In the past, companies that were not set up for secure remote work simply did not undertake the task. The coronavirus pandemic changed all that. This year, companies that implemented an ad hoc work from home policy to stay productive during lockdown periods likely placed their data at risk unless it included a robust remote workforce security component.
Ensuring that remote work is happening safely and securely means protecting the individual devices employees use to access company data, as well as the data center and network infrastructure that stores and serves it. Companies must remember to extend infosec practices and policies to everyone accessing company assets, including any third-party vendors they use.
It’s advisable to build security practices into an encompassing plan for supporting a remote workforce in an effort to keep it as productive as possible. Think of it as an essential component of managing a dispersed team successfully. We’ll discuss the tools and operations that companies employ to strengthen their security profile when they have team members working beyond the reaches of the company network.
Conduct a baseline assessment
Each company has unique security needs, and an important first step involves identifying and documenting what those needs are. This starts by answering a few basic questions about how employees access company data, and gathering specifics about the devices they are using.
- What devices are they using? Are employees using their own devices, or are they bringing home company-issued endpoints for work? A BYOD setup requires a few extra steps, but is not impossible to secure.
- What applications are in use? Ideally everyone at the company uses the same collaboration software. This simplifies the rollout of educational materials and tutorials related to infosec best practices. Obviously not every employee needs access to every application in the company ecosystem; documenting who uses which applications closes gaps in the scope of what needs to be secured.
- What network equipment do they use? Residential network equipment may introduce a range of security risks, so make sure employees are instructed about how their home network equipment can be configured for safety.
- Do employees manage any protected data? Organizations that handle health records or other data protected by privacy laws have additional compliance obligations governing how that data must be protected.
Secure access with 2FA on endpoints
Two-factor authentication (2FA) makes logins more secure by requiring a second means of identity verification. For example, when logging on to the company domain, employees enter a username and password and then receive a one-time code on their cell phone, which they enter to complete the logon. You can implement 2FA a number of ways—using smart cards or key fobs, biometric capture, or endpoint security suites that roll 2FA into their offerings. Many business laptops have fingerprint readers that can support 2FA policies for remote security.
Consider MDM solutions
Mobile device management (MDM) solutions let an organization control the devices employees use for work; administrators can enroll and monitor endpoints remotely. MDM fits both a Bring Your Own Device (BYOD) environment and a Corporate Owned, Personally Enabled (COPE) setup, but a given MDM product may suit one model better than the other, depending on scale and other business requirements.
Rolling out MDM is generally easier in a COPE setting. Organizations may work through a cellular carrier or a device manufacturer, many of which offer device management built around the authentication model the organization wants in place.
If employees are BYOD at work, admins must discover which devices they are using and choose a solution compatible with those devices. Policies for BYOD workplaces can range from relaxed to restrictive. Users may have access to corporate resources while allowing IT selective control over their personal device—PIN and 2FA requirements, for example. Or users might set up a corporate profile on the device that prevents sensitive data from being stored on the personal device's local storage.
In general, MDM solutions offer remote monitoring, cloud-based updates, passcode enforcement, backup and restore, website blacklisting, and other tools that help enforce security policies across a dispersed workforce. There are dozens of MDM solutions available; the bigger names include Citrix XenMobile, VMware AirWatch and Microsoft Intune.
Scaling up the VPN
Over the past 15 years, a virtual private network (VPN) has become standard practice for providing secure access to the company network and all the assets on it—from shared file storage to collaboration software and line-of-business applications. A remote access VPN encrypts the connection between the employee's device and the company network: the user logs on with a VPN client on their device, which then connects to a network attached storage server or a set of servers in the data center.
Placing VPN logons behind 2FA is always recommended. In the past, companies may have conducted only a small amount of business over a VPN connection. During the pandemic, companies had to funnel their entire workload through the VPN, potentially overwhelming its capacity and degrading performance for users.
As a workaround, increasing network bandwidth between the VPN servers and the wide area network (WAN) can improve performance. A split tunnel approach—wherein only sensitive, work-related traffic passes through the VPN into the company data center, while other traffic goes directly to the internet—reduces the load on company network infrastructure. The trade-off is that traffic outside the tunnel bypasses the company's network controls, so endpoint protection on the device matters more. To keep operations secure, IT must also keep the VPN software patched and check its logs regularly for irregular patterns.
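Checking VPN logs for irregular patterns is more reliable when the patterns are written down as rules. The script below is an added example, not code from the original article: the log line format, user names, addresses and thresholds are all constructed for illustration, since every VPN gateway logs in its own format, and the three rules (a run of failures followed by a success, one account succeeding from several addresses in a short time, and logons during off-hours) are common starting points rather than anything the article prescribes.

```python
"""Added example (not from the original article): a first-pass review of VPN
authentication logs for the "irregular patterns" IT should look for. The
line format and every log line below are constructed for this example;
real VPN gateways each log differently, so adapt LOG_RE to yours."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed format: "<ISO-8601 UTC> vpn <auth_ok|auth_fail> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn "
    r"(?P<event>auth_ok|auth_fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z vpn auth_ok user=alice src=203.0.113.10
2024-03-04T08:05:40Z vpn auth_fail user=bob src=198.51.100.7
2024-03-04T08:05:42Z vpn auth_fail user=bob src=198.51.100.7
2024-03-04T08:05:44Z vpn auth_fail user=bob src=198.51.100.7
2024-03-04T08:05:46Z vpn auth_fail user=bob src=198.51.100.7
2024-03-04T08:05:49Z vpn auth_fail user=bob src=198.51.100.7
2024-03-04T08:05:53Z vpn auth_ok user=bob src=198.51.100.7
2024-03-04T09:10:00Z vpn auth_ok user=carol src=192.0.2.20
2024-03-04T09:25:00Z vpn auth_ok user=carol src=192.0.2.77
2024-03-04T09:40:00Z vpn auth_ok user=carol src=198.51.100.200
2024-03-04T03:15:30Z vpn auth_ok user=dave src=203.0.113.55
2024-03-04T08:30:00Z vpn auth_fail user=alice src=203.0.113.10
2024-03-04T08:30:10Z vpn auth_ok user=alice src=203.0.113.10
this line is not in the expected format and is skipped
"""

Event = Tuple[datetime, str, str, str]   # (time, event, user, src)
Finding = Tuple[str, str, str]           # (rule, user, detail)


def parse_vpn_log(lines) -> List[Event]:
    """Parse recognised lines and sort by time (syslog relays can reorder)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # in production, count these: a spike in unparsed lines is itself a signal
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def review_vpn_log(lines, fail_threshold=5, fail_window=timedelta(minutes=5),
                   src_min=3, src_window=timedelta(hours=1),
                   off_hours=range(0, 5)) -> List[Finding]:
    """Apply three rules; the thresholds are constructed defaults to tune per site.
    fail_then_success: >= fail_threshold failures within fail_window, then a success.
    multi_source: one user succeeds from src_min distinct addresses within src_window.
    off_hours: a success whose UTC hour falls in off_hours."""
    findings: List[Finding] = []
    recent_fails = defaultdict(list)   # user -> failure timestamps inside fail_window
    recent_ok = defaultdict(list)      # user -> (timestamp, src) successes inside src_window
    for ts, event, user, src in parse_vpn_log(lines):
        if event == "auth_fail":
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= fail_window] + [ts]
            continue
        fails = [t for t in recent_fails[user] if ts - t <= fail_window]
        if len(fails) >= fail_threshold:
            findings.append(("fail_then_success", user,
                             f"{len(fails)} failures then success from {src} at {ts:%H:%M:%S}Z"))
        recent_fails[user] = []
        recent_ok[user] = [(t, s) for t, s in recent_ok[user] if ts - t <= src_window] + [(ts, src)]
        sources = {s for _, s in recent_ok[user]}
        if len(sources) == src_min:   # fires once, when the threshold is crossed
            findings.append(("multi_source", user,
                             f"{len(sources)} source addresses within {src_window}: {sorted(sources)}"))
        if ts.hour in off_hours:
            findings.append(("off_hours", user, f"success at {ts:%H:%M}Z from {src}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_vpn_log(SAMPLE_LOG.splitlines()):
        print(f"{rule:18} {user:8} {detail}")
```

Run against the constructed sample, the review flags dave's 03:15 logon, bob's five failures followed by a success, and carol's three source addresses in half an hour, while alice's single failed attempt stays below the threshold. Once 2FA is in front of the VPN, the first rule still matters: a burst of failures that ends in success can mean a password was guessed and the second factor was then approved by a tired user.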
Use a password manager
Practicing good security hygiene isn’t always convenient for end users, and a password manager is a great way to make it a little easier. Specifically, password managers make it easy to create and remember unique, strong passwords for web applications. This helps remote workers assume a good security posture by reducing the level of effort tied to password habits. Many antivirus and security software suites include password management functionality.
Conduct anti-phishing user training
Security experts time and again emphasize that educating users with anti-phishing training safeguards company data better than any hardware can. In our own customer surveys, social engineering vulnerabilities are cited most often as the greatest security risk to respondents' organizations. No matter how tightly your e-mail and messaging firewalls are configured, spam finds a way. And no matter how obvious you think spam e-mails look, people inevitably click on them.
Anti-phishing training is a must-have if you handle any private or protected customer data – a remote customer service team, for example, might be highly susceptible to fake e-mails that spoof a customer's correspondence. Technical solutions offer only an incomplete fix, and anti-phishing user training is the preferred method in the IT profession. The good news is that companies can build out their own anti-phishing training program relatively easily.
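The spoofed-customer e-mail described above leaves traces in the message headers, and those traces are useful both as a mail-filter rule and as teaching material for the training itself. The checker below is an added example, not code from the original article: it looks for a look-alike sender domain, an address smuggled into the display name, a Reply-To that redirects replies elsewhere, and urgency wording in the subject. The trusted-domain list, both sample messages and the confusable-character table are constructed for illustration.

```python
"""Added example (not from the original article): header checks that flag
a spoofed "customer" e-mail. The trusted-domain list, both messages and the
confusable table are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"customer.example", "corp.example"}

# Constructed, deliberately small table of look-alike substitutions.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

URGENCY_WORDS = ("urgent", "immediately", "verify your account", "password expires")

# Constructed legitimate message.
LEGIT_MESSAGE = """\
From: "Jane Doe" <jane@customer.example>
To: support@corp.example
Subject: Re: March invoice

Thanks, the revised invoice looks right.
"""

# Constructed spoof: look-alike domain, real address in the display name,
# replies redirected elsewhere, urgency in the subject.
SPOOFED_MESSAGE = """\
From: "Jane Doe (jane@customer.example)" <jane@custorner.example>
Reply-To: accounts@mail-relay.example
To: support@corp.example
Subject: URGENT: updated bank details, reply immediately

Please update our payment details before today's run.
"""


def normalize_domain(domain: str) -> str:
    """Fold common confusable substitutions so that custorner -> customer."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typosquats (customr.example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if normalize_domain(domain) == normalize_domain(t) or edit_distance(domain, t) == 1:
            return t
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str, trusted: Set[str]) -> List[str]:
    """Return human-readable indicators; an empty list means none of these checks fired."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    indicators = []
    target = lookalike_of(from_domain, trusted)
    if target:
        indicators.append(f"sender domain {from_domain} resembles trusted domain {target}")
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        indicators.append(f"display name shows @{m.group(1)} but mail is from {from_domain}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append(f"replies go to {domain_of(reply_addr)}, not to {from_domain}")
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        indicators.append("subject presses for urgent action")
    return indicators


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, phishing_indicators(raw, TRUSTED_DOMAINS) or ["no indicators"])
```

In a training exercise the same function annotates the sample messages, so the team can see exactly which header gave the spoof away. The edit-distance rule is the one to tune: legitimately similar partner domains one character apart will trip it, so in practice the trusted list is curated and matches are reviewed rather than blocked outright.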