3/23/2020 9:00:00 AM
With recent events driving many organizations to expand their remote workforce, it has never been more essential to ensure that effective security controls are in place and functioning appropriately. It is equally important to remind your staff that the security and confidentiality of your information and data is crucial.
Employees must understand that your company's policies, procedures, and security best practices extend far beyond the office and remain in place whether at home or on the road. A combination of employee awareness and appropriate technical, operational, and administrative controls will ensure your remote workforce is not only productive but secure.
While there are many best practices to achieve a secure remote workforce, listed below are five to help you get started.
Employees who are aware of your remote connectivity methods, and well versed in their use, are less likely to veer off path. Without proper training and easy access to corporate systems, staff are more likely to attempt alternate, unapproved, methods to get work done, such as using personal email, instant messaging, or collaboration tools.
Many forms of remote access, such as VPN, Access Gateways, and Application Gateways, can be employed to provide a secure, encrypted connection. However, just having these solutions in place does not guarantee security. Adhere to industry standard controls, such as those offered by the National Institute of Standards and Technology (NIST), or the International Organization for Standardization (ISO).
Employees are your first line of defense, and a strong security awareness program will help them protect your systems and data. Provide cybersecurity and privacy training to your employees prior to on-boarding and no less than annually thereafter. Enhance this program with periodic reminders, information about current threats, and any changes to your security program.
Ensure you provide your employees, regardless of where they work, with simple methods for contacting your organization's IT and Information Security teams should they need assistance or want to report something suspicious or abnormal. Let employees know you value their input and urge them to always report anything out of the ordinary.
More importantly, your Helpdesk and IT staff are prime targets for phishing attempts. Educate them on ways to spot bad actors who are attempting to impersonate your own workforce to request username verification, password resets, or other sensitive information. Have in place a process to verify the identity of your employees before assisting them.
While employees must always be required to protect the security and confidentiality of information, it is even more crucial while working remotely. This is especially true when working from home where employees may feel they are in a less professional environment. Remind them that while they may be working with trusted friends or family nearby, these individuals are not employees and have no need to know your organization's information. Workspaces should be kept as private as possible, phone calls should be taken from a separate room, screens shouldn't be visible to others, and employees must ALWAYS lock their computers before stepping away. Additionally, when working in a public area, devices should never be left unattended. Finally, always urge employees to stay away from pubic Wi-Fi and instead use a personal hotspot.
Organizations may support remote access on a variety of devices, whether corporate or personal. Regardless of the device, centrally managed controls should be in place that cannot be modified by the end user. While this may be easier to achieve with corporate devices, Mobile Device Management (MDM), Mobile Application Management (MAM), and similar solutions can easily extend these protections to corporate and personal devices alike.
Regardless of the method, always utilize a defense-in-depth approach by layering your security controls. These controls typically include, but should not be limited to, next-generation firewalls, intrusion detection and prevention systems, antivirus, anti-malware, and behavioral analysis software, web filtering solutions, and patch and vulnerability management programs.
While there are many guidelines to what constitutes a strong password, one thing most agree on is that the greater the length and entropy, the stronger the password. It is equally vital that passwords be easy for the user to remember but hard for others to guess. An easy-to-remember password prevents the user from having to write it down or store it in an unsecured manner.
Follow industry standard best practices when developing requirements for password length, complexity, history, expiration, and lockout, and, most importantly, utilize Multi-Factor Authentication (MFA) from a reputable organization. Employing MFA significantly reduces a bad actor's ability to compromise your user's identity by requiring a second form of authentication, typically in the form of a one-time passcode, prior to gaining access to your systems and applications.
Working remotely was already becoming commonplace. Many companies are now accelerating the transition to a remote workforce. When doing so, do not let IT security be an afterthought. Adopting secure remote workforce practices today can save you a great deal of time and trouble tomorrow.