Due to the Coronavirus disruption, many businesses found themselves needing to quickly come up with remote work solutions so their productivity wouldn't plummet.
While some organizations had the infrastructure for a quick transition with minimal disruption, others had to implement "on-the-fly" solutions which, while they got the job done, perhaps weren't the solutions they would have chosen given adequate planning time.
As a result, there are millions of Americans out there with less than ideal remote workspaces from a security standpoint.
Before the COVID-19 pandemic, technology planning and design were traditionally focused on the workplace, with leadership asking questions such as:
- "What kinds of devices should the office get for the staff?"
- "What kind of local area network with wired and wireless access do we need?"
- "How do we right size our technology so that our investments meet productivity and performance goals?"
- "What security tools and processes should we utilize in order to protect ourselves?"
These challenges were often dealt with by technology experts and management who were used to making significant decisions about the company’s technology investments. End-users were mostly hands-off when it came to implementing this technology.
However, in today's environment, end-users are playing a more active role in the technology used to do their jobs.
So how can you adhere to security best practices when you’re working out of your home? Here are a few things you can do to create a Secure Remote Workspace.
1. Basic Wireless Networking
Chances are that most, if not all, of the people in your home are using a wireless connection to access the Internet, and by extension your organization’s systems and data. This is one of the most important places to focus your attention, because if your home network isn’t private and secure, neither is the data that flows through it.
#1: Make sure that you are using a relatively current, vendor-supported wireless networking device. If your Internet Service Provider (ISP) is providing your wireless networking device, there’s a good chance that’s already happening as part of your service (although you shouldn’t take it for granted). But many people, myself included, use their own equipment.
The vendor’s website should have documentation indicating which devices are still getting support and updates, and if you have the know-how to connect to the device, you can check this information from the device’s interface. If this is a little over your head, ask a knowledgeable resource to help you figure it out. The important part is that it’s a decent device. You don’t need the highest end, most state-of-the-art device, but it also can’t be a fossil.
#2: Your network (the SSID) should be password protected. There is really no reason why a wireless network should be open without some kind of barrier to entry. Most modern wireless devices make this kind of setup fairly easy, but just as before, you should consult an expert if this is too much for you to handle. And of course, just like your other passwords, you should change it every so often, and not use obvious words or other bad passwords.
To keep it simple, use a supportable, updatable wireless device, and make sure your wireless network has password protection before connecting.
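One way to check the password-protection point above from a work laptop is shown below. This is an added example, not part of the original article; it assumes a Linux machine running NetworkManager (the `nmcli` tool) and falls back to a constructed sample when `nmcli` is absent. Flagging WEP as weak goes a step beyond the article's "password protected" advice.

```python
import shutil
import subprocess

# Constructed sample of `nmcli -t -f ACTIVE,SSID,SECURITY device wifi list` output.
SAMPLE = """\
yes:HomeNet:WPA2
no:CoffeeShop Guest:
no:Old\\:Router:WEP
no:Neighbor:WPA1 WPA2
"""

def split_terse(line):
    """Split one terse-mode line on ':' while honouring backslash escapes."""
    fields, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map the SECURITY column to open / weak / protected."""
    tokens = security.split()
    if not tokens or tokens == ["--"]:
        return "open"       # no password at all
    if set(tokens) == {"WEP"}:
        return "weak"       # password set, but WEP is an obsolete scheme
    return "protected"

def audit(output):
    """Return (ssid, is_current_connection, verdict) for each listed network."""
    rows = []
    for line in output.splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # blank or unexpected line
        active, ssid, security = fields
        rows.append((ssid, active == "yes", classify(security)))
    return rows

if __name__ == "__main__":
    live = shutil.which("nmcli")  # fall back to the sample when nmcli is absent
    text = subprocess.run(["nmcli", "-t", "-f", "ACTIVE,SSID,SECURITY", "device", "wifi", "list"],
                          capture_output=True, text=True).stdout if live else SAMPLE
    for ssid, current, verdict in audit(text):
        print(f"{'*' if current else ' '} {ssid or '<hidden>'}: {verdict}")
```

The line marked with `*` is the network the machine is currently connected to; anything other than `protected` on that line is worth fixing before doing company work.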
2. Maintain ALL the Devices that Connect to Your Network
Maybe your company issued you a laptop for you to work from home, or you closely maintain and limit access to a specific device to connect to your company’s systems. That’s great, and of course you should maintain and manage these devices similarly to how you would in an office environment. But you must think about threats external to your device and network as well.
Consider an old, unsecured wireless device that has access to the same network on which you are doing your work. This device may be exploitable, allowing a bad guy to monitor network traffic coming off the relatively secure and controlled device you use for work.
This is even more important as the so-called Internet of Things (IoT) introduces more network devices like smart fridges or wireless personal assistants like Amazon Echo. When individuals launch cyber-attacks, they are generally trying to exploit the weakest links, and devices that are behind on security updates are low hanging fruit.
Most consumer-grade devices will update themselves or have a very simple updating process, provided you allow it to happen and the vendor still supports them. It is important that you do this in order to protect the flow of data through your personal networks.
3. Physical Security
Devices that are used to access company information should not be used by people outside of your company. A much greater burden has now been placed on the individual to protect the physical security of their devices. Most people also don’t have physical security like their office building might have.
Here are a few tips to maintain the physical security of your devices:
#1: Keep your device accessing company data away from other devices and people. If possible, lock up the device. Make it clear to children or others in your home that this device is not to be disturbed. I strongly recommend not using a shared family PC for this kind of work. A personal device is one thing, because you can control access to it. But shared PCs are inherently difficult to control and monitor.
#2: For management, consider taking an inventory of personal devices being used. Encourage staff to communicate what devices they are using to access company information. And if possible, use some of the same security tools, like Patch Management and Antivirus, that you might use at your company on those personal devices.
#3: Make sure that people know how to report if a device has been tampered with, lost, or stolen. Along with reporting security incidents like a malware infection or a suspected phishing attack, staff needs to know that if a physical security incident has occurred, they need to report and document it with management immediately.
4. Establish Rules and Follow Processes
Since the workforce is so decentralized right now, it’s important that you put in structure and create a positive culture when it comes to the use of technology, especially since the social reinforcement of the office environment is gone.
Here’s a short list of items to make sure you set clear expectations for remote workers:
- Identify what places/systems/applications are allowed for company data. Similarly, outline what devices and transmission methods are permitted. You must establish these workflow expectations.
- What constitutes particularly sensitive data and why? Staff should understand the importance of what they are working with and the liabilities to the organization.
- If personal devices are to be used, what are the requirements for those devices, and what accessories are needed to make work happen (e.g. webcams, Bluetooth mics)?
- What are the working hours, and by extension what flexibility is afforded with working from home? It’s important to know when people are typically working, because suspicious behavior often occurs outside working hours.
- How can staff communicate challenges and incidents getting their work done? You need to make sure that your team has a process for communicating any difficulties so they don’t go outside the process and create a security risk.
- What is and is not to be expected in electronic communications? An important way to fight phishing and social engineering is for staff to know what their management would never ask for via email. If a message goes outside of those parameters, it could be a phishing attack.
Setting up a Secure Remote Workspace takes a lot of the major principles and designs we employ in an office environment and condenses them down to more fundamental basics. But the challenge is that many of these relatively simple tasks require much more discipline without the office culture and environment to reinforce the goals and limit risks.
While things are unpredictable right now, and there is no way to completely guarantee that security incidents won’t happen, if you try to follow some of these basic strategies, you can help minimize our exposure.
Want to talk to us more about setting up secure remote workspaces? Request a quick 10- to 15-minute appointment with one of our Business Strategy Advisors: https://www.dpsolutions.com/contact/request-appointment