More than ever before, companies of all sizes are allowing employees to work remotely. Unfortunately, telecommuting can potentially put companies at an increased risk of a cyberattack, particularly for organizations that are not fully prepared for this sudden change to a remote workforce.
Many companies offer telecommuting options to their employees and have deployed company-owned and managed devices as well as robust security defenses to protect remote access. Until recently, some smaller organizations may have assumed that they did not need such infrastructure, or lacked the opportunity to develop it. With appropriate planning and prioritization, businesses of every size can take proactive steps to enhance their information security posture.
It is important to realize that the risks to information security and data privacy can change when employees are working from home, as compared to their normal working environment in an office. It is best to look at the challenge from three perspectives: confidentiality, data integrity and availability of corporate data.
Confidentiality means protecting data from unauthorized viewing and access. From a confidentiality standpoint, employers need to understand how they keep data safe while employees work remotely. Full disk encryption on company devices, including laptops and mobile phones, is one way to help keep data secure. Additionally, employees can help protect company confidentiality by: connecting to a corporate network through a VPN (virtual private network); using strong, unique passwords and multi-factor authentication; and operating on encrypted Wi-Fi connections only.
Employees should also be cognizant of who—or what—might overhear private conversations. Employees should consider their surroundings and the possibility that someone could be listening to a conversation. Equally important, they should also consider any voice-controlled smart speaker devices, such as Alexa and Google Home. To best protect company confidentiality, smart device microphones should be disabled and lockout features should be turned on after a short period of inactivity.
Data integrity refers to the trustworthiness and reliability of data throughout its lifecycle. Employers should ensure that important information can still be backed up while employees are working remotely. It is also critical to make sure that security patches can continue to be installed in a timely manner and that monitoring for security-related events can still occur. Additional steps to consider include reviewing employees' levels of access and placing geographic restrictions on VPN access.
Availability of Corporate Data
Availability means ensuring timely and uninterrupted access to corporate data. To that end, a company should ensure that it has adequate internet bandwidth, adequate capacity on its VPN server (including licenses and processing power), and sufficient numbers of corporate-owned laptops and mobile phones to issue to employees. It is also helpful to further educate employees and to require them to strengthen security settings and firewall configurations. For example, require strong passwords, preferably 8-20 characters with combinations of capital and lowercase letters, numbers and special characters. Password manager solutions can also be considered.
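The password composition rule stated above (8-20 characters, with uppercase, lowercase, digits and special characters) is the kind of check an onboarding script or help-desk tool can enforce before a password is accepted. The following is an added example written for this page, not code from the original article; the length bounds and character classes come from the paragraph above, the function names and the sample passwords are constructed for illustration.

```python
import string

# Policy values taken from the article: 8-20 characters, mixing
# uppercase, lowercase, digits and special characters.
MIN_LEN = 8
MAX_LEN = 20
SPECIAL = set(string.punctuation)


def check_password(pw: str) -> list[str]:
    """Return the list of policy rules a candidate password violates.

    An empty list means the password satisfies every rule in the policy.
    Each violation is a short, user-facing message so a help-desk or
    self-service tool can show the employee exactly what to fix.
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters (got {len(pw)})")
    if not any(c.isupper() for c in pw):
        problems.append("missing an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("missing a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("missing a digit")
    if not any(c in SPECIAL for c in pw):
        problems.append("missing a special character")
    return problems


def passes_policy(pw: str) -> bool:
    """Convenience wrapper: True when the password has no violations."""
    return not check_password(pw)


def audit(candidates: dict[str, str]) -> dict[str, list[str]]:
    """Run the policy over a mapping of account -> candidate password.

    Returns only the accounts whose candidate fails, with their reasons,
    so an administrator sees a short exception list rather than every row.
    """
    return {user: check_password(pw) for user, pw in candidates.items() if not passes_policy(pw)}


if __name__ == "__main__":
    # Constructed sample input (hypothetical accounts and passwords).
    sample = {
        "alice": "Tr0ub4dor&3",        # meets every rule
        "bob": "password",             # no uppercase, digit or special
        "carol": "Abc1!",              # too short
        "dave": "A" * 19 + "a1!",      # too long (22 characters)
    }
    for user, reasons in audit(sample).items():
        print(f"{user}: " + "; ".join(reasons))
```

The checker reports every failed rule at once rather than stopping at the first, which is what an employee needs in order to choose a compliant password in one attempt. Length is checked as a range because the article sets both a minimum and a maximum.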
When working from home, individuals should exercise responsibility for their own personal electronic hardware, including Wi-Fi routers, cable modems, printers, scanners and portable devices. A backdoor into an employee’s home network may be a backdoor into the company network. Consider asking employees to follow company guidelines (or, if your company does not want to issue such guidelines, then the device manufacturer’s guidelines) for keeping their software and firmware up to date, using strong passwords and security settings, and patching device operating systems regularly.
While a company may be enticed by the prospect of cost savings, there are reasons why they may want to use caution before allowing employees to use personal devices for work:
- Security: Employee-owned devices can present security risks for the company, as they may not have full disk encryption or a strong PIN/passphrase, could have malicious applications installed, or may not be running the latest operating system version. These security risks could allow sensitive company information to be leaked or shared with an unauthorized person. Companies may also have increased difficulty supporting these non-standardized devices and lack the ability to “wipe” the device if it gets lost or stolen, or if the employee leaves the company.
- Privacy: There are several privacy concerns with employee-owned devices. For example, there could be litigation around opening an employee’s device up to discovery. Employee monitoring, whether by GPS location or electronically through use of the device and the internet, is a significant cause for concern. Additionally, privacy concerns around the company’s compliance functions, trade secret protection, nondisclosure agreements, record retention policies, subpoenas and legal processes are elevated with employee-owned devices.
If a company decides to use a bring your own device (BYOD) approach, it should be governed by a formal policy and a mobile device management (MDM) solution. The policy should cover topics including acceptable use, reimbursement (if any), device support management, security enforcement, and additional risks or disclaimers that the employee should be aware of. The MDM solution should be in place to enforce security measures on these systems. It allows the company to enforce minimum security standards, prevent users from sharing information with unauthorized individuals and applications, compartmentalize company information away from personal information, remotely wipe a device, and push out security updates.
No One-Size-Fits-All Solution
There is no one-size-fits-all solution for managing a remote workforce. Each company should consider the industry their business serves, the enterprise’s sensitive data, size of their workforce and overall risk tolerance before beginning to build a strategy for how employees will work remotely. The ultimate goals of information security are confidentiality, integrity and availability. Ensuring that remote communications are private and unaltered, that data integrity is maintained, and that resources including corporate data are available when needed are all critical success factors. By following these recommendations, you can help move your organization toward achieving those goals and creating a safer, more functional telecommuting environment.