Many companies have now completed the transition to working remotely. With this come security threats. While remote work offers many benefits to companies, it presents special security challenges that are not an issue in traditional office environments.
Consider the consequences of working from home in terms of systems access, access to internal IT infrastructure, bandwidth costs, and data repatriation. Simply put, when your employee accesses your data and/or databases remotely, the risks that face your data increase.
In an office environment the risk is only between the server, internal network and end-user machine. External working adds public internet, local networks and consumer-grade security systems to the risk mix.
Here are a few tips to help minimise these risks:
1. Educate Employees About Basic Security
Employees working from home must be taught about basic security: beware of phishing emails, avoid use of public Wi-Fi, ensure their home Wi-Fi routers are sufficiently secure, and ensure that the security of their work devices is sufficient.
Employees should be reminded to avoid clicking links in emails from people they do not know. Application installs should be restricted to genuine app stores only, even on personal devices.
If the company has an emergency response team in place, employees should be informed about who to contact and the procedures involved in the event they notice a security anomaly.
2. Expect Threats
The simplest practice for securing remote access is to accept that threats exist. This can be a difficult mindset to get used to - especially for organisations that have high-quality security on premises. The reality is that exposures almost certainly exist within the infrastructure and in the applications that employees use to work remotely. IT teams should assume that the risks are present, even if they cannot see them yet.
3. Create and Enforce a Remote Work Security Policy
Setting clear rules to govern how employees work remotely is another basic step toward managing security threats. Companies should develop remote work policies that specify items such as:
Protocol is essential for alleviating security risks associated with remote access systems.
4. Encrypt Sensitive Data
Data encryption is essential from a security standpoint. It is even more critical when employees work remotely, due to the risk that devices could be lost or stolen outside of a corporate setting.
Ensure that all data exchanged between company-owned systems and remote work locations is encrypted in transit over networks. A simple way to do this is to require employees to connect to remote systems using VPNs, which provide built-in encryption.
5. Designate and Secure Remote Work Devices
Ideally, employees should use work-specific devices provided by the organisation when working remotely. Such devices should be managed by the IT team to ensure that they are properly updated and do not contain any unnecessary software or data that could pose a security risk.
6. Implement User Authentication
When accessing company resources remotely, employees should be subject to strict access control, including multifactor authentication. Although it may be tempting to make resources like file servers accessible to anyone in order to simplify access, this is a major security risk.
A best practice is to adopt the principle of “least privilege”, which means that access for all users should be blocked by default and enabled only for the specific accounts that require it. This requires configuration but is well worth the added security benefits.
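The default-deny rule and the multifactor requirement described above can be expressed as a small access check, shown here as an added example that is not part of the original article. The share names, account names and the `"*"` ("anyone") convention are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample ACLs for a hypothetical file server (names are made up).
# "*" stands for "anyone", the shortcut the text warns against.
WEAK_ACL = {"finance": {"*": "rw"}, "hr": {"alice": "rw", "*": "r"}}
HARDENED_ACL = {"finance": {"bob": "rw", "carol": "r"}, "hr": {"alice": "rw"}}


@dataclass(frozen=True)
class Request:
    user: str
    share: str
    mode: str         # "r" or "w"
    mfa_passed: bool  # outcome of the second-factor check (assumed to come from the identity provider)


def wildcard_grants(acl):
    """Audit helper: list (share, rights) pairs that are open to anyone."""
    return sorted((share, entries["*"]) for share, entries in acl.items() if "*" in entries)


def authorize(req, acl):
    """Default-deny decision; returns (allowed, reason)."""
    if not req.mfa_passed:
        return False, "mfa-required"
    # Only an entry for this exact account counts; "*" is deliberately never consulted.
    rights = acl.get(req.share, {}).get(req.user)
    if rights is None:
        return False, "no-explicit-grant"
    if req.mode not in ("r", "w") or req.mode not in rights:
        return False, "mode-not-granted"
    return True, "explicit-grant"


if __name__ == "__main__":
    print("open to anyone:", wildcard_grants(WEAK_ACL))
    for r in (Request("carol", "finance", "r", True),
              Request("carol", "finance", "w", True),
              Request("mallory", "finance", "r", True),
              Request("bob", "finance", "w", False)):
        print(r.user, r.share, r.mode, authorize(r, HARDENED_ACL))
```

Running `wildcard_grants` over an exported ACL is a quick way to find the shares that still need explicit per-account grants before default deny is enforced.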
7. Set up a VPN
VPNs allow remote access to resources that would otherwise be inaccessible from offsite locations, while also encrypting connections and providing some access control for corporate networks.
Setting up a VPN and requiring all remote connections to pass through it is a basic best practice for keeping resources secure when employees work remotely. That said, it’s important to note that a VPN is not the only security measure a company should invest in. Whilst it lessens the risks of some types of attacks, such as data sniffing, it does little to protect against threats like phishing and can contain its own set of vulnerabilities exploitable by attackers.
Think of a VPN as one layer of defence for remote-access security, but not a complete solution.
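Requiring all remote connections to pass through the VPN is only useful if exceptions are noticed. The following added example (not from the original article) reviews login records and reports any whose source address is outside the VPN pool or office LAN; the address ranges and the log format are assumptions, and the sample lines are constructed.

```python
import ipaddress

# Assumed address plan (placeholder ranges, not taken from the article).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
OFFICE_LAN = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample records in an assumed format: "timestamp user source_ip service"
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice 10.8.0.14 fileserver
2024-05-01T08:05:40Z bob 203.0.113.25 fileserver
2024-05-01T08:09:03Z carol 192.168.10.7 intranet
not-a-valid-line
2024-05-01T08:11:57Z dave 198.51.100.9 intranet
"""


def off_vpn_logins(log_text):
    """Return (findings, rejected): logins from outside the VPN/office ranges,
    and lines that could not be parsed (kept so they are reviewed, not silently dropped)."""
    findings, rejected = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, user, src, service = line.split()
            addr = ipaddress.ip_address(src)
        except ValueError:
            # Wrong field count or malformed IP address.
            rejected.append(line)
            continue
        if addr not in VPN_POOL and addr not in OFFICE_LAN:
            findings.append((ts, user, src, service))
    return findings, rejected


if __name__ == "__main__":
    findings, rejected = off_vpn_logins(SAMPLE_LOG)
    for ts, user, src, service in findings:
        print(f"{ts} {user} reached {service} from {src} (not via VPN)")
    print("unparsed lines:", rejected)
```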
8. Protect Sensitive Data
Always secure sensitive data via both encryption and access control. When employees work remotely, it becomes critical to make sure that they handle sensitive data correctly.
Establish policies on whether and how employees can copy data onto remote devices in order to avoid scenarios where, for example, an employee copies customers’ personal data to a drive which later goes missing, leading to the potential exposure of sensitive information.
9. Use External Security Tools
Remote-access scenarios require well-thought-out integration with third-party tools. Ensure the chosen security tools are able to address threats as quickly as possible. Choosing tools that automate security is important for keeping risks manageable without an over-reliance on manual processes.