5 steps to strong cybersecurity for remote employees

Mar 15, 2020

To err is human, and employees are prone to lax security practices — even in highly supervised office IT environments.

When employees work remotely, the stage is set for potentially serious breaches. Remote workers were responsible for security incidents at 36% of the organizations surveyed in a March 2019 poll of 250 IT leaders, and 54% of respondents believed that remote workers posed a greater security risk than on-site employees.

Even so, you can maintain the integrity of your data and systems under remote work conditions — with the right cybersecurity practices. Here are the key steps to make sure that your sensitive information stays safe while your employees are working from home.

Step 1: Provide clear policies and training

Employees need to understand what standards of equipment and behavior their remote work demands. Whatever your approach is, it needs to be codified and clearly communicated to all your employees. Then they need to be trained on these policies so that even the least technically savvy among them can consistently apply all the preventive cybersecurity measures you expect them to take.

Step 2: Set standards for the devices they can use

If you can afford to do so, it’s best for remote employees to use company-issued laptops and phones that you can manage directly. This prevents a host of risks, including using outdated (and thus potentially insecure) hardware and software, unencrypted devices and devices that are configured in ways that leave them open to attacks.

If you must let employees use their own devices, you can limit risk by setting minimum standards for them. Clearly define types — and versions — of operating systems, browsers and the like that can be used to conduct company business and connect to company systems, and set clear requirements for data encryption and password protection. Also set clear rules about how employees should store and transfer data when outside the office. Otherwise, they may set up insecure “shadow IT” like personal Dropbox accounts using obvious passwords.
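A written minimum standard like this can also be checked automatically against what each device reports. The sketch below is an added example, not part of the original article; the version thresholds, field names and sample device reports are assumptions constructed for illustration.

```python
# Added illustration: thresholds, field names and reports are constructed assumptions.
MIN_STANDARDS = {
    "os": {"windows": (10, 0, 19045), "macos": (13, 0), "ubuntu": (22, 4)},
    "browser": {"chrome": (120,), "firefox": (115,), "edge": (120,)},
}
MIN_PASSCODE_LENGTH = 8

def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045); raises ValueError on empty or non-numeric input."""
    return tuple(int(part) for part in text.split("."))

def at_least(reported, minimum):
    """Numeric comparison, padding with zeros so (13,) and (13, 0) are equal."""
    width = max(len(reported), len(minimum))
    return reported + (0,) * (width - len(reported)) >= minimum + (0,) * (width - len(minimum))

def check_device(report):
    """Return the list of violations; an empty list means the device meets the standard."""
    problems = []
    for kind in ("os", "browser"):
        name = str(report.get(f"{kind}_name", "")).lower()
        minimum = MIN_STANDARDS[kind].get(name)
        if minimum is None:
            problems.append(f"{kind} '{name or 'unknown'}' is not on the approved list")
            continue
        try:
            reported = parse_version(str(report.get(f"{kind}_version", "")))
        except ValueError:
            problems.append(f"{kind} version missing or unreadable")
            continue
        if not at_least(reported, minimum):
            problems.append(f"{kind} {name} {report[f'{kind}_version']} is below the minimum")
    # Fail closed: a missing or non-boolean answer counts as a violation.
    if report.get("disk_encrypted") is not True:
        problems.append("disk encryption not confirmed")
    length = report.get("passcode_length")
    if not isinstance(length, int) or length < MIN_PASSCODE_LENGTH:
        problems.append("passcode too short or not reported")
    return problems

SAMPLE_REPORTS = [  # constructed device self-reports
    {"owner": "alice", "os_name": "Windows", "os_version": "10.0.19045", "browser_name": "Chrome",
     "browser_version": "124.0.6367", "disk_encrypted": True, "passcode_length": 12},
    {"owner": "bob", "os_name": "macOS", "os_version": "12.7.4", "browser_name": "Firefox",
     "browser_version": "115", "disk_encrypted": True, "passcode_length": 6},
    # "10.0.9200" sorts above "10.0.19045" as a string, so compare numerically.
    {"owner": "carol", "os_name": "Windows", "os_version": "10.0.9200", "passcode_length": 10},
]
```

Calling check_device on each sample report returns an empty list for a compliant device and one message per violation otherwise; anything the device does not report is treated as a failure rather than assumed to be fine.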

Step 3: Deploy the right security software

When your employees work outside your office and the security defenses on your corporate network, you need to make sure they’re using strong security software. Enterprise-grade antivirus and antimalware protection, ideally including the capability to perform a remote wipe of a device if it is lost or stolen, are crucial.

Also consider upgrading to an endpoint detection and response (EDR) solution for your remote workers. EDR doesn’t just block threats; it also logs system event data and monitors these logs, looking for indicators of compromise within your company’s systems so that your IT team can spot threats as they develop and respond to them.

Step 4: Give your employees the right tools and ensure they use them

All employees, in any work environment, should use certain basic tools that become even more critical when working remotely.

  • A password manager is a powerfully encrypted application that generates and stores unique, strong (read: random and complex) passwords for each site an employee visits. Keeping a unique password for the password manager itself is enough to let you automatically manage login credentials for every other site or app. Free managers are available for individual use, but many offer paid corporate subscriptions that enable you to store, manage and share credentials across all devices used by a given employee.
  • Two-factor authentication requires employees to enter a code, typically sent to their phone or email address, in addition to their login credentials when signing in. A hacker attempting to break into your network is unlikely to also have access to the user’s phone, so this authentication helps to prevent the successful use of stolen passwords. 

Step 5: Set up a remote-access virtual private network (VPN)

Your properly trained and equipped employees need a secure way to connect to your corporate network when they’re working remotely. That means setting up a virtual private network (VPN) for remote access. Instead of connecting your company’s servers or desktop computers directly to the internet, where computers and data transfers are vulnerable to attack, your employees use a VPN’s client software to guide all traffic through a single secure, encrypted tunnel. Their client connects to a network access server with login credentials, and all data is transferred through that secure tunnel to and from your company’s systems. (Pair your VPN with two-factor authentication for even greater security.)

Be prepared to manage incidents when out of the office

One last point to consider is whether your organization is prepared to respond to cyber incidents when the incident response team is also working remotely. Do you have a plan to move to a different messaging and productivity platform if the company intranet is down, so that decisions can be made and acted upon? Now is the time to make one. Also have contingency plans in place for using local resources to repair or replace the devices of employees who can’t visit the company IT department. If you’re prepared, a dispersed workforce that isn’t tied to a single location can be an asset, instead of a liability. A little preparation can make remote work a smooth continuation of regular operations.

Author(s)

Tom Wojcinski, CISA, CRISC
Director