(The following is an excerpt from a recently published piece on Salestechstar.com.)
Many organizations had to quickly adapt to a work-from-home model as a result of the COVID-19 pandemic. Even though some employers are beginning to lay plans for a return to the office, it is undeniable that working remotely is here to stay. Also here to stay are the bad actors and scammers who will continue to take advantage of the new infiltration points presented by home networks. The following tips may help you mitigate the risks that come with a remote work setup.

1. Security Training, Training and More Training
Employees are a leading entry point for a cyberattack, so arm them with the tools to identify, prevent, and respond to attacks or accidents. Whether your business is remote or on-site, it is always a good idea to refresh your security awareness training. The training should cover the threats to look out for, such as phishing, smishing, whaling, and other social engineering attacks. It should also include corporate guidance on what is considered acceptable use of company assets, tips on good security hygiene, and instructions on how to report incidents. Finally, it should empower employees to be diligent and cautious as they navigate their new work environment.

2. Test Your Incident Response Plan
Dust off your incident response plan and test it against a realistic scenario, such as the theft of a laptop or a successful phishing lure. Empower your employees to report incidents without fear of repercussions, and communicate that you support them.

3. Mobile Device Management (MDM)
MDM tools are a good investment: they allow you to centrally manage a variety of security measures on your company-owned mobile devices. Examples of these measures are screen lockouts, blocking the installation of non-approved software, remote wiping, and disabling USB drives. You don't necessarily need to turn on every bell and whistle, but it isn't a bad idea. If you are not yet ready to invest in an MDM solution, then address data loss risks with both an Acceptable Use Policy and with training.

4. BYOD and BYO-SW Policies
If you do not offer corporate laptops and employees can access your network with their own devices, then you will need a Bring Your Own Device (BYOD) Policy. Your employees must formally acknowledge that they will adhere to this policy. Its contents should align with your risk landscape. For example, if you are in a high-risk industry or serve one, you may require that a specific antivirus/anti-malware solution be installed on the employee's device. You could also include clauses stating that no other individuals in the household may use the computer, that it is locked in a cabinet or room when not in use, and that it is backed up on a set schedule.
You may also want to adopt a Bring Your Own Software (BYO-SW) Policy. This is especially useful in the startup world, or for organizations that use third-party contractors. Depending on the risks you have identified, you may want to discourage (or disallow) the use of applications or tools that are not centrally managed or approved.

5. IT 'Hygiene' at Home
Offering your remote staff the tools, guidance, and solutions to secure their home networks will pay off. Plenty of tips are available on the internet. Here at Strike Graph, we encourage all employees to disable automatic network connections on their home Wi-Fi networks, and to use WPA3 if their devices are compatible, or "WPA2/WPA3 Transitional" if they have both older and newer devices at home. Consider what would be reasonable for your employees and communicate it via training, a newsletter, a company-wide guidance email, or all three.

6. Revisit Logical Access Policy and Procedures
Another policy to dust off is your Logical Access or User Access Policy. Review it through the lens of a remote workforce to assess whether it needs revision. Ensure that it covers the concept of least privilege (users have only the access they require and no more), that passwords are never shared, and that privileged access is restricted. Then perform a user access review on all critical (and even not-so-critical) assets. Ensure that there are no shared accounts and that the level of access is appropriate for each user.
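The user access review described above can be scripted against an account export from each critical asset. The following is an added example, not code from Strike Graph or from the Salestechstar.com piece; the logins, roles, groups and the role-to-groups baseline are constructed values for illustration. It flags the three conditions the policy calls for: shared accounts, access beyond what a role's baseline requires (least privilege), and privileged groups held by anyone outside a named allowlist.

```python
"""User access review over a constructed account export.

Added example, not code from Strike Graph or Salestechstar.com. Roles,
groups, logins and the allowlist are assumed values for illustration.
"""

# Constructed export for one critical asset: the login, the role of the
# person it belongs to, who actually uses it, and the access groups granted.
ACCOUNTS = [
    {"login": "alice",      "role": "finance",     "used_by": ["alice"],
     "groups": {"finance-ro", "finance-rw"}},
    {"login": "bob",        "role": "engineering", "used_by": ["bob"],
     "groups": {"eng-repo", "prod-admin"}},
    {"login": "dave",       "role": "sre",         "used_by": ["dave"],
     "groups": {"eng-repo", "prod-admin"}},
    {"login": "shared-fin", "role": "finance",     "used_by": ["erin", "frank", "grace"],
     "groups": {"finance-rw"}},
    {"login": "carol",      "role": "engineering", "used_by": ["carol"],
     "groups": {"eng-repo", "finance-rw"}},
]

# Least-privilege baseline (assumed): the groups each role needs and no more.
ROLE_BASELINE = {
    "finance":     {"finance-ro", "finance-rw"},
    "engineering": {"eng-repo"},
    "sre":         {"eng-repo", "prod-admin"},
}

# Groups that grant privileged access, and the named people approved to hold
# them (assumed). Privileged access is restricted to individuals, not roles.
PRIVILEGED_GROUPS = {"prod-admin"}
PRIVILEGED_ALLOWLIST = {"dave"}


def review_access(accounts, baseline=ROLE_BASELINE, privileged=PRIVILEGED_GROUPS,
                  allowlist=PRIVILEGED_ALLOWLIST):
    """Return a list of (login, finding, detail) tuples for follow-up."""
    findings = []
    for acct in accounts:
        login = acct["login"]
        # 1. Shared accounts: one login used by several people breaks accountability.
        if len(acct["used_by"]) > 1:
            findings.append((login, "shared-account",
                             "used by " + ", ".join(acct["used_by"])))
        # 2. Least privilege: any group outside the role's baseline needs justification.
        #    An unknown role has an empty baseline, so every group it holds is flagged.
        excess = acct["groups"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((login, "beyond-baseline", ", ".join(sorted(excess))))
        # 3. Privileged groups may only be held by named, approved individuals.
        held = acct["groups"] & privileged
        unapproved = [p for p in acct["used_by"] if p not in allowlist]
        if held and unapproved:
            findings.append((login, "unapproved-privilege",
                             ", ".join(sorted(held)) + " held by " + ", ".join(unapproved)))
    return findings


def summarize(findings):
    """Count findings per category for the review report."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCOUNTS)
    for login, kind, detail in results:
        print(f"{login:12} {kind:22} {detail}")
    print(summarize(results))
```

On the constructed export this reports four findings: the shared finance login, carol's finance-rw group outside the engineering baseline, and two for bob, whose prod-admin group is both outside his role's baseline and not on the allowlist. Each finding is a line item for the asset owner to either remove or document as an approved exception, which is the paper trail a least-privilege review should leave behind.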
If you have not already, increase the minimum password length to 10 or 12 characters everywhere you can. The current advice from the Federal Trade Commission and from Microsoft (to name a few) is that passwords should be long rather than frequently changed; requiring people to change their password too often leads to the sticky note under the keyboard. If you can enable MFA, do so. Encourage passphrases rather than passwords. Include any new advice in your security training.

7. Antivirus/Anti-malware Tools
Whether or not you can centrally manage it, activate an antivirus/anti-malware solution on all devices that can access your network. Because an infection on an end-user device can lead to an infiltration of your network, consider requiring its installation on employee-owned devices in your BYOD Policy.

8. Segment Your Network
Only provide access to the areas of your network that are necessary based on risk profile and user need-to-know. Your finance team does not need to access the same areas of your network as your engineering team. Know where the sensitive data and processes live, and secure them more stringently than other areas. When a remote user logs in, they should only be able to see and access what they need to do their job. This limits the damage a bad actor could inflict if they were to get into your network.

9. Secure Your Communications
Depending on your risk profile, consider implementing a VPN or even a secure messaging app. Note that some commonly used solutions, like O365, already offer a layer of encryption and may be sufficient for your risk profile. Before spending more money, determine whether the tools you currently use are sufficient to address your risks.