Technology continues to transform the way we live, work and interact with one another. It also affects where we do those things. In fact, 70% of professionals globally work remotely at least one day per week. Every company should be actively pursuing ways to create a more secure remote workforce.
More companies are offering the option to work from home or another site—and that flexibility can benefit all parties involved. Removing geographical limitations to staffing is a boon for hiring. But with people working offsite, there is a greater chance that cyber security practices won’t be implemented correctly or consistently, which increases the possibility that your company could come under attack.
Make sure your company data stays secure. Employ the following tips with your remote workforce.
Train Employees to Be Aware of the Physical Environment
Let’s say an employee is working from a coffee shop one morning. Latte in hand, she sits down to work. Her seat is positioned so that her screen is facing part of the room. She makes travel arrangements for an upcoming conference and takes out the company credit card to book the flight. Unaware of the lingering eyes behind her, she just gave away some incredibly valuable information.
Think that wouldn’t happen? Okay, let’s say she sits so her screen is facing a wall, and she feels safe about opening her company laptop and reviewing sensitive information that belongs to a client. But she gets up to use the restroom or grab a napkin. When she returns, the laptop is gone, including all the company and client data stored on the device.
Make sure your employees are always thinking about who could see or access their devices and where those devices are stored while outside of the office. Set up devices to require passwords every time someone logs on. Use privacy screens to keep prying eyes from seeing anything. Establish location tracking for any devices that hold company data and have the ability to remotely wipe them if necessary.
Prohibit the Use of Open Wi-Fi
Even if your employee makes sure her device and screen are safe while at that coffee shop, she still shouldn’t join its free Wi-Fi. Hackers can use public wireless internet to see what others are doing while connected. The two most common attack methods over open Wi-Fi are:
A man-in-the-middle (MITM) attack, where a hacker intercepts communications between two systems. While it can appear to be a normal exchange of information, the hacker is actually “eavesdropping” and can steal or alter the data that is being sent. These types of attacks are especially common over open Wi-Fi because the information transmitted is generally unencrypted. Just being able to access emails can give malicious actors access to usernames and passwords.
An “Evil Twin hotspot” is a form of MITM attack where a hacker creates a false access point that looks legitimate. This fake access point usually looks very similar to the genuine Wi-Fi that the café or other business is offering its guests. It may even use the same network name. When someone is tricked into connecting to an Evil Twin hotspot, cybercriminals gain access to the user’s activities and can redirect the victim to malware or phishing sites. The perpetrator can also view any credit card numbers the victim uses while connected to the hotspot, the files they download, and more.
The best way to combat potential attacks like these is to not allow employees on open Wi-Fi at all. But, if they must do so from time to time, make sure they know to verify the name of the network with staff at the coffee shop, hotel, or wherever they might be. Additionally, before leaving, employees should tell their devices to forget the network they were connected to. This way, an employee’s phone or laptop won’t automatically connect the next time he’s within range. But because hackers can still perform an attack over a verified Wi-Fi hotspot, it’s important that all remote employees use virtual private networks (VPNs).
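One way to turn the advice above into a check a help desk or an endpoint agent could run is to compare a Wi-Fi scan against the network name and access points that venue staff confirmed. This is an added example, not code from the original post; the trusted-network table, the scan records and their tab-separated format are constructed for illustration.

```python
"""Flag Wi-Fi networks that look like possible Evil Twin hotspots.

Added example (not from the original post). It parses constructed scan
records of the shape most Wi-Fi scanners can export (SSID, BSSID,
security type) and flags an SSID that is advertised both as a secured
network and as an open one, that appears from an access point staff did
not confirm, or whose name merely mimics a trusted network.
"""
from collections import defaultdict

# Constructed: what the venue's staff confirmed the real network is.
TRUSTED_NETWORKS = {
    "CafeGuest": {"bssids": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},
                  "security": "WPA2"},
}

# Constructed scan output, one access point per line: SSID<TAB>BSSID<TAB>SECURITY
SAMPLE_SCAN = """\
CafeGuest\taa:bb:cc:dd:ee:01\tWPA2
CafeGuest\taa:bb:cc:dd:ee:02\tWPA2
CafeGuest\t12:34:56:78:9a:bc\tOPEN
CafeGuest Free\t12:34:56:78:9a:bd\tOPEN
Hotel_WiFi\t00:11:22:33:44:55\tWPA2
"""

def parse_scan(text):
    """Return (ssid, bssid, security) tuples from tab-separated scan lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security = line.split("\t")
        rows.append((ssid, bssid.lower(), security.upper()))
    return rows

def find_suspect_networks(rows, trusted):
    """Return {ssid: [reasons]} for networks worth warning users about."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in rows:
        by_ssid[ssid].append((bssid, security))
    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        securities = {sec for _, sec in aps}
        if "OPEN" in securities and len(securities) > 1:
            reasons.append("same SSID seen both open and encrypted")
        if ssid in trusted:
            unknown = {b for b, _ in aps} - trusted[ssid]["bssids"]
            if unknown:
                reasons.append("unknown access point(s): " + ", ".join(sorted(unknown)))
        elif any(ssid.startswith(t) for t in trusted):
            reasons.append("name mimics a trusted network")
        if reasons:
            findings[ssid] = reasons
    return findings
```

Legitimate venues often run several access points under one name, which is why the check keys on the confirmed BSSID list rather than on duplicate names alone.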
Require VPN On All Devices
A virtual private network (VPN) enables a secure connection between a device and the internet. It encrypts all of a user’s traffic between the device and the VPN endpoint, so anyone else on the same network cannot read it. Even if a hacker tricks an employee into using an Evil Twin hotspot, his data is safe because it’s encrypted.
Ian Paul, a contributor to Tech Hive, describes VPNs as “a secure tunnel between your PC and destinations you visit on the internet.” When you’re “inside” the tunnel, it’s extremely difficult for anyone to snoop on your web-browsing behavior.
Install VPNs on all devices that contain company data and may be used outside of your internal company network. This extends the security around your data to anywhere your employees are. Avoid a common pitfall of giving unnecessary access to VPN users, and restrict VPN users only to the services they need. Comprehensive lists of VPN options are available, and, of course, the Asylas team is happy to help your company choose the best one for your needs and get everything set up properly.
Follow Password Protocol
Password security is similar to fitness programs and diets in that different methods work better for different people. The one your employees will actually follow is the best one. And employees do need to follow one. In general, there are several password tips applicable to everyone, such as:
- Don’t reuse passwords across different accounts—especially those with different levels of trust. Don’t use the same password for Spotify that you do to access company files.
- Use uncommon, complex passwords, even if you change them only annually. These are better than changing simple passwords, like “password1” to “password2,” every 30 or 60 days. Consider requiring your employees to use five random words with numbers and symbols that would be nearly impossible for someone to guess. It can be helpful to use a password manager that randomly generates new passwords and stores them in a database. Try 1Password, LastPass, KeePass, or Dashlane. This way, your employees are only required to memorize and update one secure password—the one for their password manager.
- Say “no” when a browser plugin asks if you would like to save your username and password for a specific website. While doing so makes things more convenient for the user, it also puts that user’s data at risk. Some browsers let you (or, worse, a thief) view a list of saved login credentials, including the website name, username, and password. Typically, the fewer add-ons and plugins used, the more secure you are.
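To put numbers on the second tip (uncommon multi-word passwords changed rarely beat simple ones rotated every 30 days), here is an added example that is not from the original post: it estimates the search space of each style and generates a five-word passphrase with digits and a symbol. The eight-word list is a constructed stand-in; the 7,776-word figure is the size of the standard Diceware list, and the 1,000-candidate guess for a common word is an assumption.

```python
"""Compare password strength by search space, and generate a passphrase.

Added example, not from the original post. Entropy here is the log2 of
the number of equally likely secrets an attacker would have to try.
"""
import math
import secrets
import string

# Constructed: a real passphrase generator uses thousands of words.
WORDLIST = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glide", "harbor"]
SYMBOLS = "!@#$%^&*"

def entropy_bits(choices_per_slot, slots):
    """Bits of entropy for `slots` independent picks from `choices_per_slot` options."""
    return slots * math.log2(choices_per_slot)

def passphrase_entropy(word_count, wordlist_size, digit_count=0, symbol_count=0):
    """Entropy of N random words plus random digits and symbols appended."""
    return (entropy_bits(wordlist_size, word_count)
            + entropy_bits(10, digit_count)
            + entropy_bits(len(SYMBOLS), symbol_count))

def generate_passphrase(words=5, digits=2, symbols=1, wordlist=WORDLIST):
    """Build '<word>-<word>-...<digits><symbol>' using the CSPRNG in `secrets`."""
    parts = [secrets.choice(wordlist) for _ in range(words)]
    tail = "".join(secrets.choice(string.digits) for _ in range(digits))
    tail += "".join(secrets.choice(SYMBOLS) for _ in range(symbols))
    return "-".join(parts) + tail

def rotation_comparison():
    """Entropy of a 'password1'-style secret vs five Diceware words + 2 digits + 1 symbol."""
    # Assumption: 'password1' style is one of ~1000 common words plus one digit,
    # and rotating the digit each month does not enlarge that search space.
    weak = entropy_bits(1000, 1) + entropy_bits(10, 1)
    strong = passphrase_entropy(5, 7776, digit_count=2, symbol_count=1)
    return round(weak, 1), round(strong, 1)
```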
Follow the Principle of Least Privilege
This principle is considered a best practice for cyber security, especially for companies with remote employees. Remote computers and networks may not be as secure as those in the office. Least privilege means that a company provides users and systems with only the information and access they need to do their required job. For example, a programmer whose job is to update code doesn’t need access to the company’s financial data. Members in the same department with the same title might not even require access to the same documents.
Implementing least privilege limits the amount of potential damage a cybercriminal could do, should they gain access to a user’s computer or network.
When you are ready to set this up in your company, it’s best to involve representatives from all departments, as they will be able to best articulate who needs access to what within their specific departments. To ensure access permissions remain up to date, institute a review process at least once a year.
Train, Train, Train
Put strict cyber security protocols in place to keep remote employees’ company data safe. Then train and re-train your remote workforce often on what they should and shouldn’t do.
To learn about Asylas’ security assessments, penetration testing, consulting services, and more, visit https://www.asylas.com/services or give us a call at 615-622-4591.