Rushing to make decisions that have security consequences is never ideal. Equally, there are times when we get thrown a curve ball and must act quickly.
If home-working is new for your company, and you need to get policies and systems in place fast, you’ll want to know the cybersecurity risks and how to reduce them. Start here to make sure your staff are securely set up to work from home as soon as possible.
Home internet connections can be vulnerable
When your employees work in the office on the local network, your security solutions handle data exchange processes. But when employees work from home, there’s an extra variable – internet service providers (ISPs). You can’t control their ISP’s security, which may mean their home connection is vulnerable to attack.
The solution: A reliable virtual private network (VPN)
For your employees to connect remotely to corporate resources, set them up with a reliable virtual private network (VPN). This creates a secure channel between their workstation and your infrastructure. You’ll also need to block any connection to corporate resources from an external network that does not come through the VPN.
Behavior changes make attacks harder to spot
When people work from home, their routines change. Telecommuters can’t just walk over to a colleague to talk about something. Expect an increase in correspondence, including new participants – people with whom communication used to be purely verbal. These changes give attackers more opportunity, in particular for Business Email Compromise (BEC) attacks – for example, using an account with an address similar to the victim’s.
Amid a swelling sea of corporate correspondence, a small phishing boat is hard to spot.
In other words, a fake message asking for data will not seem as unusual as it normally might. The more relaxing home environment can make many people less vigilant.
The solution: Using protected work email only, and staff knowing why
First, employees at home should use only work email. This makes it easier to spot a cybercriminal’s attempt to impersonate a colleague from an account on another domain.
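One way to back this rule with a mail-triage check, as an added example that is not part of the original article: the Python below labels a From header as internal, a lookalike of the corporate domain, a staff name used from an outside domain, or plain external. The domain `example.com`, the staff names, the substitution list and the distance threshold of 2 are all constructed assumptions.

```python
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                      # assumption: company mail domain
STAFF_NAMES = {"dana whitfield", "omar reyes"}   # constructed directory sample
# Common visual substitutions seen in lookalike domains (assumed list)
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
MAX_DISTANCE = 2                                 # assumed similarity threshold


def normalise(domain):
    """Lower-case the domain and undo common character substitutions."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return a triage label for the sender of one message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == CORP_DOMAIN:
        return "internal"
    if edit_distance(normalise(domain), normalise(CORP_DOMAIN)) <= MAX_DISTANCE:
        return "lookalike-domain"        # near-copy of the corporate domain
    if name.strip().lower() in STAFF_NAMES:
        return "staff-name-external-domain"   # colleague's name, outside address
    return "external"


if __name__ == "__main__":
    for header in ("Dana Whitfield <dana@example.com>",      # constructed samples
                   "Dana Whitfield <dana@exarnple.com>",
                   "Omar Reyes <omar.reyes@freemail.test>"):
        print(f"{classify_sender(header):28} {header}")
```

The check only covers near-copies of the domain and reused display names; it does not replace sender authentication on the mail gateway.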
Use of leaky collaboration tools can rise
Without face-to-face contact, employees may start using other ways to collaborate. Some of these might not be the most reliable, and they must be set up correctly. For example, a Google Docs document with certain access permission configurations may be indexed by a search engine, leaking corporate data.
The same thing can happen to data in cloud storage. A collaboration environment like Slack can also leak, and a randomly added outsider could get access to the whole history of files and messages.
The solution: Choose a better collaboration environment
Choose a collaboration environment with suitable security and features. Participants should need a corporate email address to register. It’s often worthwhile appointing a dedicated administrator to issue and revoke rights as needed.
Most important, before employees work from home, hold an awareness session – which could be remote. Insist they use only the approved collaboration system, and reiterate their responsibility for keeping corporate secrets safe.
Risks of home computer use
Generally speaking, not all employees have access to corporate laptops. And mobile phones are not suitable for all tasks. Employees might start using their home computers. This can pose a serious threat for companies with no Bring Your Own Device (BYOD) policy.
The solution: Protected corporate equipment or BYOD policy
If possible, give home-working employees appropriately protected corporate laptops and phones. These should be protected with solutions that allow remote wiping of corporate information, keep personal and corporate data separate, and restrict the ability to install applications. Make sure the devices also automatically check for the latest critical software and operating system (OS) updates.
If employees must use their own devices, introduce a BYOD policy for managing corporate data on those devices, for example, partitions for business and personal data. Insist employees install home antivirus software. Allow devices to connect to corporate networks only after confirming they have a security solution installed and an up-to-date OS.
Others accessing employees’ equipment
You don’t know who your employees live with, or who might see their screen when they’ve gone for a cup of tea.
It’s one thing for employees to work at home alone during the day, but another if they go to a café or coworking space, where risks of leakage or compromise are far greater.
The solution: access policies and awareness
Security policies should require a password and automatic screen lock. And as with other cybersecurity issues in telecommuting, awareness training is a must to maintain overall vigilance.
This article was published in March, 2020.