Guide to Remote Work Security

Plans, Policies and Procedures

• Cyber-Incident Response Plan. Does your organization have a documented Cyber-Incident Response Plan? And, if you do have one, when was the last time you updated it? And if you have, when’s the last time you and your team went over it together?
• Cybersecurity Policies and Procedures. If COVID-19 hasn’t changed your cybersecurity policies and procedures, it should have. Look for gaps that indicate your exposure to work-from-home cyber vulnerabilities.
• BYOD Policy. If you allow your employees to bring their own devices to work, and if you have that permission documented in a BYOD Policy, is that policy still accurate, now that employees are using devices at home that your current policy may not cover?
• Remote Working Policy. If you had remote workers before COVID-19 hit, you likely have a documented remote working policy. Now that a larger percentage of your workforce is working from home, is that policy still accurate and comprehensive enough to reflect the current situation?
• IT User Policy. You likely have a policy that governs acceptable uses of company-issued computers and devices. But is your acceptable use policy still relevant now that many of your workers are using their work computers at home? Plus, have all your WFH employees signed it?

Training

• Security Awareness Training. Does your cybersecurity training reflect the new WFH reality? If your organization is typical, most of your cybersecurity training concentrates on best practices to be used within the four walls of your corporate offices. But what about training that includes the new cyber threats your staff are facing at home?
• WFH Employee Awareness. Are your WFH staff aware of the increased threats posed by unsecured home networks, personal devices, phishing attacks and more? If you have not conducted any new or refresher training since the pandemic hit in 2020, your staff are likely in the dark, unaware of the threats they (and your corporate networks) face.

Compliance

• Security Standards. Are you subject to ISO 27001, NIST, CMMC, FAR/DFARS, HIPPA, CJIS, FINRA, or other security standards? Are you in compliance with those standards? Have those standards changed since COVID-19 arrived and your security posture changed?
• Data Privacy Regulations. Are you subject to GDPR, CCPA, PIPEDA or other data privacy regulations? Have any of those regulations changed in recent months to reflect the new reality of work from home? Plus, are you in compliance today?
• Supplier Policy. Your suppliers may present a weakness in your cybersecurity defenses. If you operate an ERP, supplier portal or other system that gives your suppliers access to your remote employees, and vice versa, have you checked that your suppliers meet your standards for WFH security?

Testing

• Vulnerability Scanning. When did you last conduct a vulnerability scan of your corporate network? Are you testing your networks frequently enough? Do your tests reflect the kinds of attacks that cybercriminals are mounting after breaching work-from-home employee accounts?
• Firewall Configuration Review. Is your corporate firewall configured to reflect the latest WFH threats? Have you reviewed your firewall configurations recently, and tested their validity and effectiveness?
• Remote Access Security Review. If you have remote workers, you have increased security vulnerabilities. If you have increased numbers of remote workers, you have increased numbers of vulnerabilities. Have you hunted for remote access vulnerabilities recently?
• Phishing Assessment. One of the greatest threats you face is phishing and spear phishing expeditions conducted against your WFH employees. When did you last go on a white-hat WFH phishing expedition to discover how alert your employees are to these attacks?

Safeguards

• Software. Some of the protections against WFH attacks involved people and training. Others involve software. Are your anti-virus and anti-malware software up to date, both on-premises and off-site, in your employees’ homes?
• MFA. How are you protecting your networks and data against attacks that are made possible through the theft or loss of login-credentials? For example, do you require WFH employees to use multi-factor authentication to access corporate networks?
• VPN. Are you operating a Virtual Private Network that enables your WFH employees to send and receive data across shared or public networks as if their computing devices are directly connected to your private network? Do you require your WFH staff to access corporate networks through your VPN?
• Encryption. Some threats come from portable devices (laptops) and removable storage devices (USB drives). Are you guarding against cyberattacks by insisting that all remote worker hard drives and USB drives are encrypted?
• Storage. Do you prevent WFH staff from saving sensitive documents to personal devices, devices that can get stolen from homes and cafes?

Secure Identity and Access

• Passwords. Ensure that WFH employees are using strong passwords. Strong passwords are hard to guess, by humans and by computers. Require that employee passwords contain a larger number of characters, and contain a mix of numbers-, upper- and lower-case letters, and special characters.
• MFA. Employ Multi-Factor Authentication so that WFH staff need more than a simple username and password to log in to corporate devices, accounts, and networks.
• Lost credentials. Protect against lost or stolen login credentials with MFA and self-serve password reset.

Secure Personal and Company-Owned Devices

• Devices. Require employees to keep all work documents and data on company-owned devices.
• Remote Desktop. Enable remote desktop access so that apps and data are no longer stored on WFH computers.
• Storage. Limit the diversity of storage repositories available to WFH employees to limit the number of avenues of attack.
• Apps. Prevent employees from using cloud-sharing applications that have not been vetted for privacy and security.
• Operating Systems. Ensure that employees secure their devices based on best practices for their operating system, whether Windows or Apple OS.

Safeguard Confidential Business and Customer Data

• VPN. Ensure that all WFH employees access corporate networks only through secure VPN connections.
• Backup. Backup data on remote devices to guard against loss or theft. Don’t allow employees to only backup data on local devices in their homes. Insist that another backup is also made to a device outside the home.
• Encryption Encrypt email communication and all sensitive documents so that any data intercepted in transit by cybercriminals is protected.

Protect Your Users Against Cyberthreats

• Training. Protect against accidental data leaks by training WFH staff how to recognize and avoid phishing attacks.
• Spoofing. Defend against impersonation and spoofing by using software that protects WFH employees against these threats (Defender for Office 365, for example).
• Malware. Deploy AI-powered malware scanning to detect malicious email attachments.
• Web content. Guard against malicious web content by filtering for offensive, inappropriate, and dangerous content.