Oct 28th 2020
How to maintain security when employees work remotely
As a business, you want to do all you can to keep your employees and information safe while working remotely. During the coronavirus pandemic, your business may require your employees to work from home, whether this is for a period of time or indefinitely. While remote working may not be new to your organisation, it is likely that you will have to implement remote policies and procedures on a much larger scale. That is why it is important that your cyber security strategy is robust.
Home and remote working offers great benefits but carries risks that need to be addressed and managed. When employees work remotely, devices that remain protected within your organisation’s environment open up further cyber risks to your network. Your existing security controls may not provide the same level of protection to your assets remotely. Implementing sufficient cyber security measures and practices will help to reduce the risk caused by employees working remotely.
It is likely that your business already uses cloud and Software as a Service (SaaS) applications to ensure your team can collaborate. When working remotely, you may be required to review your existing software and ensure it is sufficient for a larger number of users. You may have to introduce new software and applications to your business so your employees can remain productive at home. It is important that these applications are configured appropriately to prevent vulnerabilities in your IT infrastructure.
What are the risks that could occur because of remote working?
Working from home, employee behaviour and habits can be subject to change. Your staff may become more relaxed when it comes to security and the caution they apply to your systems and data. You should ensure your team members are clued up on the risks involved in remote working when it comes to cyber security.
Especially in the midst of the coronavirus pandemic, malicious actors are taking advantage of rushed changes to remote corporate infrastructure. Cyber criminals are looking for gaps in security, particularly relating to the end-user, that they can exploit to achieve their objective or goal. There are risks surrounding GDPR and theft of devices if remote work is carried out in the presence of people that are not part of your organisation.
Phishing is a common tactic used by cyber criminals, and one that has occurred a lot during the pandemic. Criminals send emails claiming to be official organisations, enticing you to click on a link to a website that could negatively affect your device and the data it stores. These scams are taking advantage of people’s concerns and can be avoided with the right guidance to spot phishing attacks.
5 ways to maintain cyber security while working remotely:
1. Develop a remote working policy
Developing a remote working policy will ensure your employees understand your organisation’s expectations. The remote policy should cover Bring Your Own Device (BYOD), how to remotely access the network safely, passwords and authentication, removable media and encryption, and any other requirements relevant to your business.
You may want to support the remote working policy with guidance on the cyber security risks involved and how to mitigate them. Your cyber security policy should include the type of information that can be accessed on devices and the security controls set up on the device. Policies will help to maintain consistent processes across your organisation so you can manage your remote workers and security measures effectively.
2. Provide remote security training
Remote employees may be required to use devices and software they are unfamiliar with. Your employees should undertake appropriate training for the devices and software they are using to work remotely. While you may have had to switch to remote working with little preparation, conducting training sessions and sharing resources will ensure the transition is successful.
You could produce a series of ‘How to’ guides or demonstration videos to support employees’ remote setup. They can read these resources at any point they need help to ensure they can instantly access the appropriate advice. You could demonstrate how to access the devices and networks remotely, which data can and cannot be stored on devices, where to store data and how to secure it properly.
3. Ensure the use of multi-factor authentication
Implement multi-factor authentication across all of your services to provide an added layer of security for all users. If a device is lost or stolen, or a password is compromised, multi-factor authentication will help to prevent malicious actors from gaining access to sensitive data as they have to provide a second factor of authentication.
There are many types of multi-factor authentication you can implement on your accounts. This can include a strong password, code, combination or code word. You could also use a physical item such as a key, fob or token. The NCSC provides comprehensive guidance for implementing multi-factor authentication across all accounts.
4. Limit data access and implement encryption
Limiting user access will restrict users from accessing sensitive data stored on your networks and devices. You should only provide employees with the permissions they need to carry out their role to ensure the security of your information. For employees using administrative or high-privilege accounts, you should regularly review these users to ensure access is only granted to those who need it. You want to limit data access as much as possible so there is limited exposure if a malicious actor compromises a user.
Encrypting information stored on all devices will protect data should the device be lost or stolen. You should review all devices used for work purposes as encryption will need to be turned on and appropriately configured. You should use a Virtual Private Network (VPN) which allows remote employees to securely access your IT resources. VPNs ensure your users are authenticated before accessing the network and encrypts any data moving between the user and your network.
5. Develop reporting procedures and culture
Your employees should be able to report their security concerns immediately. While you may have reporting procedures in place, you should consider whether your employees feel comfortable to voice their issues. Creating a positive security culture will ensure your employees feel safe to raise their concerns about bad security practice and incidents, without fear of repercussion. You want to ensure there is sufficient communication to identify vulnerabilities and put measures in place to mitigate risks.
Create reporting procedures to outline how your employees can report security concerns. Detail the steps they need to follow if a device is lost or stolen and who to report it to. Managing these situations as soon as possible may help to reduce the risk to business data.
You should regularly check your cyber security controls with testing and review procedures. This will help you identify any vulnerabilities within your IT assets and help to improve your security posture. Sentrium’s cyber security solutions address your IT security challenges. Our testing and review services provide visibility and understanding of your weaknesses to help you make long-term improvements to your security posture and mitigate risks.