The COVID-19 pandemic gave businesses an opportunity to realize the efficiencies of remote workplaces and of allowing employees to work from home. Employees benefited from the flexibility, the absence of a commute, and greater freedom in where they live. Meanwhile, employers are exploring the savings in office rent and associated expenses, and the benefit of being able to find talent beyond traditional geographic limits.
So, working from home—in varying degrees—appears to be part of a new reality that will continue long after the pandemic has passed. From a security standpoint, this means that all organizations need to sharpen their focus on keeping their workers—and backend infrastructure—secure.
Last month I wrote Seven Steps to Staying Secure While Working from Home, as a guide to employees working without the conventional protections of on-premises firewalls, security monitoring, and IT staff ready to stop by to help.
This month I would like to cover similar territory, but from the perspective of the employer. Addressing security for remote workers should be treated as mission critical by every employer, yet it is too often overlooked. Employers can’t assume that their employees are working securely, or that the backend systems those employees connect to will remain safe on their own. Commitment to security must begin at the very top of the organization so that controls are in place, and enforced, all the way across it.
Here are seven steps employers can take to help ensure security is maintained, even when employees are working from home:
1. Create an Official Tech Toolbox—and Require Its Use.
It isn’t fair to employees to leave them fending for themselves when it comes to security. Work with your IT group to identify the anti-virus tools, virtual private network (VPN) client, disk encryption, two-factor authentication, host firewall, and other resources that will strengthen and maintain security. Your Tech Toolbox should also include the applications and utilities you want your employees to use in conducting business. A formal, standard application set makes it easier for IT to manage versions and security updates, and to spot software that does not belong.
2. Require Use of Company-Issued Computers.
The best way to implement your Tech Toolbox is to embed the tools, kept current with security updates, on the company-owned computers you provide to your employees. Company computers should not just be issued; their use should be required. Hackers and other bad actors were swift to notice that many work-from-home (WFH) employees were using personal computers for work, which too often made breaking in easier. A TechRepublic headline captures the problem: “Security faux pas: 56% of employees use personal computers to WFH.” It’s also important to stress that when it comes to work computers: No Kids Allowed. Or spouses, or friends. A work computer should be used only by the person to whom it is issued. Someone who “just wants to check e-mail” can launch a Trojan horse. And with drive-by download attacks, in which merely landing on a site can trigger an infection without clicking on anything, the risks of casual web browsing are steeper than ever.
3. Ensure All Remote Access Programs are Disabled—Unless Specifically Needed.
Another strong argument for issuing official work computers is that it lets you lock potential targets down tightly. Disable all access to, and use of, remote access programs such as LogMeIn, TeamViewer, and AnyDesk unless they have been specifically and securely set up for company use. This isn’t to say that any of these products is insecure when properly configured; it is that every such access point should be off by default and enabled only where permitted, with secure configuration and use assured. These are powerful tools, often used by Help Desk teams to resolve user issues remotely. But the same remote access can be exploited by hackers and other bad actors, and because these tools make outbound connections to the vendor’s relay servers, a firewall that only blocks inbound connections will not stop them. Inventory endpoints for such software regularly, and treat any installation that IT did not provision as a finding to investigate.
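As an added example (not code from the original column), here is the kind of check the “inventory and allow-list” advice above turns into in practice: a script that reads an endpoint process inventory, flags known remote-access executables, and suppresses only the host/tool pairs that IT has explicitly approved. The inventory lines and the allow-list are constructed for the demo, and the executable names are illustrative of these products rather than a complete signature set; real telemetry would come from your EDR or inventory tool.

```python
"""
Added example: flag remote-access tools in an endpoint process inventory unless
the (host, tool) pair is on an explicit allow-list. All data below is
constructed for illustration; the executable names are commonly associated
with these products but are an assumption, not an exhaustive signature list.
"""
from dataclasses import dataclass

# Illustrative executable names -> product (assumption; extend for your estate).
REMOTE_ACCESS_TOOLS = {
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "anydesk.exe": "AnyDesk",
    "logmein.exe": "LogMeIn",
    "lmiguardiansvc.exe": "LogMeIn",
}

# Hosts where the Help Desk has deliberately provisioned a tool (hypothetical).
ALLOW_LIST = {
    ("HELPDESK-01", "TeamViewer"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    image: str


def parse_inventory(text):
    """Parse 'host,user,process_image' lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, user, image = (part.strip() for part in line.split(",", 2))
        rows.append((host, user, image))
    return rows


def basename(path):
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unapproved(rows, allow_list=ALLOW_LIST):
    """Return Findings for every remote-access process not covered by the allow-list."""
    findings = []
    for host, user, image in rows:
        tool = REMOTE_ACCESS_TOOLS.get(basename(image))
        if tool is None:
            continue                      # not a remote-access tool we track
        if (host, tool) in allow_list:
            continue                      # IT provisioned this one on purpose
        findings.append(Finding(host, user, tool, image))
    return findings


# Constructed sample inventory (not real telemetry). Note the per-user
# AppData install on LAPTOP-0421: a typical sign of a user-installed tool.
SAMPLE_INVENTORY = """
# host,user,process_image
HELPDESK-01,svc_helpdesk,C:\\Program Files\\TeamViewer\\TeamViewer.exe
LAPTOP-0421,jdoe,C:\\Users\\jdoe\\AppData\\Local\\Programs\\AnyDesk\\AnyDesk.exe
LAPTOP-0422,asmith,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
LAPTOP-0423,bwong,C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe
"""

if __name__ == "__main__":
    for f in find_unapproved(parse_inventory(SAMPLE_INVENTORY)):
        print(f"UNAPPROVED {f.tool} on {f.host} (user {f.user}): {f.image}")
```

Run against the sample, it reports AnyDesk on LAPTOP-0421 and TeamViewer on LAPTOP-0423, while the Help Desk host is silent because its pair is allow-listed. The design choice worth copying is that exceptions are keyed by host and product, not by executable path, so a user who reinstalls an approved tool somewhere else does not slip through, and an unapproved tool on an approved host is still reported.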
4. Educate, Educate, Continue to Educate.
A large share of the security breaches that get splashed across the headlines, and of the far greater number that go unreported, can be traced to social engineering: an employee is tricked into clicking a link in an e-mail, or fooled into visiting a bogus website and entering sensitive information. In point 3, above, I noted that Help Desk teams use remote access programs to resolve issues. Unfortunately, hackers know this too, and have used e-mails and phone calls posing as Help Desk personnel to convince employees to download one of these applications so that they can “fix something” on the computer. Social engineering is such an enormous source of security breaches that it should be discussed on an ongoing basis, along with reminders about not using public Wi-Fi, not leaving a work computer unattended, and other basic, though often forgotten or ignored, precautions. Give employees one rule they can apply under pressure: a genuine Help Desk will never object to being called back on the published internal number before anything is installed.
5. Protect Financial Functions with Additional Layers of Approvals and Validations.
While social engineering stories often focus on a generic employee, C-level executives are targeted too, in carefully crafted e-mails or other communications referred to as “CEO fraud” phishing, or more broadly as business e-mail compromise (BEC). FedScoop carries the headline: “How one company lost $40M from an increasingly popular email scam.” The theft involved a phony e-mail that appeared to come from the company’s CEO, asking the company’s CFO to wire funds. It was all over in a matter of minutes; $40 million disappeared into thin air. Such fraud may be even easier to pull off in a world of remote workers, where a request can’t be checked by walking down the hall, so additional layers of approvals, validations, and verifications should be added: no single person should be able to both initiate and approve a large transfer, and any new or changed bank details should be verified by calling the payee at a number already on file, never at a number supplied in the request itself.
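To make the “additional layers” concrete, here is an added example (not from the column or any product it mentions) of a payment-release check that encodes three of those layers: bank details must match the vendor record on file or be confirmed by a callback to the phone number on file, the requester can never approve their own request, and amounts over a threshold need two distinct approvers including a senior one. Vendor records, names, the threshold and the account numbers are all hypothetical.

```python
"""
Added example: a dual-control / out-of-band verification check for outgoing
payments. All vendor data, names and thresholds are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Vendor bank details and callback numbers on file (hypothetical). The point:
# verification data comes from this record, never from the payment request.
VENDOR_RECORDS = {
    "acme-supplies": {
        "account": "GB29NWBK60161331926819",
        "callback_phone": "+44 20 7946 0000",
    },
}

DUAL_APPROVAL_THRESHOLD = 10_000          # second approver required at/above this
SENIOR_APPROVERS = {"cfo", "controller"}  # roles allowed to sign off large amounts


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    account: str                          # account stated in the request (e.g. in an e-mail)
    requested_by: str                     # who asked for the payment (as claimed)
    approvals: Set[str] = field(default_factory=set)
    callback_verified_via: Optional[str] = None   # number actually called to confirm, if any


def verify(req: PaymentRequest) -> List[str]:
    """Return the reasons this payment must NOT be released; an empty list means OK."""
    problems = []
    record = VENDOR_RECORDS.get(req.vendor_id)
    if record is None:
        return ["unknown vendor"]

    # 1. Changed bank details are the classic BEC tell. Accept them only after a
    #    callback to the number on file, not to any number given in the request.
    if req.account != record["account"]:
        if req.callback_verified_via != record["callback_phone"]:
            problems.append("account differs from record on file and was not "
                            "verified by callback to the number on file")

    # 2. Separation of duties: the requester may not approve their own request.
    if req.requested_by in req.approvals:
        problems.append("requester cannot approve own request")
    approvers = req.approvals - {req.requested_by}
    if not approvers:
        problems.append("no independent approver")

    # 3. Large payments need two distinct approvers, at least one of them senior.
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        if len(approvers) < 2:
            problems.append("second approver required above threshold")
        if not (approvers & SENIOR_APPROVERS):
            problems.append("a senior approver is required above threshold")
    return problems


if __name__ == "__main__":
    # Scenario modelled on the story above: an e-mail "from the CEO" asks the CFO
    # to wire a large sum to an account that is not the one on file.
    req = PaymentRequest(vendor_id="acme-supplies", amount=40_000_000,
                         account="GB94BARC10201530093459",   # not the account on file
                         requested_by="ceo", approvals={"cfo"})
    for reason in verify(req):
        print("BLOCKED:", reason)
    # Same request after a callback to the number on file and a second approver.
    req.callback_verified_via = VENDOR_RECORDS["acme-supplies"]["callback_phone"]
    req.approvals.add("controller")
    print("released" if not verify(req) else "still blocked")
```

The first run blocks the transfer for two independent reasons (unverified account change, only one approver), which is the property you want: defeating the control requires compromising more than one person and one channel. Whatever system you use, the callback number must be looked up from your own records at verification time; a number pasted into the fraudulent e-mail will always be answered by the fraudster.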
6. Deploy Robust Backup Systems, and Ensure they Are Used.
Ransomware attacks, including ransoms paid and the cost of recovery, exceeded $1 billion last year, according to a report in Help Net Security. One of the strongest defenses you can have is a robust backup and disaster recovery system, including offline or otherwise isolated copies that cannot be reached, altered, or deleted from your infected network with the credentials an attacker would already hold there. Without such protection, companies can face the agony of learning that their backups were encrypted by the same malicious software that hit the rest of the network. Step one is to deploy a robust backup system. The essential second step is to make sure it is actually being used by all employees, and that restores are tested regularly; an untested backup is a hope, not a plan. Requiring use of company-supplied and company-configured computers helps, because backup agents can be installed and enforced centrally, but emphasize the need to ensure all work is properly backed up.
7. Invest in Strong IT Security Operations.
With employees working from home, implementing, maintaining, and enhancing IT security becomes even more complex and challenging, at the same time that cybersecurity threats are growing. If you don’t have a strong IT security staff monitoring your resources 24×7 to detect attacks, apply new security patches, and ensure that all systems are up to date and backed up, you would do well to get help. Security talent is hard to find and expensive to retain, which underscores the value of working with a deeply experienced Managed Security Provider.
Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees, has a strong affiliation with various education groups and local school districts, and served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Directors for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce, and the Orlando Economic Partnership.