As workplaces transition to an environment where working from home is more commonplace, many businesses are confronting the reality of a shift in the needs of information security. Where previously you were primarily concerned with securing a network and devices totally under your control, you now face a whole host of potential vulnerabilities.
Small businesses are particularly vulnerable because they may lack a large IT staff familiar with the challenges of managing a remote workforce. In this article, we'll discuss some security practices that will help you secure your sensitive information no matter your business’s size.
The Weakest Link in the Chain
Your sensitive data is only as secure as the weakest point in your security controls. Whether you are dealing with healthcare information, proprietary product specs, or customer payment details, unauthorized access can spell disaster both financially and in the court of public opinion. Unfortunately, the most significant weakness will almost always be your employees.
No amount of expensive software will ever combat employees who are unaware of remote work security best practices. Training your employees in these best practices should be your greatest priority, up to and including the C-suite. Phishing, spear phishing, and whaling attacks are much more challenging to execute on an aware victim.
Productivity concerns are also notable when it comes to a remote workforce. Training your employees on some remote work best practices will also be beneficial as adjusting to a new working environment.
The decision to provide company-owned devices for remote work is an executive decision with many factors. Cost may be prohibitive; however, the potential for a security incident is exponentially higher on a device that you don't own and don't have as much control over. Known vulnerabilities in unpatched operating systems can be exploited, subsequently compromising your entire operation.
Even if you provide company-owned computers and mobile devices, follow these tips to ensure they are as secure as possible:
- Regularly update the devices and apply any available patches.
- Eliminate de minimis use policies. Even minor personal use can lead to a device being compromised.
- Do not allow the devices to connect to a public network. If mobile use is necessary, consider providing a wireless hotspot to connect to a company-issued mobile device.
- Require employees to maintain up-to-date routers using WPA2 encryption. Remote access to the device by your IT personnel can confirm that the home network is appropriately conforming to company policy.
- Monitor usage to ensure compliance with company policy.
- Enable full-disk encryption and remote wipe capabilities. This should also include device tracking.
We briefly touched upon public WiFi avoidance and home routers above, and there are important reasons why those are two critical components of a successful remote work policy. A compromised device accessing a secure network defeats the security controls of that network. If the device is a secure, company-owned, and adequately maintained machine but accesses a secure network through compromised means, the result is the same as a compromised device. Unsecured and poorly secured home networks leave you vulnerable to man-in-the-middle and other similar attacks.
It's not feasible to have your IT personnel visit every remote worker’s home, but allowing them remote access to any device used for remote work can accomplish the same goals. You can verify that your remote workers using personal devices have appropriate antivirus installed, and you can also confirm that their home network is set up using modern equipment, default passwords have been changed, and WPA2 security is in use.
Office 365 and G-suite are two software as a service (SaaS) options that allow you the ability to host, work on, and store documents, email, and projects without having to download them to individual machines. SaaS increases security in that your remote workers are not downloading and then uploading anything as they are working on it; however, it is not by any means the only source of security that you should rely on.
Infrastructure as a service (IaaS) also provides flexibility as you adjust to a more remote environment. Instead of having to purchase and then configure all the necessary servers and other infrastructure to support remote work, services like Microsoft Azure and Amazon Web Service allow you to stand up email servers, databases, virtual machines, or several other items that are infinitely more scalable through IaaS providers.
Remote Desktop Protocol
While Remote Desktop Protocol (RDP) is useful for connecting your employees to their work computers when they're working from home, it is also a security risk. Known vulnerabilities in older Windows RDP functionality leave almost 1 million computers open to security risks.
Implementing network-level authentication and installing available patches on older systems mitigate some of that risk. Removing the Administrator group from Remote Desktop Services and only adding new users through the System control panel adds another layer of security. You can take two additional steps to secure remote access methods using a Virtual Private Network (VPN) and multi-factor authentication.
Not All VPNs Are the Same
VPNs provide a secure, encrypted tunnel through which your remote workers can connect to either your network or a remote desktop. To maintain adequate speed and reliable connectivity, it is essential to select a VPN provider with enough servers available to manage their traffic. It's also critical to remind your employees that merely using a VPN doesn't make using public WiFi or another unsecured network safe.
Weak passwords, passwords compromised in earlier data breaches, targeted spear-phishing attacks, and social engineering can result in unauthorized access to even the most secure network. Here are several passwords protection methods you can implement for better security:
- Require strong passwords. Long passwords with unique characters and numbers are more difficult to guess or brute force.
- Enable multi-factor authentication. Require employees to verify their identity through secondary means, preferably through an authenticator application and not a text message.
- Use a password manager. Directing your employees to place their passwords within a password manager or password vault lessens the chances that their passwords will be compromised even if a cybercriminal gains access to their device. Some options are LastPass, 1Password, Bitwarden, or Keeper, and many applications allow biometric security even further to secure the vault contents.
Remote work security best practices are continually evolving, just as cybercrime and corporate espionage tactics are. Small businesses are facing a unique set of circumstances, and they are doing so with limited resources. Get more news and tips to help your small business grow on our newsletter signup page.