Since the onset of the COVID-19 pandemic, malicious cyber activity has skyrocketed. Bad actors are trying to exploit remote workers, whose home setups usually have weaker cybersecurity than their corporate networks.
And the problem won’t be going away anytime soon. In a recent KPMG survey, 77% of CEOs said they plan to expand digital communication and collaboration going forward.
If your organization has an at-home workforce, it’s time to double-check your policies and practices for cybersecurity for remote workers.
To aid in that effort, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently published a Telework Essential Toolkit. We’d like to highlight some of the most important actions to take to safeguard remote workers against cyber attacks.
1. Define Strong Cybersecurity Policies for Remote Workers
Like so many best practices, good cybersecurity for remote workers starts with executive leadership. The C-suite needs to endorse meaningful cybersecurity policies — and put teeth into the consequences of violations.
Such policies should cover topics like:
- Network access requirements (VPN, strong passwords, two-factor authentication, etc.)
- Applications, including patches (business software, endpoint security tools, SIEM, etc.)
- Use of public Wi-Fi (generally should not be allowed)
- Restricting use of company resources to employees only (no sharing devices with family members)
- Physical access to devices (requiring automatic screen locks, forbidding use of unknown USB drives and public USB charging stations, prohibiting leaving devices unattended, etc.)
- Data use and back-up (forbidding the sharing of company data outside of authorized workspaces)
- Recognizing scams (phishing emails, callers requesting sensitive information, etc.)
These policies should be clear on the personal liability a worker would face for violations. Potential damages could be significant, so management should make sure remote workers clearly understand their obligations and risks.
In addition, vendors should be contractually obligated to adhere to the same cybersecurity standards and policies as employees.
2. Provide Cybersecurity Training for Remote Workers
Policies can fade in the minds of workers, so it’s important to reinforce them with practical training. (And that means periodic refreshers as well as upfront training.)
Cybersecurity training is especially important to help workers avoid attacks that exploit human error, like phishing emails that manage to get through security software filters.
According to a Verizon report, 32% of data breaches last year involved phishing, making it the #1 breach threat. The report also notes that phishing was a factor in 78% of cyber-espionage incidents (including industrial espionage).
Workers should be reminded regularly how to recognize (and what to do with) any email that contains links, attachments, or requests for personal data, no matter who or what organization the email appears to be from.
- Don’t react to threats (e.g., “Your account will be suspended without immediate action”).
- Be skeptical of too-good-to-be-true promises (e.g., “Claim your $500 Walmart gift card”).
- Don’t assume a company logo means an email is legitimate (it’s simple for phishers to simulate actual company emails).
- Hover your mouse over the sender’s displayed email address to see the actual underlying address.
- Look carefully at the address domains of suspect emails. Even if they include legitimate company names, look for things that aren’t quite right (e.g., [email protected]).
- Look for awkwardly phrased or grammatically incorrect subject lines and messages.
- Hover your mouse over any links to see the underlying URLs (and if there are any doubts at all, DO NOT CLICK).
- Never download (or click links in) email attachments unless you are 100% sure they are from a legitimate, trusted source.
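The "hover" checks in the list above can also be automated at the mail gateway or in a reporting tool. The following Python sketch is an added example, not part of the CISA toolkit or the original article; the trusted-domain list, the sample message, and the names `triage`, `trusted` and `Links` are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example.com"}  # assumption: domains the company really sends from

SAMPLE = '''\
From: "helpdesk@example.com" <notice@example-support.test>
Subject: Your account will be suspended without immediate action
Content-Type: text/html; charset="utf-8"

<p>Sign in: <a href="http://login.example-support.test/r">https://www.example.com/reset</a></p>
'''  # constructed sample message, not real mail

class Links(HTMLParser):  # collects [href, visible text] for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data.strip()

def trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return findings for the sender and link checks in the list above."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    shown, real = sender.display_name, sender.domain.lower()
    findings = []
    if not trusted(real):
        findings.append(f"sender domain {real} is not trusted")
    # Displayed address vs. the actual underlying address
    if (m := re.search(r"@([\w.-]+)", shown)) and m.group(1).lower() != real:
        findings.append(f"display name shows {m.group(1)}, real sender is {real}")
    parser = Links()
    parser.feed(msg.get_content())
    for href, text in parser.links:
        target = urlparse(href).hostname
        claimed = urlparse(text).hostname if "://" in text else None
        if claimed and claimed != target:  # visible URL vs. underlying URL
            findings.append(f"link text shows {claimed}, target is {target}")
    return findings
```

Running `triage(SAMPLE)` returns three findings: an untrusted sender domain, a display name that shows a different address than the real one, and a link whose visible URL differs from its target.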
Of course policies and training are not enough on their own. IT/security teams should also take concrete technical steps to maximize cybersecurity for remote workers.
Following are some of the most important technical actions to take.
3. Restrict Use of Company Resources/Devices
To conduct business remotely, workers should use only company-approved devices, including laptops and phones. Allowing non-employees (like family members) to use such devices should be strictly prohibited.
With company-approved devices for work-from-home (WFH) employees, IT teams can manage what applications, network tools, and security measures are installed. And of course that includes the enterprise’s standard antivirus and anti-spam software.
Limiting use of devices to WFH workers also means controlled software updates, which are essential for optimal cybersecurity. To state the obvious: software updates patch OS and application vulnerabilities, and plug security holes.
4. Ensure Remote Network Access is Secure
Company-issued devices also make it easier to set up and support virtual private networks (VPNs) for the WFH workforce. A VPN creates a secure, encrypted, dedicated path between the home and enterprise networks. It’s especially important for encrypting data. And it simplifies device monitoring as well.
IT teams should also assist work-from-home employees with securing their local networks. That may include setting up or reconfiguring internet modems, wireless routers, and/or firewalls.
Even more important, two-factor (2FA) or multi-factor authentication should be required. If 2FA is not available, strong passwords should be required for remote workers to access anything and everything: laptops, VPN, email, Wi-Fi.
5. Segment Remote Workers
Remote access to the corporate network should be limited only to what each employee needs. Remote workers should not be able to access any data that is not essential to their jobs.
The same applies to third-party contractors. (See our blog on lessons from the Target data breach.)
And your most valuable enterprise data should not be accessible remotely at all.
Segmenting remote workers can be managed through VPNs. Proper segmentation ensures that even if a home network or remote device is compromised, the damage the attacker can do will be limited.
6. Install Endpoint Security Software on Remote Devices
For maximum security, install Host Intrusion Detection (HID) or Host Intrusion Prevention (HIP) software on remote laptops. These applications analyze traffic and log anomalous behaviors — like exfiltration of large data files — for potential malicious activity.
Plus, HID/HIP software works hand-in-hand with Security Information and Event Management (SIEM) systems. By integrating these tools, security teams can monitor remote laptops, investigate potential attacks, and determine false positives/negatives.
A SIEM by itself won’t stop attacks, but it will aggregate data and correlate events to help analysts understand what’s happening, so the security/IT team can take appropriate corrective action.
7. Patch Often
It’s more challenging to update and patch remote devices than machines on the corporate network. IT teams deploy most patches overnight, but that’s not possible for remote devices, since they aren’t on the network 24/7.
Of course patches can be deployed during the day. But IT teams are (understandably) reluctant to do that with remote workers, since they don’t want to disrupt productivity.
Yet that makes it even more important to find the time for patches. Ignoring or postponing them will open the remote worker — and the home network — to greater cyber risk.
To schedule frequent patches for remote workers, use natural downtimes during the day, like lunchtime. Or run the patches immediately after normal working hours — say at 6:00 p.m. That will bolster cybersecurity for remote workers, with minimal inconvenience.
8. Encrypt Sensitive Email Data
By default, emails are sent in clear text. But labels can mark emails with different levels of sensitivity. So consider policies and procedures that require remote workers to label their emails, based on the data they include.
If nothing else, remote workers should label emails that contain the most sensitive data (internal analyses, plans, cost/price information, etc.). With a “most sensitive” marker, those emails can be automatically encrypted.
Not all email traffic should be encrypted, of course, as that would add processing overhead and reduce speed.
To Learn More…
There are many other ways to improve cybersecurity for remote workers — and reduce cyber risk for your entire organization.