The situation with COVID19 is rapidly evolving and over the last week, an increasing number of companies and government agencies have announced mandatory work from home (WFH) policies for non-essential employees.
When thinking about the Coronavirus outbreak – and pandemics in general - the number one priority of employers needs to be the safety and security of employees and their families.
After that, it's important to consider the safety and security of the business itself.
How organizations are dealing with cybersecurity for remote workers
The first challenge most companies face when shifting to a work from home model is ensuring every employee has high speed internet access from their remote work environment.
Most employees will use their home Wi-Fi network, the Mi-Fi available via their cell phone/wireless carrier, or, if they are healthy and suffering from cabin fever, they will use public Wi-Fi at a coffee shop or café.
While this addresses the need for internet access, it does not address the need for security. Many organizations that do not already have a robust work from home culture may not have measures in place to deal with securing remote network access, and the threat vector posed will be multiplied by every single employee they send to work from home.
The result is a wide variety of cybersecurity policies and procedures, from companies that rely on the security of cloud-based platforms to run their business, to others that employ a combination of tools such as single sign on (SSO), two factor authentication (2FA), virtual private networks (VPNs), and password managers along with staff training and other policies to ensure compliance.
Here’s what a sample of executives we spoke with shared.
“HubSpot already has a thriving remote worker culture and we are provided a VPN which takes one click to utilize. We also are required to use two factor authentication (2fa).”
“I’ve been working from home, both as an agency owner and now as a solopreneur, for a long time. My wife and I are acutely aware of security, so I use encrypt.me for all online connections, and we use two factor authentication for all account logins. I change our Wi-Fi logins monthly, and while we don’t travel much, we take extra precautions when we do.”
“We already have a remote work culture in place. Most of our work is done directly on sites like HubSpot and social network sites as we're a marketing agency. As it is, little to no work is processed/stored on the machines, all in the cloud.”
“As a remote first company, we have opted into most 2FA, especially for email, which is the full Google Suite, as well as our password system (LastPass). Generally, the team works from home or an approved coworking space. We generally don't recommend (though don't disallow either) working from coffee shops or the like as internet connection isn't always reliable and meetings are prevalent.”
"We have a VPN. Also, we are moving to a secure internal only email and filing system. We will still use our public-facing email address for external communications, but will have a different one for internal and sensitive conversations. We will each literally have two email addresses!"
Anonymous, CMO, Crypto Exchange Company
“We’re a remote-friendly company (small, 15 people) but we have pretty strict security measures in place. We require single sign on (SSO) via Okta for all major systems containing sensitive company or customer data. We also require 2FA (I use Google Authenticator) and a password management tool (1Password). We’re an entirely SaaS-based tech stack which makes it a lot easier for our CTO to monitor and manage. Our product also helps us and our clients monitor their SaaS usage, especially with so many SaaS apps being adopted bottom up. Historically, there’s been no way for a security or IT team to know what SaaS is in use and what permissions may have been granted (ie. letting Facebook read and write data within our GSuite or Slack instance.) Intello solves that. I work from home, but occasionally work from coffee shops, etc. Most of our team are based in NYC and half of them work remotely 75% of the time or more. Because we’re entirely SaaS-based we just use secure login principles. We have regular training and tech practices (being SOC2 compliant) to regularly manage security beyond what I mentioned.”
“We have several remote employees on the sales team and I work remotely from time to time. It's always from home because of the nature of sales. We use G-suite and have Okta SSO to log into any systems that we use. You also need a VPN if you are accessing our products.”
“We are 100% remote. I mix working from home or a coffee shop (just depends if I need a change of scenery!). Our team is spread throughout the US. We use G-suite and secure login principles.”
In Attila’s case, we’ve always provided our employees with GoSilent Cubes and mandated that our team use them when working from home. This ensures that any communication between their devices and our corporate network is secure and encrypted and that our intellectual property is protected.
Cybersecurity best practices for securing remote workers
If your organization is suddenly faced with the need to send employees home to work and you’re wondering what cybersecurity measures you should put in place, we’ve put together some simple best practices to help you get started.
Ensure that any cloud-based platforms your team uses have multi-factor authentication (MFA) enabled
MFA is a security system that verifies a user’s identity by requiring that they present two or more pieces of evidence (factors) before granting them access. Generally, these factors fall into two categories: knowledge (something the user knows) and possession (something only that user has).
Examples of common factors that might be required under MFA include a code from the user’s smartphone, the answer to a security question, a fingerprint, or facial recognition. Because it requires multiple different forms of evidence, MFA is an effective way to protect against the use of unsafe passwords and brute force attacks by hackers.
To make it easier for users, set up a single sign on (SSO) solution
SSO enables users to securely authenticate their identity across multiple platforms using only one set of login credentials (rather than having to use individual logins for every platform).
There are a variety of SSO providers with solutions spanning small businesses to very large enterprises. They include Okta, OneLogin, RSA SecurID, Ping Identity, Idaptive, Azure AD and CA Technologies.
Require employees to use a password manager
Dedicated password manager apps such as 1Password or LastPass will ensure that your employees’ passwords are stored in an encrypted form. They will also help individual users to generate secure random passwords and will flag any cases where a duplicate password has been used.
Because these apps have browser extensions and mobile apps, they make it easy for users to access their passwords on the go.
Provide your employees with a VPN
A VPN allows you to create a secure connection from your device to a specific network, over the internet.
When you activate a VPN, it creates an encrypted tunnel between your device and a remote server. All of your data and communications are then routed through that tunnel, ensuring they are protected from malicious actors. VPNs can also mask (or obfuscate) your identity and location by routing your traffic through the VPN server.
There are both software and hardware VPNs (such as Attila’s GoSilent Cube) available from a large number of providers (too many to list here).
Install a firewall on users’ devices
Any time your users connect a device to the internet, they become the potential target for a variety of threats including hackers, keyloggers and Trojans that attack through unpatched security holes.
Firewalls function as a barrier between the user’s device and the internet by filtering packets to see if they meet certain criteria and blocking any traffic flagged as malicious.
Firewalls are built in to all modern operating systems, however some organizations choose to install their own firewall. Regardless of which approach you take, it is critical to ensure firewalls are enabled and kept up to date.
Make sure all of your users’ devices are patched and up to date
This one is tricky, because it extends beyond the devices that you as a company provide to your employees. You don’t know what’s running on your employee’s home wireless network, and your corporate network is only as strong as the weakest link.
For example, if one of your employees has an older wireless router and it doesn’t have up to date patches, they will be exposing all of the devices on their home network – and by extension, your corporate network -- to hacking.
In addition to the measures listed above, organizations should provide employees with behavioral guidance such as:
- Avoid public Wi-Fi
- Don’t leave devices in the car or any other unsecured locations
- Don’t plug in unknown thumb drives
- Use USB data blockers when charging devices at public charging stations
At the end of the day, the biggest vulnerability an organization has when employees work remotely is the employee themselves. There’s a saying that goes “every employee is their own CISO,” meaning that individual users will choose to use the IT and security solutions they like best.
The lesson here is that you can provide your employees with the best security in the world, but if they don’t like it, or find it difficult to use, they will seek another solution – so it’s critical to consider ease of use and training when putting your cybersecurity solutions in place.