Teleworker Security: Tips to Protect Your Remote Workforce
The dramatic expansion of remote work in response to the COVID-19 outbreak has raised concerns about teleworker security. According to KnowBe4, a leading security awareness platform, phishing attacks increased over 667% in March 2020. With many of our clients shifting to a remote workforce almost overnight, it became clear for all of us at ivision that connectivity and security would be at the forefront of business concerns.
While there is never a one-size-fits-all approach for every company, we’re addressing some of the most common pain points that we see – and their solutions. Whether it’s your technology or its users, securing your organization’s information should be a top priority.
Moving your workforce to their home networks – which are largely unmonitored and often consisting of vulnerable WiFi and IoT devices – creates a huge opportunity for cybercriminals. Users outside of the corporate infrastructure and perimeter have a higher exposure to network attacks and phishing. Not only that, but your employees are likely looking at freeware and unmanaged applications to make their lives easier. Those applications are outside of the corporate governance but are now being leveraged by corporate assets.
What’s more, many companies are realizing that their current tools were not designed to work over the internet or VPN. The tools that they rely on to monitor, log and update for security vulnerabilities aren’t performing within a disconnected infrastructure. We have a few simple recommendations that are useful for organization of any size:
- Use a Virtual Desktop Infrastructure (VDI) if possible when allowing connectivity to applications. Do not allow any data to pass between the virtual session and the home workstation. This means disabling shared drives or even access to the clipboard. VMware, Citrix, Amazon Workspace and Azure Windows Virtual Desktop are all excellent options for VDI.
- Develop a tiered level of remote access to limit risk. Permit controlled devices to have higher access and least-controlled devices to have minimal access when connected to the production infrastructure.
- Use Mobile Device Management tools to separate corporate data from personal data.
- Deploy Web Hygiene Protection tools to protect where users may travel on the internet.
- Use MFA for all connectivity to work applications. This includes SaaS applications that are not hosted in your corporate datacenter.
- Patch, Patch, Patch. Develop a patching strategy that stays on top of zero-day vulnerabilities. For your remote users, invest in tools and a process that will continue to analyze and patch your endpoints wherever they may be.
Training your users
It’s important to remember that even if you have the right technology, your users need to be educated on security. For example, a VPN will only secure the communication channel between the corporate network and the employee’s workstation. It does not protect from personal (and vulnerable) routers and wireless controllers that are maintained by the employee.
There is also an all-time high of COVID-19 social engineering and phishing attacks. It’s critical that you educate your users on how to properly identify these emails. This includes identifying attacks on personal email accounts your user may be reading on their corporate workstation.
If you have secure technology in place, the best thing you can do is enforce a teleworking policy with a focus on security. Take any available downtime to push Security Awareness Training. You may not be able to control the home office LAN, routers, wireless access points, printers, and the hundreds of IoT devices – but educating your users on security threats will more than pay for the cost of training.
ivision Security Checklist for Individual Users
Use a password management tool and proactively change all duplicated passwords.
Do not use Administrator accounts for daily use. Only elevate when purposely installing software. This will mitigate 94% of critical vulnerabilities that are patched by Microsoft.
Use the best possible protocol (usually WPA2) for your home wireless internet and frequently change the admin password. Do not leave the default password from setup.
Pay attention to bandwidth/connectivity issues and always look at what devices are connected to your Wi-Fi. If you don’t recognize a device and can’t identify what it is – remove it and update your Wi-Fi password.
Never let anyone else in the house use your device. They could potentially compromise its security by falling victim to phishing attacks or malicious sites. Your family members may simply want to check their email or browse the internet, but don’t let them.
Use your VPN when connecting to business applications. A VPN encrypts the connection from your machine to the office. It also allows for security updates that you might not normally receive when connecting over the internet.
Do not share your Wi-Fi password with anyone outside your home. If you have guests, it is best to set up a guest network for them to access the internet. Most routers/access points have this feature, and you can disable the guest network when it’s not in use.
Keep your router firmware updated with the latest releases. These devices have a long history of vulnerabilities. If available, enable auto-update.
Keep all operating systems and applications up to date. If this is not happening automatically on your corporate laptop, alert your company’s IT support team.
Disable automatic configuration via WPS (if your router supports it). Having it enabled allows unauthorized individuals the potential to gain access to your network.
Best Practices for Public Venues
While most of us are connecting to private home networks right now, we will be working in coffee shops and traveling through airports again in the future. Users should be aware of these two rules for working at a public venue.
Beware public hotspots
Rule number one: don’t connect to an unsecured, public network. Never trust the obvious hotspots such as “Free Public Wi-Fi.” In some cases, like at an airport, it might say “<Airport Name> Public Wi-Fi.”
If you must connect to public Wi-Fi, always use your company VPN. If possible, use your cellular network – which generally requires a service plan with a cellular provider – instead of public hotspots to connect to the internet. Turn off Bluetooth when you don’t need it, though, as that is another way someone could gain access to your machine.
If connecting to Wi-Fi at a coffee shop, library, or other venue, always ask for the connection information from an employee. Even if it’s written on a blackboard, ask them to confirm. That way, you know you’re connecting to the correct Wi-Fi.
Watch your devices
Don’t leave your laptop or other device unattended. Not only could someone gain access to your machine, they could steal the entire device. Even if you are only walking a few feet away to pick up your coffee or meal, always lock your device if you aren’t taking it with you.
Never let anyone else use your device. This is especially true for corporate-owned devices, which should not be used by anyone other than the employee they were issued to.
Most importantly, use good judgment. Be aware of your surroundings. Situational awareness in public areas is key for making sure that your online experience remains secure.
Keep your teleworkers secure
It’s critical that you make secure teleworking a priority right now. For additional guidance, be sure to review the below resources from trusted sources:
- NIST- SP 800-46 Rev. 2- Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- NIST – SP 800-114 Rev. 1 – User’s Guide to Telework and Bring Your Own Device (BYOD) Security
- SANS Security Awareness Work-from-Home Deployment Kit
As always, let us know if there are any challenges within your teleworker security that require assistance. We are here to help keep your systems running smoothly and securely – no matter where your users are.