Is your organization prepared to work from home due to the pandemic? Not just prepared for the change, but structurally prepared? Is your network designed to protect against the risks?
For offices around the world, the possibility of having to send employees home indefinitely as the virus spreads is becoming very real. If your organization hasn’t needed work-from-home policies in place before now, it’s time to start building them. Here are some considerations to ensure your technology & security are ready for the cyber risks that your network becomes exposed to when employees work from home.
In recent weeks, precautions have been published by national health authorities in response to the Coronavirus (COVID-19) outbreak, as the World Health Organization declared the virus an international public health emergency on January 31, 2020. The virus, a flu-like illness with a higher R0 score, has recently made its way to the U.S. and Europe. This has caused a surge in organizations that are examining the risks involved with allowing employees to work from home.
Big corporations like Facebook and Microsoft are seeing the outbreak’s effects first and were some of the first to send employees out to work from home—closing down entire office locations in some areas to try and prevent the spread of the virus. But for smaller organizations and those that haven’t incorporated remote working before now, haphazardly trying to have all employees work from home is a serious security risk.
As CDC professionals work to get a handle on this human virus, Infogressive has spent more than a decade combating the types of computer viruses that will undoubtedly affect knowledge workers during the coming influx of work-from-home.
What are the cybersecurity risks of working from home?
- Home devices — more likely to already be infected with malware, viruses, keyloggers, or trojans.
- Unsecured wireless networks
- Exposing sensitive corporate data
- Wider attack surface for attackers
Preparing for the wave of “Work from Home”
A great first step is to think about (and protect) the endpoint from which the employee will be working.
Is it a laptop that belongs to your organization? Great! It should already be subject to your organization’s cyber protections, including security software, rules regarding local admin access, web filtering, and application control. If you don’t have those protections in place, this is where you need to start.
For endpoint security, we recommend focusing on implementing three key security solutions: Malware Prevention to stop computer viruses and malware threats, full-disk encryption to protect data in the case of lost or stolen devices, and Endpoint Detection & Response (EDR) to monitor for cyberattack activities on the endpoint device. In addition, we also recommend the following security configuration best practices:
- Multi-factor Authentication (MFA) on important accounts, especially your remote VPN
MFA is becoming more critical as organizations grow more digitally connected. Enabling MFA on user accounts, most-used online solutions, and other business tool accounts can ensure that a “hacked” password or a lucky guess isn’t the only layer of defense that stands between your accounts and a “bad guy” on the other end.
- Principle of Least Privilege
This is a good standard security strategy for your business network that would also provide a layer of protection when users are working at home. The idea is that access should be limited to only what is necessary. The majority of employees should not have admin access over their devices and accounts unless absolutely necessary. This also goes for access to specific areas within your corporate network, like critical servers or sensitive data. Additionally, it’s a good practice for admin users to work out of their standard accounts when working on a device or accessing the network from home.
If you’re not able to provide your employees with laptops or workstations they can take home, then you’ll need to make sure you have some way to protect their personal devices with standards similar to those of your corporate environment. This is vital, because there is a very real chance that some of your employees’ home devices may already be compromised. The majority of home users, despite expressing security concerns, fail to follow cybersecurity best practices in their digital lives outside of work. In addition, many home laptop and desktop computers remain unprotected from malware and computer viruses, with one estimate showing that about 1/3 of computers worldwide become infected with malware (750 million in 2018).
Consider making your company’s security software available for your employees to install on their home systems, with emphasis on your Malware Prevention or AV. While this incurs some additional cost and administrative overhead, it may protect you from an easily-exploited attack vector. For added visibility into endpoint activity and security, consider adding an Endpoint Detection & Response (EDR) solution to alert on abnormal device behavior and signs of malicious attack activity.
Be aware that having your teams work from home using personal computers can introduce security risk factors that are out of your control—by allowing personal device use for company work, you are accepting that risk.
How will you be providing access? Here are some factors to think about:
- Will you be using a remote desktop solution?
- Are you going to allow direct connectivity to your corporate servers from remote employees?
- Do most of your employees only require connectivity to a few cloud-based applications?
Your answers to these questions will dictate what sort of protections you need to put in place and what regulations to implement on the connectivity between your remote users and your internal infrastructure.
Ideally, you’ll want to put as many of the same protections in place for remote workers as you have for in-office workers. Make sure you’re scanning and logging all possible sessions including VPN (Virtual Private Network) and RDP (Remote Desktop Protocol) logins, web traffic, SMB (Server Message Block) protocol access, etc. If your firewall/VPN solution allows it, you should scan and log all sessions between your remote user and your internal systems, as well as restrict traffic to only what is necessary for each remote worker’s job role.
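One way to review the logged sessions described above against what each job role actually needs, as an added example that is not from the original article. The log format, host names, roles and allowlist are constructed for illustration and would be replaced by your own firewall/VPN export and policy.

```python
import csv
import io

# Constructed session records (not real data), as a firewall/VPN might export them.
# Columns: time, user, role, path, protocol, destination, port, mfa
SAMPLE_LOG = """\
2020-03-16T08:02:11Z,alice,accounting,vpn,SMB,fs01,445,yes
2020-03-16T08:05:40Z,bob,helpdesk,vpn,RDP,ws-114,3389,yes
2020-03-16T08:09:03Z,alice,accounting,vpn,RDP,dc01,3389,yes
2020-03-16T08:15:27Z,carol,admin,vpn,RDP,dc01,3389,no
2020-03-16T08:21:55Z,unknown,none,internet,RDP,ws-114,3389,no
"""

FIELDS = ["time", "user", "role", "path", "proto", "dst", "port", "mfa"]

# Hypothetical least-privilege policy: the (protocol, destination) pairs each role needs.
ROLE_POLICY = {
    "accounting": {("SMB", "fs01"), ("HTTPS", "erp01")},
    "helpdesk": {("RDP", "ws-114")},
    "admin": {("RDP", "dc01"), ("SMB", "fs01")},
}
MFA_REQUIRED_ROLES = {"admin"}  # assumption: admin sessions must always show MFA


def audit_sessions(log_text):
    """Return (time, user, reasons) for every session that breaks the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        reasons = []
        # RDP should only ever arrive through the VPN, never straight from the internet.
        if row["port"] == "3389" and row["path"] != "vpn":
            reasons.append("RDP reached directly from the internet")
        # Unknown roles get an empty allowlist, so everything they touch is flagged.
        if (row["proto"], row["dst"]) not in ROLE_POLICY.get(row["role"], set()):
            reasons.append("destination outside role allowlist")
        if row["role"] in MFA_REQUIRED_ROLES and row["mfa"] != "yes":
            reasons.append("admin session without MFA")
        if reasons:
            findings.append((row["time"], row["user"], reasons))
    return findings


if __name__ == "__main__":
    for time, user, reasons in audit_sessions(SAMPLE_LOG):
        print(f"{time} {user}: {'; '.join(reasons)}")
```

Sessions that match the role allowlist produce no output, so the report stays short enough to review daily.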
Whether your users will be working from company devices or whatever they’ve got at home, you want to ensure that you’re protected against data loss and theft as they access and share files across networks. This could mean implementing secure Remote Desktop solutions for users to work from and allowing users to use a corporate VPN to secure their connection when working from public or home wireless networks. If users’ traffic is as protected as possible, the risk of remote connectivity decreases significantly.
If possible, use web content filtering to continue to protect your remote employees from malicious websites and to preserve productivity.
Again, take advantage of two-factor authentication everywhere possible. Specifically, protect your remote VPN, cloud applications, and admin sessions. While a token-based MFA solution like Google Authenticator or FortiToken is best, any secondary authentication, such as SMS or email-based codes, will be better than single-factor logins.
Have a plan for supporting your remote users. Your IT staff will likely need some remote support tools, and they will need to be familiar with them when the time comes, especially if your workforce isn’t used to working remotely. The number of calls to your support desk will increase dramatically, so make sure you’re ready to handle the influx of users struggling with new technologies for the first time.
An organization with a well-designed security policy and disaster recovery plan may find they already have a lot of these solutions in place. Working from home need not be any less secure than your office environment – just be sure to do some planning, set up some policies, and put some effective measures in place.
In summary, here are some key Do’s and Don’ts for incorporating remote working into your organization:
Don’t:
- Let your users use their home devices, if possible
- Allow high-level asset access from remote users
- Leave port 3389 (RDP) open and unsecured to the internet
- Allow remote access to any administrative functions without requiring MFA. If possible, secure ALL remote connectivity with MFA.
Do:
- Log all remote access. If possible, log all sessions from VPN users to internal resources
- Use MFA on every platform that supports it
- Provide locked-down, encrypted systems (laptops, desktops or tablets) for your employees’ use
- Keep all remotely accessible systems fully patched and highly redundant
Have some security gaps to close in preparation for employees working from home this spring? Feel free to chat with one of our experts for help getting your plan in place. If additional IT resources are what you need, we partner with Managed Service Providers (MSPs) across the nation that we can recommend. We’re here to help.