Unless you already had a remote workforce before the COVID-19 pandemic, the way you set up your employees to work from home may have inadvertently exposed your company to security risks. While some risks emerged because your people are not working inside your corporate perimeter anymore, other risks have always been there, but their importance has increased.
Go over the following four areas of security with your IT team to discover if your remote workforce has created additional security weaknesses. What you find should help you improve your overall security situation for remote workers and make cybersecurity awareness a natural part of everyone’s workday.
1. Are Employees Cyber-Savvy?
Cybersecurity Awareness Training:
The best security strategy is made up of technical and non-technical layers, and the behavior of your people can be the weakest layer in your strategy. Employees should have ongoing training to learn how to recognize and respond to potential cyber-attacks and social engineering schemes.
One segment of cybersecurity awareness training is about password management. Having strong and unique passwords for different accounts seems like such a simple practice, yet it often gets neglected in the name of convenience. Locking the doors to your data and systems with strong passwords is one of the most effective ways to keep hackers out.
Included in your non-technical security layers are documented policies that govern access to data. These policies don’t do any good if they’re hidden away in your employee handbook. Employees should be trained on how to follow them, why they should follow them, and how they will be enforced.
Ask Your IT Team:
- Do we provide ongoing cybersecurity training for our employees?
- Has everyone been trained to follow security policies?
- How are we enforcing our policies?
2. How Are You Managing Devices?
Personal Devices Used for Work:
When employees use their personal smartphones and computers for work, it can be hard to decide how much control you could or should have. After all, you’re talking about your workers’ personal property. Even if your people give you permission, they might do so thinking that they don’t have a choice, which could build resentment.
Assume that employees will be using their computers for their personal activities and that more than one person in a household may need to access that machine. You may not know until it’s too late if what someone is doing on that particular computer compromises the security of your company data.
Up-to-Date Software and Operating Systems:
Whether employees are using personal or company-owned equipment, it’s vital that all software and operating systems are up to date. This is a lot easier to manage on company devices. If personal equipment is lacking, you’ll have to decide how to upgrade and if investing in your employees' machines makes financial sense in the long run.
Firewalls, Anti-virus and Anti-malware:
Having technical layers of security on each device is just as important as having up-to-date software. You can scan employee computers to discover what security software they have, and again, if you need to upgrade, decide if it makes long-term sense or if it’s time to invest in additional company laptops.
Company and Personal Use Questions:
Even if you provide your employees with a laptop and smartphone, it’s best practice to have policies in place that determine acceptable use. Most people are willing to comply, but they need to be informed about policies, trained in how to follow them, and know how you’re going to enforce them.
Ask Your IT Team:
- Do we have minimum specifications for software and security on employee-owned smartphones and computers being used for business purposes?
- Are our policies sufficient to guide employees in the behavior that will keep data out of the wrong hands?
3. Are Home Networks Locked Down?
Home networks are very different from your corporate network, and you can’t take it for granted that your employees have everything set up with security in mind. Routers have passwords that block unwanted traffic, and these passwords should be strong enough to thwart automated attempts to guess them.
Remote Desktop and VPN:
Remote desktops make it easy for employees to get to the programs and files that they need, but opening up the ports on your firewall to provide that access is not recommended. Remote desktop should always be used in conjunction with a VPN (Virtual Private Network) to ensure that internet traffic going to and from your corporate servers is protected from unwanted eyes or hijacking.
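As an added example (not part of the original article), one way for an IT team to check whether remote desktop is only reachable through the VPN is to review an export of inbound firewall rules and flag any allow rule that admits RDP (TCP 3389) from a source outside the VPN address pool. The rule format, the rule names and the 10.8.0.0/24 pool below are constructed assumptions.

```python
import ipaddress

# Constructed sample: inbound allow rules as they might be exported from a
# perimeter firewall. Field names and values are assumptions for this example.
SAMPLE_RULES = [
    {"name": "vpn-gateway", "proto": "udp", "ports": "1194", "source": "0.0.0.0/0"},
    {"name": "rdp-from-vpn", "proto": "tcp", "ports": "3389", "source": "10.8.0.0/24"},
    {"name": "rdp-for-home-users", "proto": "tcp", "ports": "3389", "source": "0.0.0.0/0"},
    {"name": "legacy-range", "proto": "tcp", "ports": "3000-4000", "source": "203.0.113.0/24"},
    {"name": "rdp-one-admin", "proto": "tcp", "ports": "3389", "source": "10.8.0.17/32"},
]

RDP_PORT = 3389
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # assumed VPN client address pool


def covers_port(spec, port):
    """True if a port spec such as '3389', '80,443' or '3000-4000' includes port."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rdp_exposed_outside_vpn(rules, vpn_pool=VPN_POOL):
    """Return names of allow rules that admit RDP from sources outside the VPN pool."""
    findings = []
    for rule in rules:
        if rule["proto"].lower() not in ("tcp", "any"):
            continue
        if not covers_port(rule["ports"], RDP_PORT):
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        # subnet_of() needs matching IP versions; an IPv6 source is never inside an IPv4 pool.
        inside = source.version == vpn_pool.version and source.subnet_of(vpn_pool)
        if not inside:
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in rdp_exposed_outside_vpn(SAMPLE_RULES):
        print(f"RDP reachable without VPN via rule: {name}")
```

Wide port ranges are checked as well as exact matches, because a rule such as the constructed "legacy-range" opens 3389 without ever naming it.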
Connections to SmartThings:
Your employees may have one or more smart devices connected to their home network, such as a thermostat, appliance, security camera or even children’s toys. If access to these devices is not secured with a password, this could be an avenue of entry for a hacker and could pose a threat to the integrity of your corporate network too.
Ask Your IT Team:
- Are we using VPN along with remote desktop?
- Have we scanned our employees' home networks to determine if they have adequate security?
4. Is Data Visible and Accessible?
File Sharing and Collaboration:
Unless you’ve provided your remote workers with a file sharing and collaboration tool like Microsoft Teams, your data may be getting spread around to places where IT can’t see or manage it. People will find workarounds to do what they need to do. For example, they might put the files they need in their personal Dropbox account. Workers might also create extra work for themselves by emailing around different versions of a document that requires team input.
Files that IT can’t see also can’t be backed up. Backup is an integral piece of your business continuity and disaster recovery strategy.
Policies Governing Access to Data:
Whether employees are in or out of the office, your security policies inform people about acceptable ways that company data can be stored and accessed. Again, policies are a vital piece of your security strategy along with training and enforcement.
Ask Your IT Team:
- Are employees storing data in places where IT can’t see it?
- What tools are we providing to streamline file access and enable collaboration?
- Do employees know our expectations for controlling access to data as detailed in our security policies?
Confidence in a Secure Remote Workforce
If you don’t have confidence that your remote workforce is set up to work without creating security risks, it’s time to take a step back and build up your cyber defenses both inside and outside of your corporate perimeter.
Contact us to schedule a security assessment. Finding out where you have security gaps is the first step towards better cyber risk management.