While over 70 percent of global employees work remotely at least once per week and full-time remote workers are increasingly common, there are still aren't a lot of resources that help address the cybersecurity risk introduced by remote work.
In the past, workplaces that weren't set up to work remotely, simply didn't. However, the coronavirus pandemic and resulting lockdown of many countries mean that many organizations and their employees are now in the unfamiliar territory of full-time working from home (WFH).
Business continuity planning means that we now need to find ways to protect our customer's sensitive data while allowing for location flexibility.
There is a lot that can be done at an infrastructure level and an individual level to keep customer data secure, but the truth is your company's confidential information is only as secure as the weakest link.
And as we will touch on later in this post, the weakest link may not even be inside your organization.
They may be a third-party service provider who is also remote working on public Wi-Fi network that is susceptible to a man-in-the-middle attack or an employee logging in from a personal device that still uses an outdated or unsupported operating system.
Given the circumstances, we wanted to share some security tips to help your organization and your staff stay secure during the COVID-19 pandemic. Not just to protect those working from home, but also to help the security, IT departments, and small businesses who suddenly need to secure their distributed workforce.
This article will start with the steps individual remote employees can take to safeguard your organization's sensitive information as well as their own personal information and protected health information (PHI), and then move on to what you can do as an organization.
While these security controls can be used at any time, they are even more important as employees are working from home networks that are often less secure than company networks.
Security tips for employees working from home
Secure your home office
Physical security shouldn't go out the window when you're working from home. Just as you lock the up the office when you leave for the day, do the same when working from home.
Laptops can be stolen from your backyard, living room or home office. Take your laptop inside when you go and make lunch, and lock the door to your home office. Keep your home workspace as secure as you keep your normal office.
Secure your home router
Cybercriminals look to exploit default passwords on home routers because of not many people bother to change it, leaving their home network vulnerable.
Changing your router's password from the default to something unique is a simple step you can take to protect your home network from malicious actors who want access to your devices.
This is a good first step, but there are additional actions you can take. For example, you should ensure firmware updates are installed as soon as possible so known vulnerabilities aren't exploitable.
Separate work and personal devices
It might be easier said than done, but it's important to carve out boundaries between your work life and home life, especially while working from home.
While it may seem cumbersome to constantly switch between devices to simple pay a bill or online shop, do your best to keep your work computer and home computer separate. You never know if one has been compromised.
If you can do the same for your mobile devices, even better.
This can help reduce the amount of sensitive data exposed if your personal device or work device has been compromised.
Encrypt your devices
If your employer hasn't already turned on encryption for you, you should turn it on as it plays an important part in reducing the security risk of lost or stolen devices, as it prevents strangers from accessing the contents of your device without the password, PIN, or biometrics.
For reference, encryption is the process of encoding information so only authorized parties can access it. While it doesn't prevent interference and man-in-the-middle attacks, it does deny intelligible content to the interceptor.
How you turn on encryption will depend on your device:
- Windows: Turn on BitLocker.
- macOS: Turn on FileVault.
- Linux: Use dm-crypt or similar.
- Android: Enabled by default since Android 6.
- iOS: Enabled by default since iOS 8.
Use a supported operating systems
New vulnerabilities and exploits are posted to CVE on a daily basis and they can often impact old versions of operating systems that are no longer supported by their developers. In general, operating system developers only support the last few major versions, as supporting all versions is costly and the majority of users do the right thing and upgrade.
Unsupported versions no longer receive security patches as vulnerabilities putting your device and sensitive data at risk.
In short, always use a supported operated system, and if your device allows it, the latest version.
Here's how to check if your operating system is still supported:
- Windows: Check the Windows lifecycle fact sheet
- macOS: Apple has no official policy for macOS. That said, Apple consistently supports the last three versions of macOS. So assuming Apple releases a new version of macOS each year, each release of macOS should be supported for roughly three years.
- Linux: Most active distributions are well supported.
- Android: Security updates target the current and last two major versions but you may need to check that your manufacturer/carrier is sending the security patches to your device. You can read more about Android security here.
- iOS: Like macOS, Apple has no official policy for iOS but security updates generally target the most recent major version and the three prior.
It's not always easy to determine if your operating system is supported, which is why its best to use the latest version as long as your device can handle it.
Keep your operating system up-to-date
Even if you are using a supported operating system, there can be significant delays between the disclosure of a vulnerability and its mitigation. Even if the window is open for only a few days, wormable zero-day exploits represent significant risk. Just look at how WannaCry's EternalBlue exploit resulted in hundreds of thousands of infections.
To minimize this risk, ensure all devices apply security patches as soon as possible, ideally via automatic updates.
Most modern devices will automatically apply updates by default but you may need to allow your computer to restart to complete the patching process.
Keep your software up-to-date
Operating systems aren't the only thing that can be exploited. Any software can, web browsers are a common target. For the same reasons outlined above, it's important to keep any installed applications up-to-date.
Most modern software will check for, and apply security patches automatically. For everything else, check for the latest versions periodically. That said, where possible consider using a secure SaaS application over installable software as it cannot become out of date and the management of security is in the hands of the provider rather than you.
Enable automatic locking
If you walk away from your device at your home office, coworking space, or a coffee shop, you should lock it. The issue is as humans, we forget. When we do, automatic locking is there to protect our unattended devices.
Make sure to configure an amount of time that while convenient is not unreasonably long, such as 30 seconds for mobile devices and five minutes for laptops.
Automatic locking is enabled by default on most modern devices.
Use a strong PIN/password on your device
All of the above doesn't matter if you don't use a strong password. Make sure to avoid anything that's easy to try, such as repeating numbers (e.g. 000000), sequences (e.g. 123456), or common passwords.
Additionally, don't use anything that is related to you, such as your date of birth, license plate, address, etc. A good pin/password should look random to anyone that's not you.
Use an antivirus
An antivirus software, as the name indicates, is a program that works against a virus. It detects or recognizes the virus, and then after detecting the presence of the virus, it works on removing it from the computer system. Antivirus software works as a prophylactic so that it not only eliminates a virus but also prevents any potential virus from infecting your computer in the future.
Invest in a password manager
If your company doesn't provide you with a password manager, consider investing in one. They help you create strong passwords and remember them, as well as share them with family members, employees, or friends securely.
They also make it easy to use a unique password for each website you use.
This is a big deal because if you reuse the same password and it is exposed in a data breach, which has happened to billions of people, your other accounts will remain safe.
Most password managers will also allow you to store secure notes, credit card details, and other types of sensitive information.
Enable two-factor authentication and use an authenticator app
Two-factor authentication is an authentication method where access is granted only after successfully presenting two pieces of evidence to an authentication mechanism.
Two-factor authentication can dramatically reduce the risk of successful phishing emails and malware infections because even if the attacker is able to get your password, they are unable to login because they do not have the second piece of evidence. To successfully login, they would need access to whatever is generating your one-time code, which should be an authenticator app or security key.
The first and most common evidence is a password. The second takes many forms but is typically a one-time code or push notification.
It's important to be aware that while convenient, SMS is not a good choice for the second factor.
In fact, NIST SP 800-63 Digital Identity Guidelines explicitly disapproves of its use because attackers have learned how to trick telecommunication companies into switching the phone number to a new sim card through social engineering.
Enable find my device and remote wipe
Being able to find and ideally remote your device is a crucial part of ensuring information security when a device is lost or stolen. Securely wiping a device makes it much harder to access your data, no matter how much time or determination an attacker has.
Here's how to enable find my device:
- Windows: Enable in Settings > Update & Security & Find my device.
- macOS: Setup iCloud on your device by going to Settings > Your Name > iCloud > Find My Mac.
- Linux: Not built into the operating system and requires a third-party app
- Android: Set up a Google account on the device and it will be enabled by default.
- iOS: Setup iCloud on your device by going to Settings > Your Name > iCloud > Find My iPhone/iPad.
Wipe any devices before you share, sell or dispose of
When lending, giving, selling, just throwing out an old device, make sure to return it to factory settings. This will prevent your data from being accessed after you no longer have control over your device, temporarily or permanently.
Before doing this, remember to back up or transfer any important information on the device.
Here's how to return your device to factory settings:
- Windows: Follow this guide from Microsoft and when asked click remove everything.
- MacOS: Follow Apple's guide.
- Linux: Follow Arch's guide then reinstall your distro.
- Android: Go to Settings > System > Reset options > Erase all data (factory reset).
- iOS: Follow Apple's guide.
Use a virtual private network (VPN)
A virtual private network (VPN) extends a private network across a public network, enabling you to send and receive data across shared or public networks as if you are directly connected to the private network. They do this by establishing a secure and encrypted connection to the network over the internet and routing your traffic through that.
This keeps you secure on public hotspots and allows for remote access to secure computing assets.
VPNs can reduce the risk of certain cyber attacks, like MITM attacks, as they make it difficult to snoop on your traffic and intercept what you are doing. They can also prevent websites from knowing your real location, or your internet provider from monitoring your activity.
Security tips for employers handling a remote workforce
Invest in cybersecurity awareness training
Unfortunately, teaching cybersecurity isn't something that can just be taught once and forgotten. Cybercriminals are constantly looking for new ways to circumvent security controls and psychology to gain access to sensitive information.
Teach your staff how to:
- Recognize phishing, spear phishing, and whaling attacks
- Avoid malicious email attachments and other email-based scams
- Identify domain hijacking and typosquatting attacks
- Use operations security on their social media accounts and public profiles to prevent data branches, cyber attacks, and corporate espionage
- Only install software if they need to and to prefer secure, well-established SaaS applications that are always up-to-date
- Avoid installing browser plugins that come from unknown or unidentified developers
Monitor your third-party vendors and service providers
Remember cybersecurity risk management must extend beyond your organization because the weakest link may actually be an outsourced service provider or vendor who may also have their employees working from home.
This means that continued investment in vendor risk management and your third-party risk management framework is very important. This why many companies are turning to security software to help them scale their programs while out of the office.
One popular example are security ratings. Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform making them valuable as an objective indicator of an organization's cybersecurity performance.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk.
The higher the security rating, the better the organization's security posture.
Implement adequate email security practices
Email security refers to various cybersecurity measures to secure the access and content of an email account or service.
Proper email security can protect sensitive information in email communications, prevent phishing attacks, spear phishing and email spoofing and protect against unauthorized access, loss or compromise of one or more email addresses.
Email security is important because malicious email is a popular medium for spreading ransomware, spyware, worms, different types of malware, social engineering attacks like phishing or spear phishing emails and other cyber threats.
In general, you want to ensure you have adequate SPF, DKIM, and DMARC policies to prevent email spoofing.
Use access control
Implementing an adequate access control policy, such as role-based access control (RBAC), which assigned permissions to end-users based on their role within your organization, can reduce the risk of data breaches and data leaks that involved privileged escalation attacks.
Always follow the principle of least privilege when granting user permissions.
Invest in cyber hygiene
Cyber hygiene is the cybersecurity equivalent to the concept of personal hygiene in public health literature.
The European Union's Agency for Network and Information Security (ENISA) states that "cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organization will be simple daily routines, good behaviors, and occasional checkups to make sure the organization's online health is in optimum condition".
In short, cyber hygiene encompasses your hardware, software, IT infrastructure, cybersecurity awareness training, and increasingly, your employee's own devices.
Ensure your web applications use HSTS
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that enables web sites to declare themselves accessible only via secure connections. This helps protect websites and users from protocol downgrade and cookie hijacking attacks.
Use security metrics to monitor your cybersecurity performance
Security metrics or cybersecurity metrics are a measurable value that demonstrates how well a company is achieving its cybersecurity risk reduction goals. Organizations use security metrics at multiple levels to evaluate how well they are meeting their security standards and information security management requirements.
With staff working from home, it's important to set up metrics that monitor how well your staff are adhering to your information security policies while working from home.
Enforce strong passwords on employee devices
Ensure that your staff must use strong passwords by enforcing password requirements on company devices.
Invest in organization-wide password management tools
Don't rely on your employees to invest in password managers.
A good way to ensure your employees don't reuse passwords is to make it easy for them to create, remember, and use strong passwords.
Encrypt all company devices
Encryption is the process of encoding information so only authorized parties can access it. While it doesn't prevent interference and man-in-the-middle attacks, it does deny intelligible content to the interceptor.
Ensure that all company devices are encrypted.
How UpGuard can improve your cybersecurity
UpGuard can continuously monitor both the internal and third-party attack surface to help organizations discover and remediate residual risks exposing their sensitive data.
UpGuard also supports compliance across a myriad of security frameworks, including the new requirements set by Biden's Cybersecurity Executive Order.