7 Tips for Maintaining Security for Your Remote Work Team
When COVID-19 hit, companies across the globe were caught with their proverbial pants around their ankles. Practically nobody was prepared to suddenly transition their entire team offsite and onto home computers. Sure, security protocols were established, but how much attention did everyone really have to offer with the kids suddenly at home and the world on lockdown?
By now, you’ve got your basic tools and systems in place. On the whole, it probably feels like your team has a grip on how to keep things running without coming into the office. Everyone has finally figured out how to mute themselves on video calls and when not to hit reply-all. But how secure is your company’s data?
More likely than not, security training took a major backseat to just getting everything online. In the scramble to get everyone set up for remote work, things probably fell through the cracks. Most employees haven’t been trained to keep the company’s data secure. Does Jared in Accounting know that he needs to check a website’s certificate if he’s browsing on his home computer? Does Karen in HR know better than to click on a link in an email from an unfamiliar sender? Probably not.
We’ve compiled a list of tips for checking the status of your remote team’s security. While some of these might seem beyond your budget, they are still best practices to keep in mind as your company plans next steps in the transition to a post-COVID world.
1. Provide Company Laptops
It’s pretty unlikely that when operations were still in the office you asked your employees to bring in their home computers. Issuing desktop computers is pretty standard when people have desks to work from. It allows for uniformity, security and saves your IT department a whole lot of headaches. So, this should be obvious (but too often isn’t): if you’re asking people to work from home, you should provide them the equipment to work on.
Obviously, this is a major budgetary concern. If you didn’t have laptops to begin with, suddenly acquiring an army of them is a daunting undertaking. However, it’s also definitely a best practice. Having separate computers for work and for personal use is a major step toward ensuring data security. It alleviates the problem of conflicting operating systems, program versions and file compatibility. If your IT team sets up the computer, they’ll be able to access it remotely and troubleshoot much more easily. Fundamentally, providing laptops gives you more control, which means you’ll be better able to monitor the security of your remote network.
If providing laptops is truly off the table, there is another option: a Virtual Desktop Infrastructure (VDI). Essentially, VDIs function as remote computers for your team. Users can log in from a variety of devices and access a customized desktop hosted on your organization’s server. VDIs are less expensive than issuing individual computers, and they are similarly easier to manage for your IT team. However, it’s absolutely vital to have a comprehensive cybersecurity plan in place before deploying a VDI. A robust cybersecurity plan should provide a path to enforcing security controls and include: corporate edge security, multi-factor authentication (see below), encrypted connections, access controls and full auditing and reporting.
2. Administer A Virtual Private Network
Home networks are notoriously susceptible to breaches in security. Most hackers just can’t be bothered to sneak into Joe Suburb’s home computer to troll his Prime account. Now that everyone is working from home, however, it’s an increasingly tempting prospect for nefarious users. That’s why Virtual Private Networks (VPNs) are an essential element of data security for any remote work team.
VPNs act as a private tunnel between your employees’ computers and your network. Data is encrypted and hackers are kept at bay. With VPN services under the subscription model, the VPN also shields users from data and IP address tracking. So, your employees’ activities don’t end up fueling big data. No hackers, no corporate spies, no casual snooping by hostile governments. Everybody wins except the bad guys. And especially since costs have come down in recent years, there’s no good reason not to provide a VPN to any remote worker.
3. Set Up Multi-Factor Authentication
Yes, it’s mildly annoying to have to grab your phone and enter a code every time you want to check your bank account or log into the online service you use basically every day. And when the verification code for that one website inevitably ends up in your spam folder, it’s super exasperating. However, multi-factor authentication (MFA) is an increasingly common practice and a really important one to ensure data integrity and network security.
Identity theft happens all the time. It’s a low-risk and high-reward option for tech-savvy criminals. But cyber-attacks aren’t just targeted at individuals — stealing employee credentials is a key means for hackers to go after company data. Regardless of company size, cyber-attacks are a real threat. And setting up MFA for your employees is another simple but effective defense strategy.
4. Transition to Cloud Spaces
So, once you’ve got your VPN and your MFA all squared away, and everyone is accessing the network securely, then you can transition to working in the cloud. More and more services are being offered through cloud-based platforms, and frankly, it makes a lot of sense. It’s better for remote access and better for security (if you’ve ensured your network access is secure). Working in the cloud typically allows for real-time updates, better collaboration and version control, and tighter security. Fewer uploads and downloads mean fewer opportunities for data breaches.
5. Update Training Materials
When everyone was in the office and working on company computers, they were probably better about following procedures. There’s something about sitting in a cubicle that reminds most people to be on their best behavior. But when they’ve been sitting on their couch for six hours and still haven’t changed out of their pajamas? Less likely to be vigilant. Also, if they aren’t using a VPN and MFA — which, seriously, they should be — it’s pretty likely they aren’t super up to date on best security practices. Beyond just the general tendency to get lax when you haven’t left the house in weeks, policies and procedures have likely changed since the last time workers were trained. Do your training materials address how to stay secure while working from home? How frequently are your employees required to review the training? Updating your security training to reflect your company’s new normal should be a top priority. Heck, you could even try to make it fun. (Good luck with that.)
6. Perform Periodic Phishing Exercises
Once you’ve done all of the above and handed your employees the tools for success, then you should probably see if it actually worked. Phishing exercises are especially useful in making sure people aren’t getting lax on their email security. Compromised email resulted in nearly $2 billion in losses in 2019, and that was before everyone was stuck at home.
You may not want to discourage Troy in Finance from sending those daily cat videos — they boost morale, after all! — but you do want to make sure nobody clicks on random cat-related links that aren’t coming from Troy. In phishing exercises we’ve run in the past, we discovered that when people are cc’d on an email with several familiar names, even if the sender is unfamiliar, they are more likely to click on a suspicious link. If people do well avoiding a basic phishing trial, send a phishing email to 5-10 people on the same thread. These kinds of exercises are helpful reminders and educational opportunities that can go a long way to prevent disaster.
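The pattern described above (an unfamiliar sender on a thread full of familiar names) can also be flagged on the inbound side, for example to add a warning banner. The sketch below is an added example, not from the original article; the domain example.com, the known-sender list, the threshold of three and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed values for this sketch; replace with your own directory data.
INTERNAL_DOMAIN = "example.com"
KNOWN_EXTERNAL_SENDERS = {"billing@vendor.example"}  # prior correspondents
MIN_FAMILIAR_RECIPIENTS = 3  # what counts as "several familiar names"


def domain_of(address):
    return address.rpartition("@")[2].lower()


def familiar_cc_risk(raw_message):
    """Flag mail from an unfamiliar sender addressed to several colleagues."""
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    sender = senders[0][1].lower() if senders else ""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    # De-duplicate so one colleague listed in both To and Cc counts once.
    internal = {a.lower() for _, a in recipients
                if domain_of(a) == INTERNAL_DOMAIN}
    # A missing or unparseable From header is treated as unfamiliar.
    unfamiliar = (domain_of(sender) != INTERNAL_DOMAIN
                  and sender not in KNOWN_EXTERNAL_SENDERS)
    return {
        "sender": sender,
        "unfamiliar_sender": unfamiliar,
        "internal_recipients": len(internal),
        "flag": unfamiliar and len(internal) >= MIN_FAMILIAR_RECIPIENTS,
    }


def make_message(sender, to, cc=""):
    """Build a constructed sample message (not real mail)."""
    return (f"From: {sender}\nTo: {to}\nCc: {cc}\n"
            "Subject: Re: today's cat video\n\nhttp://link.invalid/cats\n")


COLLEAGUES = "karen@example.com, troy@example.com, diego@example.com"
SAMPLES = {
    "unknown sender, familiar thread": make_message(
        "Cat Clips <clips@unknown.example>", "jared@example.com", COLLEAGUES),
    "colleague, familiar thread": make_message(
        "troy@example.com", "jared@example.com", COLLEAGUES),
    "unknown sender, one recipient": make_message(
        "clips@unknown.example", "jared@example.com"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", familiar_cc_risk(raw))
```

The From header is read as-is, so a check like this belongs after sender authentication (SPF, DKIM, DMARC) in the mail pipeline, where a forged internal address has already been rejected.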
7. Quarterly Check-Ins
Finally, it’s always a good idea to check in with your end users. Identify a small group (5-7) of technologically savvy individuals who aren’t necessarily part of your IT or administrative team. Remember Diego in Purchasing who is stellar at Excel? Ask him. Aliyah in Marketing who’s great at Photoshop? Ask her. Maybe don’t ask Bernice in Legal since she calls the help desk twice a week.
Once you’ve assembled a team, in a brief, 30-minute discussion, check in with them about any sorts of unusual or frustrating experiences they may have had this quarter. Their outside perspective can provide your IT team with really valuable insights. They very well might identify security gaps or opportunities for streamlining your processes that admins have overlooked. Feedback from those who are using the tools, rather than those who are building them, will always help improve the end result.