Separate work and personal devices: If possible, staff should not use their work devices for personal use or vice versa. This will prevent cross-contamination of data and reduce the risk in the event of a data breach or the device being compromised by a third party. Companies can restrict this via policies and/or technical measures or reduce the risk by providing the employees with a remote access environment such as Office365 to avoid downloading or syncing files or emails to personal devices.
Physical protection: Employees should make sure they either shut down or lock their work devices when unattended and store them safely when not in use. This includes mobile phones or tablets if they are used to access business-related data such as emails.
Access controls: An important security aspect of remote working is guarding against unauthorised access. To achieve this, enforce the use of strong, unique passwords for all devices and online accounts, and implement MFA (Multi-Factor Authentication) where possible. Encourage staff to use a password manager if your organisation does not provide a single sign-on service.
Corporate VPN: One way to secure data as it moves between your core systems and externally based employees is to deploy a VPN solution. It is imperative to make sure the VPN is fully patched and configured correctly. Additionally, the organisation should ensure they have sufficient licenses, capacity and bandwidth to provide this protection across their employee base. A scalable corporate VPN system such as Cisco ASA can help companies protect their resources across all devices while increasing productivity for staff who have unimpeded access to business data.
Home routers: Home routers should have their default credentials (used to access the router settings) changed to a strong, unique username and password. Furthermore, home workers should ensure the Wi-Fi is password protected and the connection is encrypted using the WPA2 standard. Home routers should also be configured so that no unnecessary ports or services are exposed to the Internet.
Updates/patching: An organisation should ensure it has a means to regularly patch and update all the software, applications, and operating systems used by remote workers. Leaving unpatched software on a system leaves vulnerabilities an attacker could use to compromise the system and, in turn, the network. An up-to-date and supported operating system and firmware are essential for adequate system security and a requirement for certifications such as Cyber Essentials, Cyber Essentials Plus or IASME Governance.
Protection against malware: Protection against malware comes in different forms, and companies often employ a range of measures to protect devices from malware. These can include installing capable security tools, limiting or completely forbidding employees from installing additional applications, application sandboxing, restricting access from unauthorised devices, etc. Switching to a home working environment may make it difficult for an organisation to provide the same level of protection, so having a reliable and up-to-date security solution installed and active is a must. An example of a multi-purpose solution which protects against malware is Cisco Umbrella. The tool unifies firewall, secure web gateway, DNS-layer security, cloud access security broker (CASB), and threat intelligence solutions into a single platform.
Training and cyber awareness: Working from home, particularly during these times, can put us all at risk of being targeted by attackers. It is therefore essential to train employees on best practices and provide them with clear security guidelines, so they understand how to protect themselves and their data. Cybercriminals often use phishing, typically via email, to entice users to share data and login credentials. While IT security measures can help, phishing defence starts with the employees. Employees should be trained to look out for unusual emails with misspelt sender addresses, suspicious-looking links or strange requests.
Encryption: To protect business information, particularly in the event of a device being lost or stolen, organisations should encrypt data at rest. While many modern devices have encryption built in, you should check whether it is turned on and correctly configured. Another way to improve the security posture of your organisation while working from home is to encrypt or otherwise protect sensitive information you send over the Internet (e.g. via email).
Removable media: The use of removable media should be controlled by the organisation to avoid the transfer of unauthorised information, loss of data, spreading of malware, etc. This can be achieved by disabling or restricting removable media, encrypting the data on the device, only allowing the use of company-owned devices, and using a software tool to scan the removable media for malware before it is used.
Data storage and backups: It is crucial to provide employees with clear guidance surrounding data storage and backups while working remotely. This will help reduce the risk of data loss, information disclosure and data corruption. Make sure information contained on all of your devices is backed up with an appropriate level of protection and the backups tested.
Cloud services: Encourage the use of secure and approved cloud services for storing or exchanging company information, including instant messaging. It is also vital that any third-party cloud storage services used are verified for use by your security teams. This is particularly important when dealing with personal and special category data.