20 Aug 2020
Cybersecurity 101 in times of remote work
The COVID-19 related lockdown was a major driver for companies all over the world to embrace remote work. Although restrictions are being reduced in the vast majority of countries, the benefits of remote cooperation recognized during the past months have increased the importance of this model, and a growing number of companies are deciding to let their employees keep working from home.
At the same time, remote work creates several challenges that have to be addressed to make cooperation seamless. In this article, we want to focus on one of these – cybersecurity. Working from outside the office forces employees to rely on external networks and internet connections to access company resources, which gives you fewer ways to guarantee security. But with a few golden rules applied you will be good to go. That’s why we want to share our experience (home working was nothing new within our company). Below you will find 10 fundamentals you should always cover and keep in mind to make sure that all your company resources are safe as houses wherever your employees work from.
The first step to safe remote work is choosing the network you/your employees connect to: whether it’s private or public, whether it’s password protected, and whether it’s known and trusted or you are logging into it for the first time. All of these aspects can raise the security level but also lower it. When using a private home network, we can feel safer (of course, if we have configured it properly in advance), but if we’re forced to use open networks we can’t be sure whether they are configured properly or how many vulnerabilities they have, since we don’t know who supervises them and to what extent. In such situations, a more secure and recommended solution is to access the Internet using your mobile phone, especially nowadays, since data plans and speed limits are at an acceptable level, even if you additionally use the VPN.
Even if you/your employees are using a personal home network, the primary channel for connecting to corporate resources from outside the office should always be the VPN. A Virtual Private Network provides an encrypted tunnel between the device and the target server, ensuring the desired confidentiality. VPN is one of the basic and well-known tools used in remote work environments such as the home office, so rather than elaborate on it, let’s cut to the chase – if your employees need to access company data using an unknown network, it should be possible only through the selected VPN.
Antivirus software and firewalls may be considered security guards for our terminal equipment connected to the Internet. The task of the firewall is to filter the packets sent and received, block services that seem suspicious, and determine which process or application has the right to access the connection. Nowadays, the firewall itself is often insufficient to defend against all threats, so additional antivirus software is necessary to detect, block, and remove malware. Remember that antivirus software is only as effective as its virus library is current, so it is recommended to update it as often as possible. And that leads us to the following point, which is…
There is no doubt that system and software updates go hand in hand with security. To protect ourselves against attacks targeting the various vulnerabilities our systems might have, we have to keep our finger on the pulse of updates for the system, the software, and the previously mentioned antivirus. Every system or application has security vulnerabilities, and it is the updates that allow us to reduce their scale and therefore our exposure to attacks.
Nowadays most internal systems or networks cannot be accessed without individual logins and passwords, which are a fundamental part of certifying our identity. As a result, these are often the target of hackers who want to get into our mail account, social media, company servers, or, above all, the banking service. That makes password disclosure and the subsequent unauthorized access to data the lion’s share of cybercrime. Therefore, it is crucial to create and adopt strong password policies that cover at least:
- the necessary complexity including a minimum number of characters, digits, and special characters,
- frequency of required changes,
- safe storage of passwords,
- using the passwords only on trusted and protected equipment,
- never applying the same password to more than one system.
Additionally, if you work with sensitive data, it’s highly recommended to use a more advanced system such as MFA. This way, even if the password and login leak, hackers would still not be able to obtain access. The benefits of implementing such a solution exceed the related costs, so if you’re about to create a security to-do list, remember to include this as well. The point at which to run the additional verification depends on the particular case, but you can implement it, for example, for logging into the corporate account or the VPN.
Writing about cybersecurity, we can’t forget about physical security, which might require more or less attention depending on where you work but under no circumstances can be omitted. Whether you/your employees work from the office, home, or another location, everyone must remember to properly secure their device, since the threat comes not only from the internet. Always lock the computer when leaving it, and if there is even a slight risk that someone might take it, even by mistake, keep your eye on it. Additionally, if you work with sensitive data, make sure that no one is looking at your screen over your shoulder.
Unfortunately, even if you do your best to keep the device you’re using safe, you might get robbed. That’s when disk encryption comes to the rescue, because it’s designed to protect data on the device so it can only be accessed by authorized persons. If the whole device or the drive itself is stolen and it was encrypted, we can rest assured that the data it contains will remain confidential. To encrypt the hardware you can use one of the many available dedicated tools, but if you/your employees use Windows-powered computers, the system offers a built-in dedicated function that will do the trick. However, even with this feature on and running, it’s best to store on personal drives only the data we need at a given moment. Everything else should be stored in the organization’s dedicated places or systems. That makes the data not only better protected against loss of confidentiality, but also available in case of hardware failure. And that brings us directly to the next thing we want to describe…
Mobile devices’ hard drives will never guarantee the same level of data backup and security as the servers of an organization. Company data should be stored primarily in dedicated places such as network directories, systems, etc. These are subject to well-developed data archiving policies, and the backups themselves are tested for quality and effectiveness. As we stated in the previous paragraph, mobile devices’ drives should be used to store only the data needed on a given day or at a given moment. This way, whatever happens to the device, the results of the work will be safe and accessible.
Since we’re approaching the bottom line, now comes the time for what has always been, is, and will be one of the best safeguards: employees who are conscious of the risks and of the ways to mitigate them.
If your employees are not aware of the potential risks, they can unintentionally contribute to the leak of important data from the organization. For this reason, training or information campaigns should be conducted on the threats coming from outside and inside the network, both for newly recruited employees and for those you have cooperated with for a long time. The training should include not only general information about security issues but also position-specific issues. Although long-term employees usually know very well their organization, its strengths and weaknesses, and in particular their scope of work and the risks associated with it, it is best to keep them updated on all changes and improvements regarding security. Remember to inform your people about social engineering and ways of protecting themselves from this threat. This kind of attack targets your employees directly and uses them as a way into your resources. Sharing knowledge about such dangers and ways of identifying them is crucial for staying on the safe side.
What’s more, you should always stay in touch with the employees. Be open and talk with people at different seniority levels and about different topics. It is not unusual to learn from them about security gaps and vulnerabilities that were not detected during specialized audits or penetration tests. Remember that the final layer of security is the people who use and have access to your systems, and at the end of the day, we are all responsible for keeping our devices and data secure. Encourage your people to share all their thoughts about cybersecurity policies and potential vulnerabilities/fields for improvement so you can act rather than react.
Last but not least – be ready to act if things go south. Effective management of security incidents within the organization is of great importance when facing an increase in the number and diversity of threats and vulnerabilities – which is exactly what happened when “home office” became a necessity. Security incident management usually consists of reporting incidents and then having them handled by specialized cells. Incidents can be reported by all employees of the organization, as well as by third parties. By mishandling information about security incidents or delaying the response, the organization exposes itself to additional risks.
Even after the implementation of extensive security standards, there will always be vulnerabilities that we do not yet know about. Therefore, information security incidents may directly or indirectly affect business processes and the services provided. The key elements of any information security strategy should include:
- detecting and analysing security incidents,
- responding to information security incidents by activating appropriate safeguards,
- learning lessons for the future.
The main benefits for the organization are primarily risk reduction, a systemic solution for security incident management, and transparent criteria for classifying events as information security incidents, which as a result make you ready to act once an incident occurs.
Distribute teams and maintain security
If you take care of everything we described, would you be completely secure? Regrettably not. If there were a way to defend against all types of attacks, cybercrime would become a bad memory. The best we can do is to prepare as solidly as possible. If you work with highly sensitive data, you need to go even further. Although we have the best intentions, we can’t share all our tricks with you, just as no good magician shares how he brings the magic to life, so that hackers still cannot lay their hands on our resources. However, taking care of all the mentioned aspects gives you a solid foundation for running your business remotely and securely at the same time. And if you’re looking for an external partner that keeps your data as safe as possible – we’re ready to help and go through any security audit your company needs. It’s not being immodest – having worked with companies from the financial sector for several years, we have to maintain the highest security standards and regularly improve our internal policies, and we can help you adopt these.