As COVID-19 continues to spread and affect businesses worldwide, more and more companies are requiring that their employees work from home. Unfortunately, while working from home will hopefully help prevent the virus from spreading, it does present a host of potential security pitfalls that many companies may not be prepared to deal with. If your organization falls into this category, or even if you just want to cross-check the precautions you already have in place, we recommend that you review the following steps toward ensuring total security for your employees at home.
Most at-home work environments are not equipped with the same security mechanisms that company environments are. Because of that, when employees work from home, they may unintentionally compromise organizational data without even realizing it. In order to prevent that compromise, it’s important that company IT teams “harden” any company devices that will be used outside the workplace (including laptops, smartphones, and tablets) to ensure that data remains secure. Among other things, hardening may involve:
- Installing a firewall
- Installing anti-virus software
- Disabling automatic logins
- Disabling scripting host
- Disabling file sharing
- Disabling remote access
- Disabling cookies
- Installing company approved applications (email, word processing, spreadsheet, etc.)
- Enabling automatic systems updates
- Enabling encryption
- Setting up file backups
- Setting up a password manager
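
As an added example (not part of the original article), the following read-only PowerShell audit checks several items from the list above on a company laptop. It assumes Windows 10/11 with Microsoft Defender and BitLocker and an elevated session; `Add-Check` and `Get-RegValue` are helper names made up for this example.

```powershell
# Read-only audit of several hardening items from the checklist above.
# Assumptions: Windows 10/11, elevated PowerShell session. Nothing is changed.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check([string]$Item, [bool]$Pass, [string]$Detail) {
    # Hypothetical helper: records one checklist result.
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Firewall: every profile (Domain, Private, Public) should be enabled.
$off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
Add-Check 'Firewall' ($off.Count -eq 0) "Disabled profiles: $($off.Name -join ', ')"

# Anti-virus: Defender only; a third-party product needs its own check.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Add-Check 'Anti-virus' ([bool]($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) 'Microsoft Defender real-time protection'

# Automatic login: AutoAdminLogon=1 signs a stored account in at boot.
$auto = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'AutoAdminLogon'
Add-Check 'Automatic login disabled' ($auto -ne '1') "AutoAdminLogon=$auto"

# Windows Script Host: stays enabled unless Enabled is explicitly set to 0.
$wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
Add-Check 'Scripting host disabled' ($wsh -eq 0) "Enabled=$wsh"

# File sharing: ignore built-in administrative shares (C$, ADMIN$, IPC$).
$shares = @(Get-SmbShare | Where-Object { -not $_.Special })
Add-Check 'File sharing disabled' ($shares.Count -eq 0) "User shares: $($shares.Name -join ', ')"

# Remote access: fDenyTSConnections=1 means Remote Desktop is refused.
$rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
Add-Check 'Remote access (RDP) disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"

# Encryption: BitLocker protection on the system drive.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Check 'Encryption enabled' ($bl.ProtectionStatus -eq 'On') "Volume status: $($bl.VolumeStatus)"

$results | Format-Table -AutoSize -Wrap
# A non-zero exit code lets management tooling flag the device for follow-up.
if ($results.Pass -contains $false) { exit 1 }
```

Items the script does not cover (cookies, approved applications, backups, password manager) still need to be verified through the organization's own tooling.
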
Additionally, if individuals need to use personal devices for work purposes, they should be instructed to follow certain security procedures to harden those devices:
- Installing anti-virus software
- Making sure that default passwords are changed, and that strong passwords/passcodes are used in their place, along with multi-factor authentication
- Setting up a locked-down, role-based account that only they have access to
Note: Because utilizing personal devices for work poses more inherent difficulties and risks when it comes to protecting data, the company Information Security Policy (ISP) should lay out specific guidelines and limitations for their use.
Finally, the IT department should ensure that all devices that are going to be used from home for company purposes are documented in an asset tracking system so that they can be properly managed.
Unsecured networks pose one of the biggest threats to organizational data. Unfortunately, once you send devices out of a locked-down office environment and into a home or other outside workspace, you lose some control over what networks are used, and how. However, there are security protocols that can be enforced on both company and personal devices to help mitigate that risk:
- Provide employees with an Ethernet cable, and encourage them to use that rather than connecting to a WiFi network
- Install a Virtual Private Network (VPN) on all laptops, and require that employees turn it on whenever they do need to connect to WiFi
- Forbid use of a company device or access to any company data on an unsecured public network
- Be aware of “smart” devices that may exist in an employee’s home, and provide instructions for how to secure those devices. If smart devices are at risk or not properly updated, they should be disabled and removed from the network. Additionally, many devices, such as digital assistants, can “listen” to conversations; to ensure confidentiality, they should also be turned off during working hours.
Transitioning to remote work also provides a perfect opportunity to examine what data is being stored on users’ devices and to securely dispose of anything that’s no longer needed. Per GDPR, this should be done regularly to ensure that no information is being stored unnecessarily; it simply makes sense to take this action prior to releasing data and devices into a remote environment. Your ISP should already dictate the necessary steps for performing data cleanup; if not, review GDPR’s recommendations and proceed accordingly. In many cases, employees can perform some of the steps for removing unneeded data themselves: if you don’t have the time for a full overhaul, start there.
Working from home can also present unique physical challenges to data and devices. Keeping private documents or other information secure against unauthorized eyes may prove tricky; additionally, devices themselves might be in more danger of being damaged or tampered with, especially where children or pets are involved. Some of these threats simply require additional care and caution on the part of the employee. However, as an employer, you can provide tools like privacy screens and locked cases to help.
There’s no doubt that this transition creates additional work and increases threats to organizational security. However, it can also provide opportunities for our organizations to become more thoughtful about security, and even to implement security measures that may have been lacking before. As we revisit how our devices are configured, consider what precautions they’re equipped with, or even take these slower work weeks to implement some much-needed Security Awareness Training, we might just exit this strange and difficult time stronger and more secure than ever before.