Remote work security is suddenly a major concern as businesses have shifted to remote work during the COVID-19 pandemic. Shelter-in-place orders and businesses closing offices created millions of new remote workers overnight—and all the security concerns that come with it. Truthfully, we should have had work from home security policies in place long before the current crisis. People don’t just work remotely during times like these, they also work remotely:
- At conferences
- While at the coffee shop
- On transit
- From hotel rooms
- Anytime and anywhere an employee has a mobile device
You need a remote work security policy for right now as well as a longer term solution for all the times people work remotely that you didn’t think about until now. Use the work from home security policy below as a start for now, and keep using it once we get past this pandemic for ongoing remote work security.
Remote work security starts with strong passwords
It has been said time and again: you must secure your work accounts with strong passwords. Here are the password best practices you need for your remote work security policy:
- Passwords must be a minimum of 12 characters long; longer is better
- Do not use any of the most common passwords
- Require upper and lowercase letters, numbers, and symbols
- Emphasize that passwords should not be reused for other accounts to minimize credential reuse attacks
- Encourage password management tools. Now is a good time to deploy a company-wide app
- Users should change their passwords periodically. A mobile device management (MDM) tool can force password changes, ensure passwords meet minimum standards, and limit reuse
Weak passwords are easily defeated by dictionary attacks that guess thousands of passwords per second until the right one is found. Strong password protocols are the only way to protect remote workers from the easiest of hacks.
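As an added example (not code from the original article), here is a small Python validator that enforces the password rules listed above: minimum length, character classes, a common-password list, and a reuse check against a hashed password history. The common-password list is a constructed stand-in; a real deployment would load a published list.

```python
import hashlib
import re
from typing import List, Optional

# Policy values taken from the article's password requirements.
MIN_LENGTH = 12
# Constructed stand-in for a "most common passwords" list (assumption: a real
# deployment loads a published list rather than this short set).
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "letmein12345"}


def fingerprint(password: str) -> str:
    """Store only a hash of previous passwords so the history never holds plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, history: Optional[List[str]] = None) -> List[str]:
    """Return the policy violations for `password`; an empty list means it passes.

    `history` holds fingerprints (see fingerprint()) of the user's previous
    passwords and implements the "limit reuse" rule an MDM would enforce.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if history and fingerprint(password) in history:
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    previous = [fingerprint("Tr0ub4dor&3xample!")]
    for candidate in ("password", "Tr0ub4dor&3xample!", "N3w-Passphrase!2024"):
        print(candidate, "->", check_password(candidate, previous) or "OK")
```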
Strong passwords are a good start. The next step is using two-factor authentication (2FA), or even multi-factor authentication (MFA), where possible—especially on critical systems. MFA and 2FA add extra layers of security to accounts by requiring a second “password” to continue logging into a system.
Good examples are setting up 2FA on your LinkedIn account, Facebook, and other social media accounts. It may not be practical to put it on every single account, but it’s essential for the most critical accounts (e.g. email, server access, ecommerce systems).
Here are a few ways to set up two-factor and multi-factor authentication:
- Choose from this list of tools that already have 2FA built into them. You may find that tools you’re already using have two-factor authentication you can turn on.
- Use authenticator apps such as Google Authenticator, Authy, and Microsoft Authenticator.
- Purchase USB authenticator keys such as Yubico’s YubiKey 5 NFC, the Thetis Fido2, or Google’s Titan Key. These keys are considered more secure than traditional two-factor authentication that uses SMS messages.
All three of the options above will increase your remote work security. Pick the option that works best for your team, and explore implementing the more secure options for people with access to the most important data and servers.
Using VPNs and establishing communication channels
Businesses have been using virtual private networks (VPNs) for decades. VPNs allow employees to securely connect to a work server from any regular internet connection. VPNs encrypt the entire connection so all data transmitted back and forth between the remote worker’s device and internal systems and servers is secure.
Here are a few VPN provider suggestions:
There are a number of other options out there, but not all of them have business pricing plans like those above. A tool like Perimeter 81 also has certain features which make it ideal for business, so be sure to do your due diligence and choose the right provider.
Secure your communication channels
A VPN can only protect you so much. For example, VPNs do absolutely nothing to protect your team from email phishing attacks, in which an attacker pretends to be someone the recipient trusts in order to steal information from them.
Prevent phishing by establishing secure communication channels and procedures with your team:
- Education: Ongoing education is necessary. Be sure to inform your employees about common types of communications fraud. I suggest highlighting fraudulent links in emails, malware being downloaded from emails, and fraudulent invoices being sent through email.
- DMARC: Set up DMARC for your email domain. This free email authentication standard offers better protection from fraudulent emails.
- Verify: Email will always be vulnerable to phishing and various other attacks. Whenever an employee suspects something isn’t quite right, make sure they know how to follow up over a separate communication channel. This can include simply making a phone call, using a tool like Microsoft Teams, or even sending an SMS message directly to someone to verify what was asked.
- Update contact lists: Employees need to know how they are going to be contacted. Make sure everyone knows the correct email addresses, phone numbers, and other contact tools that will be used to get hold of them while working remotely.
These precautions all add extra layers of security for your communications. Having a VPN securing connections isn’t enough. You need layers of security and awareness and can’t rely on one method.
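To make the DMARC item above concrete, here is an added Python example (not from the original article) that parses a DMARC DNS TXT record into its tags and flags the settings that leave a domain exposed, in particular a monitoring-only policy. The records and domain names are constructed samples.

```python
from typing import Dict, List

# Constructed sample TXT records, as published at the _dmarc.<domain> DNS name.
SAMPLE_RECORDS = {
    "example-none.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "example-strict.test": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:reports@example-strict.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25",
    "example-broken.test": "p=reject",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs (RFC 7489 'tag; tag' syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> List[str]:
    """Return findings a defender should act on; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        # Receivers ignore a record without the version tag, so nothing else matters.
        findings.append("missing or wrong version tag; record is invalid and ignored by receivers")
        return findings
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag; record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, "->", audit_dmarc(record) or "enforcing")
```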
Secure all endpoints
An endpoint means any device which requests and then displays digital data. Smartphones, tablets, laptops, desktops, even “smart” thermostats and speakers all apply here. The endpoints of your business are a crucial security risk, and account for a large number of data breaches.
Mobile Device Management (MDM)
The point of mobile device management (MDM) software is to offer endpoint protection; some people call it Unified Endpoint Management (UEM), a more all-encompassing term. MDM software offers security in the following ways:
- Data deletion: When an endpoint has been lost and cannot be recovered, an MDM can delete all of the content on it. This is done from a dashboard with a few clicks of a mouse. Lost devices are one of the biggest remote working security risks, as they are the leading cause of data theft: 25.3%, according to a Bitglass report.
- Location: With so many devices out of the office, finding them when they are lost becomes paramount. An MDM will show you the exact location of the device.
- Policy enforcement: Telling your employees that they must have passcode standards is one thing, but being able to enforce that is the job of an MDM. This tool forces employees to follow your passcode requirements.
- Standardized apps: MDMs make sure everyone has the same apps for communication and productivity. An MDM will automatically set everyone up with the same communication apps.
- Insider breach: Another common form of data loss happens when someone leaves the company, but you do not revoke their access to data quickly. When people have sensitive data on their mobile devices it is even more serious. MDMs let you quickly “offboard” someone and their devices, just as if the device were lost.
When it comes to securing mobile devices in a remote work world, there is no substitute for an MDM. With device theft still the number one cause of data breaches, you can’t afford not to have one on hand to quickly solve this large problem.
Install updates regularly
The majority of updates sent out are not for pretty design features; they are for security. Zero-day attacks have to be stopped in their tracks, and the only way to do this is with constant updates. Windows is famous for its “Patch Tuesdays”, when updates are sent out.
You must be sure your employees do this as part of your work from home security policy, but an MDM can force those updates if they don’t. You need to take care of your business and be sure it is protected, and forcing updates on company-related software is a way to do this.
Device lock screens
Requiring all devices to have lock screens not only prevents data theft when an attacker picks up a device while someone is away, but often also enables full device encryption.
Not all device locks are created equal though. Read about the options and educate your employees:
- Passcode: Most phones require a minimum of 4 characters, but enterprise-grade MDMs—like SKY WORK—require a minimum of 6 characters. Passcodes are the most basic security for devices and should be used.
- Pattern: Users like them because they’re simple to remember, but they are vulnerable. It is very easy to see a pattern over someone’s shoulder and duplicate it. A study has shown that people can memorize a pattern unlock from 6 feet away. You should not encourage their use.
- Fingerprints: This is a biometric I’ll look at separately from other forms. While we all have unique fingerprints, hackers can easily replicate them using photographs. If you use fingerprints for security—and they are replicated—you can’t get new fingerprints like you can get a new passcode.
- Other biometrics: The most common are Apple’s Face ID and iris scanning. There are ways to trick them as well, but it’s easy to argue that they are more secure options than fingerprints. They should be used as part of a 2FA or MFA strategy with passcodes.
Which device lock screen authentication you choose is up to you, but the information above should steer you towards using a minimum 6 character passcode.
Securing the home and other environments
This work from home security policy applies anywhere you are working remotely, not just working from home. Most people show up at work and assume that their workplace is secure. There is no such guarantee anywhere outside of the office. Have your team look at:
- Firewalls and antivirus: Most commercial antivirus includes a firewall, which is why they are listed together. Antivirus software should be considered the last layer of defense. You don’t want your team to rely on it, or think that they can do whatever they want because they have antivirus and a firewall. They must still be cautious.
- Router: Help your employees secure their home routers by making sure that they use WPA2 on their Wi-Fi, and that they change the default router login credentials. Disabling remote management in their router settings can also close another vulnerability. Some ISPs make it hard for non-technical people to apply basic security, so you might have to help navigate settings.
- Devices: Home speakers like Alexa, smart TVs, and other tools are vulnerable to data theft. Make sure that your employees have these in another room away from their work so that they cannot be used by hackers to spy on what they say out loud.
The video below shows a white hat hacker communicating with a Nest camera user through their device. This could be so easy—and valuable—for a black hat hacker to do against someone on your team with valuable data who is home often. All they have to do is listen.
Backing up data
A cornerstone of remote work security is making sure that one device is not a weak point, especially when it comes to data backups. You don’t want to keep critical data on only one device because that device can be lost, stolen, or used as a frisbee by your employee’s child while working from home.
There are three basic ways to back up data for your business:
- External hard drives: This is the most basic way to back up data, and also the most difficult for multi-person businesses. They can easily fail and be unrecoverable, are easy to lose, and require you to remember to use them to back up data manually. I only recommend them as a backup to other backup options, and then only for data which is not often accessed and changed.
- On-premise solutions: Many turn to solutions like Microsoft’s System Center for this. An on-premise server backs up your data in your building. Having your back up on site is common for a business, but may not be as practical for a situation like we’re in now…few are actually at work. In normal times, you also have to consider what happens if there’s a fire at your workplace and your main data storage and backup data storage solutions are in the same place—you lose both!
- Cloud storage: The term cloud just means “a server somewhere else”. What you’re doing is allowing another company to store your data offsite. This is the best solution because it automatically backs data up, stores it in multiple locations, and security practices in place are high with the right provider. Check out OneDrive for Business, IBM Cloud Backup, and Zoolz BigMIND for Business.
No matter which choice you go with, be sure to meet data storage requirements for your industry and region. Here is a primer on a number of regulations to be aware of. Be sure to check your local requirements.
Minimize remote work security risks
There is no one magical piece of software or hardware that solves all your remote working security risks. Modern computing and networking is just too complex for one solution, and it’s even more difficult when the human element comes into play.
Look at the tactics above and work through them methodically. If you need it boiled down into the most essential tasks to look at:
- A reliable VPN to encrypt communications
- MDM to enforce password policies, locate and wipe lost devices, and push updates
- Backup storage for all critical data
Those are up to you as the employer. The rest is all about creating policies and educating your employees on them, which will be an ongoing task.
As remote work continues to become more popular—and even mandatory as we work through this pandemic—your team can remain secure and productive with the right policies and tools in place.