Military personnel talk about how dangerous life can be outside the wire. But what about your organization’s employees working from home—from outside the wall, as it were—during the coronavirus pandemic?
Your employees probably aren’t in any sort of imminent physical danger while typing away from their home offices. But the same can’t necessarily be said for your data, which must negotiate an obstacle course of potential risk factors, from unsecured personal devices to residential WiFi networks. The fact that hacking, phishing and spam activity has notably increased in lockstep with the coronavirus-fueled work-from-home movement, according to industry watchers, has only added to the worries keeping executives up at night.
So what are some best practices organizations can put in place right now to protect their data when everyone’s working from home?
Prioritize User Training and Security Policies
Even though criminal cyberattacks are often the cause of data breaches, human error by otherwise well-meaning employees accounts for 36% of incidents, according to one 2018 study. Phishing remains a favorite vehicle for hackers, with the most recent being a “massive” Excel-based campaign disguised as a COVID-19 report. But with everyone working from home, unsecured personal devices, routers and residential WiFi networks have also become notable risk factors.
That’s why employees need appropriate training on basic cybersecurity principles and practices to keep data secure: Don’t click suspicious links; ensure your system, antivirus and applications are patched and updated regularly; don’t send sensitive work information through your personal email account; etc. Since you can’t put up posters in the lunchroom while everyone’s at home, it’s also important to establish, communicate and set expectations repeatedly around your organization’s cybersecurity policy. Because it’s simply not good enough to assume all your employees, many of whom probably don’t see data security as something they’re directly responsible for, will automatically do the right thing. Organizations will have no choice but to make security the responsibility of all employees.
Provide Secure Network Access
It almost goes without saying that remote employees who work in company systems need secure access. There are a few options on that front: Many organizations already have a virtual private network (VPN), so the easiest solution may be to ensure you have enough seats to cover everyone. The problem with VPNs, though, is that they’re based on pretty old technology—the good ones are often relatively costly, and it’s not easy to patch them or propagate fixes across multiple devices. They’re also not very secure compared to newer technologies, because once an endpoint is connected to your system via VPN, any malicious files on that computer have a clear path to your systems.
Other, more modern possibilities include on-premises virtual desktop infrastructure (VDI) or cloud-based desktop-as-a-service (DaaS), which provide remote access to a non-physical desktop usually running as a virtual machine on a server. These setups can be effective, but are also often time-consuming to set up and onboard remote workers. As well, many lack critical features out of the box such as multi-factor authentication, anti-virus tools, secure channels, encryption, audit streams, firewalls and automated patches and updates.
Whatever solution you use, ensure it keeps you compliant with GDPR, CCPA, SOC 2 Type II and other industry regulations to secure data and systems. These haven’t gone away just because there’s a pandemic, and the fines for non-compliance can be significant.
Have a Zero-Trust Mindset
Like many of these best practices, this is one you should be doing anyway whether your employees are down the hall, down the street, or in another country; after all, the International Security Forum estimates that 54% of company security breaches are caused purposefully by internal actors. Zero trust means that organizations should never automatically trust anything or anyone, no matter if these entities are inside or outside the organization.
There are a few different ways to achieve such an environment. Multi-factor authentication (MFA) or two-factor authentication (2FA) means users need more than a password to log in to company systems; they must also jump through at least one more hoop to prove their identity, such as an email or SMS confirmation. Least privilege permissions also help with zero trust by only granting as much access to systems and applications as employees, partners or contractors need to do their jobs—and nothing more.
Encryption software can also go a long way in maintaining zero trust and keeping data secure. In many cases, you don’t even need to purchase extra software since well-known business apps including Acrobat and MS Office have built-in encryption for individual documents.
Keep Systems and Apps Updated Remotely
Firewalls, anti-virus software and malware protection are great to have, but they border on ineffective if not kept properly up to date (along with operating systems and applications) through regular updates and patches. But here’s the bad news: According to a recent UK survey, only 19% of remote workers indicated they keep their antivirus software up to date (a further 18% also said they performed company work on unsecured personal devices).
These are sobering numbers for organizations concerned about data security, to be sure. But keeping devices properly updated when people aren’t in the office—especially if your employees use their own devices—can be a huge challenge. One way to do it is through proactive reminders to staff. VDI software, which we mentioned earlier, can also be a big help by allowing administrators to automatically update VM images remotely.
No matter how long the current work-from-home push lasts—or whether, as many predict, it’s here to stay—organizations should follow these and other best practices to keep their data and systems secure when people are working remotely. There are solutions on the market today that help to remove the risks of home WiFi and personal devices; however, it’s important to do the research to find ones that best meet your business needs. Because even though doing things the right way can seem like a pain at times, it pales in comparison to the cost of an average data breach.