Published On January 17, 2023

For organizations now supporting large numbers of remote workers, there are new cybersecurity challenges to address.
For organizations that aren’t experienced with supporting large numbers of remote or global workers, there are significant new cybersecurity challenges to consider. With many experts predicting that remote work populations will be with us for the foreseeable future, there are some basic steps every organization needs to take to cope with this disruption. Here’s what you need to know.
Define Your BYOD Policy and Update Asset Inventory
Even organizations that do a good job of accounting for the equipment they provide may not be prepared to handle a sudden influx of home computers, tablets and connected phones. Employees who have employer-provided computers should only use those devices to access approved applications.
Today, most organizations have issued bring your own device (BYOD) policies that address how employees may use their personal devices for work-related communications. Where that isn’t possible, IT should inventory the devices people are using, recording identifying information such as IP and MAC addresses. These actions will cut down on false alarms when unknown devices connect to the network.
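To show what such an inventory buys you in practice, here is an added Python example (not code from the original post or from Iron Mountain) that checks DHCP lease lines against a registered-device list and reports only the devices nobody has accounted for. The inventory, the log lines and their format are constructed for the example; the point is that a normalized MAC inventory lets the unknown devices stand out instead of every connection looking like an alarm.

```python
"""Flag devices that are not in the asset inventory.

Added example, not from the original post: an inventory of device
identifiers (MAC addresses, as the post suggests) lets a script separate
registered corporate and BYOD devices from genuinely unknown ones.
Inventory and log lines below are constructed for the example; the
DHCPACK line format is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: MAC -> (owner, device class). In practice this
# would be exported from the asset / BYOD registration system.
INVENTORY = {
    "aa:bb:cc:00:11:22": ("j.doe", "corporate-laptop"),
    "aa:bb:cc:33:44:55": ("j.doe", "byod-phone"),
    "de:ad:be:ef:00:01": ("a.smith", "byod-tablet"),
}

# Constructed DHCP-lease style log lines (format assumed for the example).
SAMPLE_LOG = """\
2023-01-17T08:01:02 DHCPACK on 10.0.0.21 to aa:bb:cc:00:11:22 (jdoe-laptop) via eth0
2023-01-17T08:03:10 DHCPACK on 10.0.0.22 to AA-BB-CC-33-44-55 (iphone) via eth0
2023-01-17T08:05:44 DHCPACK on 10.0.0.23 to 02:42:ac:11:00:02 (unknown-host) via eth0
2023-01-17T08:06:00 DHCPACK on 10.0.0.24 to de:ad:be:ef:00:01 (ipad) via eth0
2023-01-17T08:07:31 DHCPACK on 10.0.0.25 to 00:11:22:33:44:55 via eth0
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>[\d.]+) to "
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))?"
)


@dataclass(frozen=True)
class Lease:
    ts: str
    ip: str
    mac: str
    host: str


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated.

    DHCP servers and client OSes emit different separators and cases;
    without normalization a registered device would be reported as
    unknown, which is exactly the false alarm the inventory should avoid.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(log_text: str) -> list[Lease]:
    """Extract (timestamp, ip, mac, hostname) from DHCPACK lines; skip the rest."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        leases.append(Lease(m["ts"], m["ip"], normalize_mac(m["mac"]), m["host"] or ""))
    return leases


def find_unknown_devices(log_text: str, inventory: dict[str, tuple[str, str]]) -> list[Lease]:
    """Return the leases whose MAC address is not registered in the inventory."""
    known = {normalize_mac(mac) for mac in inventory}
    return [lease for lease in parse_leases(log_text) if lease.mac not in known]


if __name__ == "__main__":
    for lease in find_unknown_devices(SAMPLE_LOG, INVENTORY):
        print(f"UNKNOWN DEVICE {lease.mac} got {lease.ip} at {lease.ts} "
              f"(hostname: {lease.host or '-'})")
```

Run stand-alone, it reports the two leases that are not in the inventory and stays silent about the three registered ones, including the phone whose MAC was logged in a different format. One caveat when building the inventory: current iOS and Android releases randomize the Wi-Fi MAC address per network by default, so BYOD phones either need that feature turned off for the corporate SSID or need to be registered by another identifier.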
Patch and Protect
Typically, only work-issued laptops and mobile devices are authorized to access an organization’s network unless the user has an approved security exception. These devices are patched and monitored by an organization’s IT group to ensure they are up-to-date on required patches.
For personal use computers or other devices, ensure they are equipped with the latest patches and protections, including at least one layer of antivirus software and a firewall. If your organization hasn’t provided antivirus software or a firewall for personal devices, “most internet service providers offer free or low-cost security software,” says Larry Jarvis, Chief Information Security Officer at Iron Mountain.
Implement Multi-factor Authentication (MFA)
Most of us have encountered a two-stage process when logging on to a website. After entering our username and password, the site sends a text message to a mobile phone or requires the use of a third-party authenticator app. Businesses are now rapidly ramping up their adoption of MFA.
If your company doesn’t use MFA to protect its network, there’s never been a better time to start. Cybercriminals are taking advantage of pandemic-related confusion to step up their attacks, and password-guessing software is constantly improving. What’s more, many people still use easily guessed passwords like birth dates and the names of family members. MFA is not only more effective but often more convenient than asking people to remember long strings of random characters.
Update Acceptable Use Policies (AUPs)
These are written policies that define what people should and shouldn’t do with the devices they use for work. Policies typically cover such topics as acceptable makes and models of equipment, authorized software and services, best security practices and standards for online behavior, and types of third-party applications that are permitted or not permitted for use, such as messaging apps.
AUPs are especially important now because employees may adopt cloud services that aren’t supported by the IT organization for such purposes as document storage, videoconferencing, and messaging. An AUP guides them toward secure and supported services as well as offers advice on how to ensure that sensitive information isn’t inadvertently disclosed. Jarvis’s advice: “Only use services that are allowed under AUPs.”
Double Down on User Training
Schedule half-hour video training sessions or record an instructional video that covers best practices to keep employees safe from malicious messages.
Remote devices are a gold mine for purveyors of phishing attacks, which are deceptive email messages that contain malicious links or attachments. Phishing is the cause of more than 90% of corporate breaches, and recipients anxious for financial and healthcare advice are considered prime targets.
“Law enforcement and companies are reporting a notable uptick related to phishing emails, text messages, and phone calls,” Jarvis says.
The best defense against phishing attacks is skepticism; remind people never to click on links or download attachments unless they’re certain of their validity. Never trust alias names in “from:” fields, which can easily be spoofed. Your IT organization might want to set up an email account where users can send suspicious emails for verification.
Users should also be wary of emails that request personal information like passwords, credit cards, or bank account numbers or prompt them to log in to their account on a website. Legitimate organizations should never request such details by email. Attackers sometimes set up fake webpages that look like the real thing but are intended to fool people into entering login credentials. Best advice: Check the website URL before proceeding.
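The two checks recommended above (don’t trust the display name in the “from:” field, and check the URL before proceeding) can be automated for a mailbox that collects suspicious messages. The following Python example is added here and is not code from the original post or from Iron Mountain; the trusted domain, header lines and URLs are constructed for illustration, and the checks use only the standard library.

```python
"""Two defensive checks for a suspicious-mail triage mailbox.

Added example, not from the original post. Trusted domains, sample
headers and URLs are constructed for illustration.

1. check_from_header: does the display name claim a different sender
   than the actual address, and is the actual domain trusted?
2. url_belongs_to: does a link really point at the expected domain, or
   only contain its name somewhere in the URL?
"""
from __future__ import annotations

import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: the domain(s) this organization actually sends mail from.
TRUSTED_DOMAINS = {"corp.example"}

# Matches something that looks like an address inside a display name.
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def address_domain(addr: str) -> str:
    """Domain part of an address, lowercased."""
    return addr.rpartition("@")[2].lower()


def check_from_header(from_header: str, trusted_domains: set[str]) -> list[str]:
    """Return a list of findings for a From: header (empty means nothing odd).

    parseaddr splits '"Name" <addr>' into its two parts; the display name
    is free text the sender controls, so it is only compared against the
    real address, never trusted on its own.
    """
    display, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return ["From header could not be parsed into an address"]
    real_domain = address_domain(addr)
    findings = []
    if real_domain not in trusted_domains:
        findings.append(f"sender domain {real_domain} is not a trusted domain")
    m = EMBEDDED_ADDR_RE.search(display)
    if m and m.group(1).lower() != real_domain:
        findings.append(
            f"display name claims {m.group(1).lower()} but the address is at {real_domain}"
        )
    return findings


def url_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the URL's host is the expected domain or a subdomain of it.

    urlsplit handles the edge cases a naive substring check misses: a
    'user@host' prefix (the part before '@' is userinfo, not the host),
    and an expected domain appearing as a *prefix* of a different host.
    A URL with no scheme has no host and is rejected.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return bool(host) and (host == expected or host.endswith("." + expected))


if __name__ == "__main__":
    # Constructed samples for the triage mailbox.
    for header in (
        "IT Helpdesk <helpdesk@corp.example>",
        '"helpdesk@corp.example" <alerts@mail-promo.test>',
    ):
        print(header, "->", check_from_header(header, TRUSTED_DOMAINS) or "ok")
    for link in (
        "https://sso.corp.example/login",
        "https://corp.example.sso-login.test/login",
        "https://corp.example@sso-login.test/login",
    ):
        print(link, "->", "expected domain" if url_belongs_to(link, "corp.example") else "NOT expected domain")
```

The second sample header is the case the post warns about: the display name reads like an internal address while the real sender is elsewhere, and both facts are reported. For the links, only the first one actually lands on the expected domain; the other two contain the domain name but resolve to a different host, which is what “check the website URL” has to catch.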
Limit VPN Use
A virtual private network is a secure, encrypted “tunnel” between remote devices and the corporate network, but it can be a security threat when an endpoint is compromised. If a user connected to a VPN inadvertently clicks on a malicious link, it can unleash malware that rides on top of the VPN to invade the corporate network. Best advice: Log off the VPN when you don’t absolutely need it.
“Most employees don’t need the VPN if they’re just using Google Workspace services like email and meeting videos,” Jarvis said. “They should only need it to log in to VPN for certain applications that are hosted inside of the company.”
Beware of Rogue Wi-Fi Hotspots
More people are starting to work from coffee shops, hotels, and airports again, so they need to be cautious when using free Wi-Fi or hotspots. Perhaps it’s to save usage fees on mobile phones or to hop on a neighbor’s speedier network, but threat actors will try to lure people to Wi-Fi access points with seemingly legitimate names. The owner of an access point can name it whatever he or she wants, so the fact that the ID is “Marriott” doesn’t mean it has anything to do with a hotel.
Attackers may try to lure people into a false sense of security by pretending to require a password when none is needed.
To keep your employees safe when working remotely and from personal devices, work with your IT and Information Governance teams to build the framework within which these decisions are made.
Blog post updated: 2023