basic security advice: to beware of phishing emails, to avoid use of public Wi-Fi, to ensure home Wi-Fi routers are sufficiently secured and to verify the security of the devices that they use to get work done. It is likely that attempts to subvert security using phishing attacks will increase at this time.
Employees should be reminded to avoid clicking links in emails from people they do not know, and installation of third-party apps should be confined to bona fide app stores, even on personal devices. Along with basic security guidance, employees need to know who to contact in the event they detect a security threat.