With increased remote work due to COVID-19 comes increased cybersecurity risks — work done outside of the company firewalls and networks complicates normal data security and IT controls, increasing the chances of an accidental leak or malicious attack.
To help reduce these risks, here are some data protection best practices to consider.
1. Ensure VPN setup in remote work environments.
Protective cybersecurity protocols may be in place in your office space, but that’s often far from the case at home. If your company is not using a VPN (virtual private network) with your work-from-home employees, your data is especially vulnerable to cyberattack.
VPNs act as private tunnels for information to be sent back and forth over the internet between remote workers’ devices and your central network. The connection is private, and the data is encapsulated and encrypted.
“Invest in a business-class VPN firewall or stand-alone, on-premise VPN server,” says Kris Nicolaou, founder and digital strategist at Brain Box Labs, a web applications company.
“A commercial VPN isn't sufficient," Nicolaou explains. "Set up a one-to-one, encrypted tunnel between your business’ network resources and remote workers’ devices.”
Also be aware of VPN security risks, advises Aaron Zander, head of IT at HackerOne, a vulnerability coordination and bug bounty platform.
"Ensure the security of your VPN or other remote networking infrastructure,” he says. “Triple check all network configurations, Access Control Lists (ACLs, that is, allowed users) and firewall rules.”
2. Secure your company network.
Maintaining a secure network is vital to keeping remote work sites safe. Here are a few tips for securing your network:
- Limit access: "Only allow employees access to information they’re working on," says Nicolaou.
- Have two-factor authentication: Require two-factor authentication for all remote access paths like VPNs and internet-facing terminal servers. "Even better, control who can access your company network with multi-factor authentication (MFA)," says Dean Coclin at digital security certification company DigiCert.
- Update antivirus software: "Ensure antivirus and anti-malware subscriptions are current and virus definitions are up to date," advises Steve Tcherchian, chief information security officer at XYPRO, a cybersecurity analytics company.
- Use mobile device management programs (MDMs): “In the event of a breach, such programs allow you to disable entire devices or remove corporate information located on the devices," says Steven Teppler of the law firm Mandelbaum Salsburg. He chairs the firm’s Privacy and Cyber Security Practice Group.
- Use a cloud portal: “Centrally manage security software on remote and onsite devices through a cloud portal,” suggests Paul Lipman, CEO of the cybersecurity company BullGuard.
3. Enforce Bring Your Own Device (BYOD) cybersecurity safeguards.
The rapid move to remote work has resulted in many companies finding it necessary to allow employees to use their own devices, including home computers, laptops and cell phones. This creates the need for additional cybersecurity.
“If employees use their own devices, and particularly mobile devices, a VPN alone won't suffice,” says Nicolaou. “Enforce a bring-your-own-device policy that includes mandatory installation of business-provided endpoint security and management software.”
Alternate cybersecurity solutions Nicolaou suggests for the BYOD scenario include using a secure cloud service as a middleman for company data access or investing in a terminal services solution that keeps company data in-house and entirely off user devices.
“To maintain control over employee remote workstations, offer to set up employee home networks. In many cases this can be done in a group remote meeting,” says cybersecurity professional Chelsea Brown, CEO and founder of Digital Mom Talk.
“Have employees install company approved antivirus software,” says Brown. "Also require all communications to be encrypted or completed within certain company approved programs.”
Verify that BYOD employees are running current, maintained versions of their computer operating systems, such as macOS Catalina and Windows 10. Older versions are security risks. Also ensure all pending updates have been installed.
Here are some basic cyber hygiene best practices for employees to follow:
- Use strong passwords and effective and reliable password managers.
- Disconnect from the company VPN when not in use.
- Ensure home routers are up-to-date and equipped with WPA2 or higher.
- Don't install new apps without approval from the IT department.
- Securely share online meeting IDs and URLs.
The key is to maintain as much control as possible over your employees' remote worksites. Stress that your requirements regarding home office setups are for the safety of the company and not open for discussion.
4. Consider having employees use company computers.
Even when you have a secure VPN, BYOD can be risky.
“Employees connecting to a company network with an infected device can allow hackers entry into sensitive company files,” says Brown.
Though issuing company-owned computers is a much safer option, doing so still poses risks.
“Employees tend to use business computers for personal use, resulting in hidden trojan viruses,” says Brown. “A device scan won't always clear the device. Certain viruses and malware only activate when connected to a live network.”
Given the cybersecurity risks of employees using company computers, it's suggested that you:
- Have employees sign a Non-Disclosure Agreement (NDA) about their responsibilities for keeping data safe, and consequences for failing to do so.
- Require sign-out of company equipment and adherence to guidelines for keeping the hardware in working order.
- Lock down computers so employees are unable to install programs or applications without IT administrator permission.
5. Educate employees about remote work cybersecurity.
Of course, cybersecurity safeguards are only effective when remote employees understand the risks and preventative measures. Many data breaches start when employees unknowingly click on phishing emails containing fraudulent attachments or links.
“Cybercriminals are engineering schemes to take advantage of fear and uncertainty brought on by COVID-19, such as fraudulent health alerts,” says Teppler. “When employees click on such links or open attachments, your network is exposed to malware, even if your system is protected.”
"Your best line of defense is regular security awareness training for employees and a company culture that encourages reporting suspected fraud," advises Pete Thurston, chief product and solutions officer at RevCult, a cybersecurity partner focusing on security and governance for enterprise companies using Salesforce.
"Hold instructional online meetings with employees about the latest cybersecurity threats," says Thurston. "For instance, show signs of fake emails, which include a mismatch between sender name and email address, typos and poor grammar, calls for urgent action and a non-legitimate website or one containing typos when you hover over the website link."
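As an added illustration of the warning signs Thurston lists (this is not code from the article or from RevCult), the following Python snippet checks constructed sample emails for a sender name/address mismatch, urgent-action wording, and a hover link whose real destination differs from or imitates the company domain; the company domain and both sample messages are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumed company domain for this example
URGENCY_PHRASES = ("urgent", "immediately", "act now", "expires today", "verify your account")

# Constructed sample messages (not from the article). "links" holds the pairs a mail
# client reveals on hover: (text the user sees, URL the link actually points to).
PHISH = {
    "from_header": "IT Helpdesk <helpdesk@example.com>",
    "envelope_from": "alerts@examp1e-support.net",
    "body": "URGENT health alert: your VPN access expires today. Verify your account immediately.",
    "links": [("https://vpn.example.com/login", "https://vpn.examp1e-support.net/login")],
}
LEGIT = {
    "from_header": "IT Helpdesk <helpdesk@example.com>",
    "envelope_from": "helpdesk@example.com",
    "body": "Reminder: the monthly security awareness session is on Thursday at 10am.",
    "links": [("https://intranet.example.com/training", "https://intranet.example.com/training")],
}

def domain_of_address(addr):
    return addr.rsplit("@", 1)[-1].lower()

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def looks_like(host, company_domain):
    """Flag hosts that imitate the company domain through common digit/letter swaps."""
    if host == company_domain or host.endswith("." + company_domain):
        return False  # genuinely under the company domain
    normalized = host.replace("1", "l").replace("0", "o").replace("rn", "m")
    brand = company_domain.split(".")[0]
    return brand in normalized

def phishing_indicators(msg, company_domain=COMPANY_DOMAIN):
    """Return the warning signs from the article that are present in one message."""
    hits = []
    shown = re.search(r"<([^>]+)>", msg["from_header"])
    shown_domain = domain_of_address(shown.group(1)) if shown else None
    if shown_domain and shown_domain != domain_of_address(msg["envelope_from"]):
        hits.append("sender name/address mismatch")
    if any(p in msg["body"].lower() for p in URGENCY_PHRASES):
        hits.append("urgent-action language")
    for visible, href in msg["links"]:
        if host_of(visible) != host_of(href):
            hits.append("link text/href mismatch")
        if looks_like(host_of(href), company_domain):
            hits.append("lookalike domain: " + host_of(href))
    return hits
```

Such a checker is a teaching aid for awareness sessions, not a replacement for a mail gateway; the spelling and grammar signals Thurston mentions still need a human reader.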