Enforcing Standard Cybersecurity Measures for Remote Work
Ready or not, the arrival of COVID-19 and local stay-at-home orders forced many employees out of the office and into their homes to work remotely. And while some organizations were able to adapt and transform their operations with relative ease, others have struggled to organize and maintain internal systems that fully support a remote team.
Whether your organization was ready for remote work or not—and as businesses continue to modify practices and normalize “work from anywhere” conditions—it’s not too late to check if your connections are truly secure, and to make sure your team is up to speed on cyber smart practices.
If you connect it, protect it.
October is National Cybersecurity Awareness Month, and throughout this month REDW is here to help you run weekly confidence checks. This week, REDW’s Senior Manager of Cybersecurity, Jennifer Moreno, shares six simple steps for establishing some baseline security measures.
1. Establish Remote Access Security
Working remotely is not as simple as letting employees take a work laptop home or work from their personal devices. Sending your employees out of the building and into their respective homes without a secure way to connect to your company’s network can signal open season for hackers and cyberattacks. A vital first step to establish online safety for your company is to implement a secure way for remote workers to connect: use either an encrypted Virtual Private Network (VPN) connection or Virtual Desktop Infrastructure (VDI) to secure remote access.
You may well be aware of this basic level of security, but it’s important to ensure your team is aware that connecting via a VPN or VDI is a crucial, elementary step in protecting your organization’s network. It is also important to review the remote connection logs or console regularly to confirm that only authorized users are connecting to your network.
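The log review described above can be partly automated. The following is an added example, not part of the original article or any REDW tooling: it checks successful VPN connections against a roster of approved accounts. The log format, usernames, and roster are constructed assumptions; adapt the pattern to your gateway's actual log export.

```python
import re
from collections import defaultdict

# Assumed key=value log format; real VPN gateways differ, so adapt the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+event=connect\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>success|failure)$"
)

# Constructed roster of accounts approved for remote access.
AUTHORIZED = {"jsmith", "mlopez", "akhan"}

# Constructed sample log lines (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
2020-10-05T08:14:02Z vpn-gw1 event=connect user=jsmith src=203.0.113.10 result=success
2020-10-05T08:20:41Z vpn-gw1 event=connect user=MLopez src=203.0.113.24 result=success
2020-10-05T09:02:17Z vpn-gw1 event=connect user=contractor7 src=198.51.100.77 result=success
2020-10-05T09:05:50Z vpn-gw1 event=connect user=akhan src=198.51.100.12 result=failure
2020-10-05T23:48:09Z vpn-gw1 event=connect user=contractor7 src=198.51.100.80 result=success
2020-10-05T23:59:59Z vpn-gw1 truncated line without fields
"""


def review_connections(log_text, authorized):
    """Return (off-roster successful sessions by user, unparsed lines)."""
    roster = {u.lower() for u in authorized}
    unauthorized = defaultdict(list)
    unparsed = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Never drop unreadable lines silently: the review would look clean.
            unparsed.append(line)
            continue
        user = m["user"].lower()  # usernames compared case-insensitively
        if m["result"] == "success" and user not in roster:
            unauthorized[user].append((m["ts"], m["src"]))
    return dict(unauthorized), unparsed


if __name__ == "__main__":
    flagged, skipped = review_connections(SAMPLE_LOG, AUTHORIZED)
    for user, sessions in flagged.items():
        print(f"NOT ON ROSTER: {user} connected {len(sessions)}x: {sessions}")
    print(f"{len(skipped)} unparsed line(s) need manual review")
```

Lines the pattern cannot read are returned rather than discarded, so a format change on the gateway shows up as a growing unparsed count instead of a falsely clean report.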
2. Secure the Internet of Things (IoT)
An increasing number of IoT smart devices are put to use in our businesses and homes: HVAC systems, thermostats, refrigerators, printers, lighting systems, and even fish tank devices can now connect to the internet. Their connectivity provides ease of access, but they are often left vulnerable due to a lack of security controls. If you utilize these devices in your business or home environment, ensure that IoT devices have been secured so they cannot be compromised by a cyber-criminal and used as the entry point into an employee’s network.
3. Protect Social Media Privacy
Social media is a great tool to connect with business colleagues, friends and family, but we often don’t put much thought into the content we post and how it may affect our privacy, or into the risk of social media sites being infected with malware. If you’re allowing employees to access social media or to use their own computers for remote work, consider training them on these risk factors:
- Privacy Settings: Employees should review social media application privacy settings, keeping in mind that each platform’s settings may differ from the others. Investigate what types of personal data these sites store and share with other sites and applications.
- Social Logins: Educate employees to resist the temptation to use a social login feature to gain access to other websites. While this simplifies access to these other sites, if that particular social media profile is ever compromised, it can jeopardize their information on all connected sites. Social login features can also increase fraudulent account creations intended to impersonate an employee’s identity.
- Shared Personal Details: Encourage employees to be thoughtful about what personal details they provide in their profiles. Do these sites or the connections on them really need to know an employee’s specific job duties, or personal details like their hometown, alma mater and other interests that can compromise their security profile?
4. Website Security
Employees may be tempted to bypass the warning on websites with an expired certificate, because it’s a common (and seemingly neutral) reason a website can get flagged, but it’s highly important to verify that the websites they visit are using the Secure Sockets Layer (SSL) protocol to keep data transmission encrypted. When it is in use, the browser will display a security padlock, usually located in the address bar, and the website address will start with “HTTPS.”
Google’s release of Chrome 68 identifies websites that have not adopted HTTPS as not secure in order to alert the user that the connection is not private and that their personal data may be at risk.
5. Implement Multi-factor Authentication
Cyber criminals have perfected techniques to obtain user credentials. Make hacking into your accounts more challenging for them by implementing multi-factor authentication for remote access, email, social media and bank accounts.
If your credentials are breached, cyber criminals may have your user name and password, but they won’t have something only you have, like a security token or an authentication code.
6. Use Endpoint Security
Secure your business and home computers: install good anti-malware / anti-virus software on all devices. (Free anti-virus solutions can limit your real-time protection and can’t be relied on to update on a daily basis. Avoid them.)
Create an additional level of protection by removing administrator access on workstations. Without an administrator user ID and password, malicious software from infected websites cannot be installed. Doing so can be inconvenient for both the user and IT department, but will help mitigate the risk of malware or ransomware attacks, and provide one less vulnerability cyber criminals can use to their advantage.
How REDW’s Cybersecurity Advisors Can Help
From cybersecurity experts to auditors and assurance professionals, our team helps established IT practices to expand as needed—adapting to the digital world to better protect, elevate and empower your business. If you have questions or would like to further discuss how to strengthen your baseline security measures for your team’s remote or in-office setups, please contact Jennifer Moreno.
Look forward to next week’s blog touching on data breaches, security awareness training, and mobile threats. Until then, #BeCyberSmart!