5 Security Mistakes Your Remote Team is Making Right Now

Businesses across the globe are now facing a new reality: working from home. Secure remote access to company resources has never been more prevalent or more essential; teams are shifting from the office to their living rooms in droves to keep each other and their communities safe from the spread of COVID-19. While it’s essential those teams have the security tools they need, equally essential are the security policies your company enacts. The protocols you build around remote work are key to protecting your network resources, now more than ever.  

Working outside the security of the office can lead to bad habits on the part of your team; simple mistakes can cause massive risk. What mistakes is your remote team likely making right now—and how can your security policy address them?

They visit websites without verifying their security. Especially in the wake of COVID-19, hackers are employing more and more phishing attacks, preying on everyone’s fear and stress during this painful time. Employees might be extra careful at work, but at home, they may be less cautious when clicking links. Make sure they know that if their device becomes infected with malware, any company resources they have access to are also at risk. Educate your team on best practices for verifying a link before clicking on it; set a clear, companywide policy for dealing with unknown links: when in doubt, err on the side of caution. Connect your employees with the IT team for support; a protocol of connection and communication with tech experts keeps everybody safer.

They’re sharing work devices—or using personal devices for work. When teams work from home, they’ll often work with their own personal devices. Even if that’s exclusively a desktop computer, this still presents a risk. With the right security measures this doesn’t have to be a problem, but the reality is many people treat their personal devices with much less caution than they do their work-issued laptops and phones, often allowing friends and family to access them. If they’re using personal devices, they themselves are likely surfing the web in unsafe ways and bringing risk to your network.

But now that those personal devices are connected to your company network, it’s important that they understand: It’s time to treat every device like it’s a company device. Set a clear protocol in place, with potential discipline if that protocol isn’t followed, that no one is to share their devices with anyone outside of the company. Make sure you communicate these expectations clearly with your team. Even better, don’t allow your team to use their own devices. If you have the ability to distribute company devices, this is the best way to protect your network resources. You’ll still need a clear protocol in place as to how you expect those devices to be safeguarded while outside company property, but it will be easier for your team to separate their personal habits and work habits. That’s key to any security policy. 

They’re using weak passwords to access your company network. Twenty-five percent of employees use the same password for everything, which means their accounts are that much easier to hack. Your company policy should specify: Passwords need to be unique to every single account, sufficiently complex and varied, and long enough to maintain that complexity. Consider providing your team access to a password manager as part of this policy, and your company’s risk factor will be reduced significantly. Similarly, make sure your virtual private network requires two-step or multiple-factor authentication for an extra powerful layer of security upon login, and for even more security, set up your network to only allow devices with the proper security certificates to access it. That way, even if their password is stolen, hackers won’t be able to access their account.

They use an unsecured network with no VPN. One of the most common, and most dangerous, mistakes that remote employees make is working on unsecured Wi-Fi, especially without a VPN. If their home Wi-Fi is unsecured, and they sign on to their email or other remote work tools outside of your company VPN, then a hacker with access to the same Wi-Fi network will potentially be able to access your employee’s activity, especially if that employee visits HTTP (as opposed to HTTPS) sites. If they’re sending or receiving sensitive information, that information is at risk. Fortunately, you can require this security step for any employee wanting to access your network, so the solution here is simple: Make sure all network resources—including email and other tools—are only available in your virtual private network. Make sure your company VPN has a secure client for logging on, and don’t allow anyone to access your network without that client.

They’ve been granted too much access. Let’s be clear here: This is actually a mistake on the part of employers, not employees, but it’s simply too common not to include on this list. Too many companies simply give blanket access to the entire network to every remote employee, and that just isn’t necessary. Not only is it unnecessary, but it’s also explicitly putting your data at risk. The less data they have access to, the less your company is at risk if an employee’s device or account is compromised. Ultimately, very few employees need full access; they really only need access to the resources required to do their job. Your marketing team does not need access to the engineering team’s product development details, and your accounting team does not need access to the HR database. Limiting that access is not a reflection of trust or esteem; rather, it’s simply a reflection of reality. Breaches are bound to happen at some point, so if you limit access for each employee, you limit the extent of a breach. 
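The breach-containment argument above can be checked against real VPN access rules. The following is an added example, not part of the original article; the subnets, resource names, team needs and grant lists are all constructed assumptions. It compares what a compromised account can reach under blanket access versus scoped access.

```python
import ipaddress

# Constructed sample data: corporate network and per-resource subnets.
CORP_NET = ipaddress.ip_network("10.0.0.0/16")
RESOURCES = {
    "engineering-repos": ipaddress.ip_network("10.0.10.0/24"),
    "hr-database": ipaddress.ip_network("10.0.20.0/24"),
    "accounting-ledger": ipaddress.ip_network("10.0.30.0/24"),
    "marketing-cms": ipaddress.ip_network("10.0.40.0/24"),
}
# Assumption: the resources each team needs to do its job.
NEEDS = {
    "marketing": {"marketing-cms"},
    "accounting": {"accounting-ledger"},
    "engineering": {"engineering-repos"},
}
# Two constructed VPN policies: CIDR ranges each team may reach.
BLANKET = {team: ["10.0.0.0/16"] for team in NEEDS}
SCOPED = {
    "marketing": ["10.0.40.0/24"],
    "accounting": ["10.0.30.0/24"],
    "engineering": ["10.0.10.0/24"],
}

def reachable(grants):
    """Resources exposed if an account holding these CIDR grants is compromised."""
    nets = [ipaddress.ip_network(g) for g in grants]
    # overlaps() also catches grants that cover only part of a resource subnet.
    return {name for name, subnet in RESOURCES.items()
            if any(subnet.overlaps(n) for n in nets)}

def audit(policy):
    """Per team: resources reachable but not needed, and whether any grant
    covers the whole corporate network."""
    findings = {}
    for team, grants in policy.items():
        excess = reachable(grants) - NEEDS[team]
        blanket = any(CORP_NET.subnet_of(ipaddress.ip_network(g)) for g in grants)
        findings[team] = {"excess": sorted(excess), "blanket": blanket}
    return findings

if __name__ == "__main__":
    for label, policy in (("blanket", BLANKET), ("scoped", SCOPED)):
        print(label, audit(policy))
```

Under the blanket policy every team's excess list contains the other teams' resources; under the scoped policy it is empty, which is the limit on breach extent the paragraph describes.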

Your team’s sudden shift to remote work doesn’t have to mean a data breach. It takes the right tools and the right policies, but with connection, education and training, and a clearly defined security protocol, this shift could end up being incredibly positive for your company. Even after the crisis passes, there are so many benefits to remote work, including significantly lower costs, happier employees, and lower turnover. You might find yourself never wanting to go back to the office at all.

Francis Dinha


Francis Dinha is the founder and CEO of OpenVPN, a provider of next-generation secure and scalable communication services. With over 60 million downloads since 2002, OpenVPN’s award-winning open source VPN protocol has established itself as the de facto standard in the networking space. The company’s promotional product Access Server is designed for businesses, providing secure access to a private enterprise network, in the cloud or on-premise. Before he founded OpenVPN, Francis was the CEO at Iraq Development and Investment Projects where he played a principal role in architecting a joint venture to win the mobile communication license in Iraq. He has served as an architect and broadband system engineer at Ericsson, where he worked both in the U.S. and Sweden. Francis was also the founder and CTO of PacketStream, a company whose patented technology enabled dynamic Quality of Service provisioning of IP networks. Francis has a Master of Science in computer engineering from the University of Linkoping in Sweden.
