Technology continues to transform the way we live, work and interact with one another. It also affects where we do those things. In fact, just last year, 43 percent of Americans said they spent at least some time working remotely, according to Gallup’s State of the American Workplace report.
More companies are offering the option to work from home or another site—and that flexibility can benefit all parties involved since it can remove any geographical limitations to staffing. But with people working offsite, there is a greater chance that cybersecurity practices won’t be implemented correctly or consistently, which increases the possibility that your company could come under a cyber attack.
Make sure your company data stays secure. Employ these five tips with your remote workforce:
- Train employees to be aware of the physical environment.
Let’s say an employee is working from a coffee shop one morning. She gets her chai tea latte and sits down to get to work. She chooses a seat that has her screen facing part of the room, or, even worse, her screen facing a window. She makes travel arrangements for an upcoming conference and takes out the company credit card to book the flight. Unaware of the lingering eyes behind her, she just gave away some incredibly valuable information.
That wouldn’t happen, you say? Okay, let’s say she sits so her screen is facing a wall, and she feels safe about opening her company laptop and reviewing sensitive information that belongs to a client. But, she gets up to use the restroom – or even just to grab a napkin – and when she returns, the laptop is gone, including all the company and client data stored on the device.
Make sure your employees are always thinking about who could see or access their computers or other devices and where those devices are stored while outside of the office. Set up devices to require passwords every time someone logs on, and use privacy screens to keep prying eyes from seeing anything. Establish location tracking for any devices that hold company data, and have the ability to remotely wipe them if necessary.
- Prohibit the use of open Wi-Fi.
Even if your employee makes sure her device and screen are safe while at that coffee shop, she still shouldn’t hop on their free Wi-Fi. Hackers can use public wireless internet offerings to see what others are doing while connected. The two most common attack methods over open Wi-Fi are:
A man-in-the-middle (MITM) attack, where a hacker intercepts communications between two systems. While it can appear to be a normal exchange of information, the hacker is actually “eavesdropping” and can steal or alter the data that is being sent. These types of attacks are especially common over open Wi-Fi because the information transmitted is generally unencrypted. Just being able to access emails can give malicious actors access to usernames and passwords.
An “Evil Twin hotspot” is a form of an MITM attack where a hacker creates a false access point that looks legitimate. This fake Wi-Fi access is usually very similar looking to the genuine Wi-Fi that the café or other business is offering its guests, and it may even use the same network name. When someone is tricked into connecting to an Evil Twin hotspot, cybercriminals gain access to the user’s activities and can redirect the victim to malware or phishing sites. The perpetrator can also view any credit card numbers the victim uses while connected to the hotspot, the files they download and more.
The best way to combat potential attacks like these is to not allow employees on an open Wi-Fi at all. But, if they must do so from time to time, then make sure they know to verify the name of the network with staff at the coffee shop, hotel, airport or wherever they might be. Additionally, before leaving, employees should tell their devices to forget the network they were connected to. This way, an employee’s phone or laptop won’t automatically connect the next time he’s within range. But because hackers can still perform an attack over a verified Wi-Fi hotspot, it’s important that all remote employees use virtual private networks (VPNs).
- Require the use of virtual private networks on all devices.
A virtual private network (VPN) enables a secure connection between a device and the internet. It essentially masks all of a user’s web activity. So, even if a hacker tricks an employee into using an Evil Twin hotspot, his data is safe since it’s encrypted.
Ian Paul, a contributor to Tech Hive, describes VPNs as “a secure tunnel between your PC and destinations you visit on the internet.” When inside the tunnel, it’s extremely difficult for anyone to snoop on a user’s web-browsing behaviors.
Install VPNs on all devices that contain company data and may be used outside of your internal company network, thus extending the security around your data to anywhere your employees are. Avoid a common pitfall of giving unnecessary access to VPN users, and restrict VPN users only to the services they need (see tip #5 below). A comprehensive list of VPN options is detailed , and, of course, the Asylas team is happy to help your company choose the best one for your needs and get everything set up properly.
- Have all employees follow a password protocol.
Password security is similar to fitness programs and diets in that different methods work better for different people. The one your employees will actually follow is the best one. And employees do need to follow one. In general, there are several password tips applicable to everyone, such as:
- Don’t reuse passwords across different accounts—especially those with different levels of trust. That means, don’t use the same password for Spotify that you do to access company files.
- Use uncommon, complex passwords, even if you change them only annually, since they are better than changing simple passwords, like “password1” to “password2,” every 30 or 60 days. Consider requiring your employees to use five random words with numbers and symbols that would be nearly impossible for someone to guess. It can be helpful to use a password manager that randomly generates new passwords and stores them in a database, like 1Password (for Mac users), LastPass, KeePass or Dashlane. That way, your employees are only required to memorize and update one secure password—the one to their password manager.
- Say “no” when a browser plugin asks if you would like to save your username and password for a specific website. While doing so makes things more convenient for the user, it also puts that user’s data at risk. Some browsers let you (or, worse, a thief) view a list of saved login credentials, including the website name, username and password. Typically, the less add-ons and plugins used, the more secure it is.
Create and enforce a password policy. Update it regularly and share any changes with employees.
- Follow the principle of least privilege.
This principle is considered a best practice for cybersecurity, especially for companies with remote employees whose computers and networks may not be as secure as they are in the office. Least privilege means that a company provides users and systems with only the information and access they need to do their required job. For example, a programmer whose job is to update lines of code doesn’t need access to the company’s financial data. Members in the same department with the same title might not even require access to the same documents.
Implementing least privilege limits the amount of potential damage a cybercriminal could do, should he gain access to a user’s computer or network.
When you are ready to set this up in your company, it’s best to involve representatives from all departments, as they will be able to best articulate who needs access to what within their specific departments. To ensure access permissions remain up to date, institute a review process at least once a year.
Put strict cybersecurity protocols in place to keep remote employees’ company data safe. And train and re-train your remote workforce often on what they should and shouldn’t do.
To learn about Asylas’ security assessments, penetration testing, consulting services and more, visit https://www.asylas.com/services or give us a call at 615-499-7600.