Because of the COVID-19 outbreak, many companies are ordering staff to work from home, including some that never even considered it before. That means they have no telecommuting policies in place and are thus unlikely to give due consideration to the increased risks of switching to remote working. We will attempt to close this gap and explain how to minimize the risks.
At first glance, the only change for office workers is the lack of face time with colleagues. But there’s a lot more to it than that. Consider, for example, communication channels, established routines, collaboration tools, equipment, and access to that equipment.
When your employees work in the office on the local network, your security solutions handle all data exchange processes. But having employees working from home throws an extra variable into the equation — in the shape of ISPs. You know nothing about, and have no control over, their security measures. In some cases, home Internet connections are accessible not only to your employee, but also to a potential attacker. In short, it is better not to share corporate secrets over such communication channels.
Solution: If your employees have to connect to corporate resources remotely, be sure to set them up with a reliable VPN to establish a secure channel between their workstation and your infrastructure and protect corporate data from outside interference. At the same time, prohibit connections to corporate resources from external networks without a VPN.
Telecommuters can’t just walk over to a colleague to discuss a work issue, so you can expect an increase in correspondence, including new participants (people with whom communication used to be purely verbal). In short, not having everyone in the office fundamentally alters employees’ routines. In theory, that gives an attacker more room to maneuver, and in particular to use BEC attacks. Amid the swelling sea of corporate correspondence, a small phishing boat, so to speak, will be hard to spot. In other words, a fake message asking for data will not seem as unusual or suspicious as it would in normal circumstances. What’s more, the more relaxing home environment is likely to make many people less vigilant.
Solution: First, even though they’re at home, all employees should use only work e-mail. This will at least make it easier to spot a cybercriminal’s attempt to impersonate a worker if they use an account on another domain. Second, make sure that your mail servers are protected by technologies able to detect attempts to change the message sender. Our solutions for both mail servers and Microsoft Office 365 provide such technologies. And third, before sending employees home, give them a crash course in cyberthreats.
Having lost face-to-face contact, employees might resort to other collaboration methods, some of which might not be the most reliable — and they need to be set up right. For example, a Google Docs document with improperly configured access permissions can be indexed by a search engine and become a source of corporate data leakage. The same thing can happen to data in cloud storage. A collaboration environment such as Slack can also spring a leak, and a randomly added outsider could gain access to the entire history of files and messages.
Solution: Naturally, it is in your interest to choose a collaboration environment that is suitable in terms of security and features. Ideally, registration should require a corporate e-mail address. What’s more, it is worth appointing a dedicated administrator to issue and revoke rights, as necessary. But most important, before allowing employees to work from home, hold an awareness session (it can be a remote one) and insist that they use only the collaboration system deployed in your company (or approved by you). It will also help to reiterate that they are responsible for keeping corporate secrets safe.
Generally speaking, not all employees have access to corporate laptops. And mobile phones are not suitable for all tasks. Therefore, employees might start using their home computers. For companies with no BYOD policy, this can pose a serious threat.
Solution: First, if employees have to work from home, provide them with corporate laptops and phones if possible. It should go without saying that the devices must be protected by appropriate security solutions. Moreover, those solutions should provide the ability to remotely wipe corporate information, keep personal and corporate data separate, and place restrictions on the installation of applications. Set them up to check for the latest critical software and OS updates automatically as well.
If for some reason employees have to use personal devices, it’s time to introduce a BYOD policy for managing corporate data on those devices — for example, by creating separate partitions for business and personal data. Furthermore, insist that all employees install home antivirus software, even if only a free solution. Ideally, you should allow such devices to connect to corporate networks only after ensuring that a security solution is installed and the operating system is up to date.
Access to equipment
You can never be sure where and with whom your employees live. You don’t know, for example, who might see their work screen when they’ve gone for a cup of tea. It’s one thing for employees to work in a home where they are essentially alone during the day, but another thing entirely if they decide to go to a café or coworking space, where the risks of leakage or compromise are far greater.
Solution: You can address most of these issues through security policies, which must stipulate the use of a password and automatic screen locking. And as with other cybersecurity issues particular to telecommuting, awareness training should help maintain overall vigilance.
Our experts are planning to hold a webinar on secure teleworking on March 18. We invite you to join the discussion by registering on BrightTalk.