Technology Risks and Solutions When Working At Home
When the Covid-19 pandemic struck the world, many employees moved rapidly to a working from home (WFH) model.
Most experts believe that public and private sector organizations will need to address numerous data breaches as a result of the extraordinary move to almost ubiquitous working from home within a few days and without much time for planning. I will try to address some of these concerns in this blog, and point to early examples to watch and resources available to help.
One of the first challenges users face is the technology used.
Were you issued a laptop computer by your company? If not, and home computers are used, do those personal computers have the right protections in place: security policies, backups of data that are tested for reliability, antivirus and anti-malware tools installed, and encrypted data on the hard drive in case the laptop is stolen or lost?
If your business has a policy that allows the use of personal equipment, are policies being followed?
Once the decision is made that employees can use personal devices for remote work, the security of each personal device should be established before access is granted. One way to do this is to provide a checklist (see example below) for employees to complete an inventory of the security of their systems, along with instructions on how to gather this information.
Employees should follow security best practices when using work devices, or when accessing the organization’s network with their personal devices. It is up to each organization whether to make it a policy requirement for remote workers accessing your network or simply provide it as guidance. As stated earlier, policies may differ depending on the access and data that the employee is given. Not only should the employee follow security best practices, but it is essential that anyone with an account on the same device does as well.
Best practices to consider for inclusion are:
- Enable full device encryption, if sensitive data or communications will be on the device.
- Automatically update the operating system software.
- Automatically update application software (e.g. anti-malware software, office productivity software, browsers, email, and communication clients). When an auto-update is not possible, do a weekly check.
- Enable the Windows lock screen after a set time of inactivity.
- Disable file sharing.
- Disable network sharing.
- Disable unnecessary or risky services.
- Do not connect unknown devices to the system.
IT or trained Help Desk staff should be available to assist remote workers with any questions they have about implementing security on their systems. If additional support is needed for remote workers, it may require re-allocation of resources.
If multiple users do have access to the computing system, the following are imperative:
- User accounts are not shared.
- Each account is secured with a unique strong password.
- System administration functions are only performed in a separate system administration account, to which only the employee has access.
- For family member accounts, encourage employees to talk with their Internet Service Provider (ISP) to determine what security controls are available including parental controls.
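The best-practices list and the multi-user account requirements above describe what an employee should verify, and the earlier paragraph suggests a checklist with instructions on how to gather the information. The following read-only inventory script is an added example, not part of the original post or any Security Mentor material. It assumes a Windows 10 or 11 machine with the BitLocker and Microsoft Defender PowerShell modules present and is run from an elevated prompt; it only reports settings and changes nothing, so an employee can paste the table it prints into the checklist.

```powershell
# Added example (not from the original post): read-only security inventory for a
# personal Windows device used for remote work. Assumes Windows 10/11 with the
# BitLocker and Defender modules available, run from an elevated PowerShell prompt.
# Each entry maps to one line of the best-practices checklist.

$report = [ordered]@{}

# 1. Full device encryption: BitLocker protection status of the OS volume.
try {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['DiskEncryption'] = "$($osVol.ProtectionStatus) ($($osVol.VolumeStatus))"
} catch {
    $report['DiskEncryption'] = 'Unknown: BitLocker cmdlets unavailable or prompt not elevated'
}

# 2. Automatic OS updates: the Windows Update service must not be disabled.
$wu = Get-Service -Name wuauserv
$report['WindowsUpdateService'] = "$($wu.Status) / StartType=$($wu.StartType)"

# 3. Anti-malware: Defender real-time protection on, signatures recent.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $report['SignatureAgeDays']   = $mp.AntivirusSignatureAge
} catch {
    $report['RealTimeProtection'] = 'Unknown: Defender cmdlets unavailable'
}

# 4. Lock screen after inactivity: per-user screen saver must require sign-in,
#    with a finite timeout (values are stored as strings in the registry).
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$report['LockOnResume']    = ($desk.ScreenSaverIsSecure -eq '1')
$report['IdleTimeoutSecs'] = $desk.ScreenSaveTimeOut

# 5. File and network sharing: any SMB share beyond the administrative defaults,
#    and whether "File and Printer Sharing" (ms_server) is bound on an adapter.
$shares = Get-SmbShare | Where-Object { -not $_.Special } | Select-Object -ExpandProperty Name
$report['NonDefaultSmbShares'] = if ($shares) { $shares -join ', ' } else { 'none' }
$bound = Get-NetAdapterBinding -ComponentID ms_server |
    Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name
$report['FilePrinterSharingBoundOn'] = if ($bound) { $bound -join ', ' } else { 'none' }

# 6. Separate accounts: list enabled local accounts and flag administrators, so a
#    shared account or everyday use of an admin account stands out in review.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$accounts = Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $u = $_
    if ($admins -like "*\$($u.Name)") { "$($u.Name) (admin)" } else { $u.Name }
}
$report['EnabledLocalAccounts'] = $accounts -join ', '

# Print a two-column table for the checklist.
$report.GetEnumerator() | Format-Table -Property Key, Value -AutoSize
```

Reviewers on the help desk should treat a `DiskEncryption` of `Off`, a `StartType=Disabled` update service, `LockOnResume` of `False`, any non-default share, or an everyday account listed as `(admin)` as items to resolve before network access is granted; the script deliberately does not remediate, so the employee and support staff decide what to change.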
Lastly, watch out for phishing attempts related to Covid-19 and other hot topics. Unlike natural disasters, which typically last for a few days or possibly a week as a global top story, the coronavirus facts are changing daily, and new warnings and alerts can be expected for weeks if not many months.
Global public- and private-sector organizations need to act quickly to establish relevant communication with their employees, partners, and customers surrounding key coronavirus messages. One key goal should be to ensure that trusted channels are established and reinforced via the right messengers — such as top executives. Depending upon what your role and business function include, your actions will vary. However, the need to educate staff, partners, family, wider Internet users, and friends is universal.
Second, visit this blog. Here are some of the topics it covers in detail:
1) Provide effective, attractive security awareness training.
Security awareness training regarding phishing can be fun. [Note: provide specific coronavirus guidance about phishing and other threats that have been seen by your business or partners.] Make training brief, frequent, and focused. Teach staff practical things about phishing campaigns they don’t already know, and let them practice with real examples that are meaningful. …
2) Encourage reporting of phish.
Do your employees know what to do when they receive a phish (in any form)? Not clicking or deleting is certainly better than clicking, but reporting is also essential. You want honesty when employees do click, so you can respond quickly and effectively. …
3) Ensure that phishing is about more than just email.
Do staff understand that phishing can come from a telephone call or a text message? As discussed earlier, the person sitting next to them can even “phish” for your password.
Third, on the wider issue of building sustainable cyber solutions that will last, you can visit this article on building an enterprise culture of security.
By Dan Lohrmann
Chief Security Officer at Security Mentor, Inc.