Let me start off by hoping every one of you reading this article is doing well and is safe. These are definitely trying times, but EliteSec wishes everyone safety and a safe recovery. This is an unprecedented time that we are facing, with countries declaring states of emergency, closing borders, and of course the usual political mudslinging.
During times of duress like these, it is important to remember that information security is just as vital, if not more so, than when things were more “normal”. Chances are that if you work in a technical role you have been told to work from home, along with the rest of your organization. This may last for a few days, or it may be a few weeks, depending on what your local governments and organizational leaders deem appropriate.
However, with changes to work environments comes new challenges, especially when looking at your newly grounded workforce. This post is intended to outline a few key points for this new reality to keep in mind in the hopes of ensuring that your workers and your business remain secure.
The Work-From-Home Checklist
Here’s a quick checklist of items to consider for your remote workers, especially for those who are not used to working from home:
- Ensure that anti-virus/anti-malware solutions are installed on their computers
- Enable host-based firewalls and configure appropriately
- Corporate assets should only be accessed via company-owned computers, such as laptops, etc.
- Use a VPN when connecting to a remote system that stores sensitive business information
- Home Wi-Fi networks should be secured with WPA2 encryption and use a strong password
- Home Wi-Fi routers should not have default credentials enabled, such as admin:admin for the username and password respectively
- Only employees should be using company-owned equipment, not other members of the household
- New 3rd party applications that people want to install should be reviewed by IT/Security before installation
- Remind employees that the Acceptable Use Policy remains in effect even when working from home
- Schedule regular check-in meetings with remote staff via video conferencing apps like Zoom, WebEx, etc.
That’s quite the list! Let me go through each of these items individually and describe them in more detail.
Ensure Anti-Virus/Anti-Malware Solutions Are Installed
This is pretty standard, and chances are that you have this already in place. Just make sure you have the ability to review the alerts generated on your employees’ machines so you can jump in to deal with any issues that may occur. Free AV solutions don’t always have this, but nearly every enterprise-level solution I’ve come across has a central dashboard or administrator interface that can help. Chances are you will be seeing more alerts than normal.
Enable Host-Based Firewalls
In addition to AV solutions, using a host-based firewall can add another layer of protection for your corporate assets. Borrowing from the concept of zero-trust networking, you will want to treat your employees’ home networks as hostile, since you have not locked them down and you do not know what other machines are connected to them. This is no small task, however, and hopefully it was done before all of this occurred. I wouldn’t necessarily suggest doing this live, but some of your more at-risk employees such as executives may be candidates here.
Corporate Assets Accessed from Corporate Machines
Software-as-a-Service (SaaS) solutions are very prevalent today, and as such, many users think that it doesn’t matter which computer they access these services from. Unfortunately the family computer is often not as well protected as the corporate laptop, so you will want to remind your employees that this is not acceptable behaviour. This is easier to enforce if you have a company-wide password manager that is pre-installed, pre-installed VPN software, or even an SSO solution that is tied to a particular machine. All of these would restrict the ability of your employees to use their own computers.
Use a VPN
This is a popular one that almost everyone is going on about. Use a VPN! Yes, using a VPN is vital, but it’s not always possible. The main reason is most VPN solutions that you may have installed likely don’t have enough capacity or licenses to handle all your employees at once! My suggestion is to provide guidelines on when the VPN should be used and when it should be turned off. Browsing the web? No VPN needed. Accessing something like Salesforce, payroll, etc.? Yes, you should be using a VPN.
I’m not a fan of users selecting and using their own personal VPNs. This will come up, but unless the VPN provider has been reviewed and vetted by your security department, I would strongly advise against using it. There are recent examples of fake VPN software stealing credentials, so feel free to share with your users why it’s important to only use vetted VPN providers and clients.
If you need to set up your own VPN and just want to ensure secure communications for your employees, using a cloud-based option may be a fast way to set something up. This won’t let them access systems at your corporate offices, but it will provide a more secure connection to those systems (such as SaaS applications) that you don’t want other computers snooping on.
Securing Home Wi-Fi
Within your corporate offices you likely have a dedicated Network IT team or MSP who has locked down your network gear, installed X.509 certificates for Wi-Fi, and has all manner of firewall, IDS, IPS, DLP, and more gear installed. Now think of how many of your employees have simply gone to BestBuy to pick up a Linksys router, come home, and plugged it in. Pulling together some quick tips on how to secure their home router is going to pay dividends here. Ensure strong encryption is turned on for Wi-Fi connections (WPA2 Personal is good here, provided they use a strong password), and ensure that the administrative interface for the router is also protected with a strong (and different) password.
Most of these admin consoles are accessible via a web browser if you are connected to the home network, but sometimes people leave them open to the Internet to “help” troubleshoot the network when they are not at home. Having people check and update is definitely useful. I would also strongly suggest having some IT staff available to help diagnose things remotely for those who are more “technically challenged.”
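To give IT staff something concrete to hand out, here is an added example (not from the EliteSec post) that checks a Windows laptop against the host-firewall and home Wi-Fi items above: every firewall profile enabled with inbound blocked and drops logged, the home network classified as Public (the “hostile network” stance from the firewall section), and the Wi-Fi authentication no weaker than WPA2. It assumes Windows 10/11 with the built-in NetSecurity cmdlets, an elevated PowerShell session, and a placeholder log path; by default it only reports, and `-Enforce` applies the settings.

```powershell
<#
  Added example, not part of the original post. Audit (and with -Enforce, harden)
  the host firewall and Wi-Fi posture of a corporate Windows laptop on a home network.
  Assumptions: Windows 10/11, NetSecurity module present, run as Administrator.
  $LogPath is a placeholder your IT team should replace.
#>
param([switch]$Enforce)
$LogPath  = "$env:SystemRoot\System32\LogFiles\Firewall\wfh-pfirewall.log"  # placeholder
$findings = @()

# 1. Host firewall: every profile on, inbound blocked by default, blocked traffic logged
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled)                     { $findings += "Firewall profile '$($p.Name)' is disabled" }
    if ($p.DefaultInboundAction -ne 'Block') { $findings += "Profile '$($p.Name)' allows inbound by default" }
    if (-not $p.LogBlocked)                  { $findings += "Profile '$($p.Name)' does not log blocked traffic" }
}
if ($Enforce) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogFileName $LogPath
}

# 2. Treat the home network as hostile: a 'Private' (trusted) category relaxes discovery
#    and sharing rules, so any non-domain connection is reclassified as 'Public'
foreach ($c in Get-NetConnectionProfile) {
    if ($c.NetworkCategory -eq 'Private') {
        $findings += "Network '$($c.Name)' on '$($c.InterfaceAlias)' is marked Private"
        if ($Enforce) { Set-NetConnectionProfile -InterfaceAlias $c.InterfaceAlias -NetworkCategory Public }
    }
}

# 3. Wi-Fi: flag anything weaker than WPA2. netsh prints e.g. "Authentication : WPA2-Personal";
#    the label is localized, so adjust the regex for non-English Windows builds.
$wlan = netsh wlan show interfaces
$auth = ($wlan | Select-String '^\s*Authentication\s*:\s*(.+)$').Matches |
        ForEach-Object { $_.Groups[1].Value.Trim() }
foreach ($a in $auth) {
    if ($a -notmatch 'WPA[23]') { $findings += "Wi-Fi uses '$a' instead of WPA2/WPA3" }
}

# Report so the helpdesk can read the result over a call
if ($findings.Count -eq 0) { "OK: firewall and Wi-Fi posture match the work-from-home checklist" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The report lines are deliberately plain text so a less technical employee can paste them into a ticket or read them out to IT.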
Only Employees Use Company Equipment
For those homes that do not have a family computer, it can be pretty tempting for young children or spouses to use the laptop or desktop that came home with your employees. You need to remind your employees that corporate assets are for corporate employees only, and not let them share their machines freely.
New 3rd Party Applications Need To Be Reviewed By IT/Security
As people settle into their new work environments, they will inevitably want to find new tools to help them work. Lots of experimentation will go on, which sadly means an increased risk of malware being installed. Remind your employees that while you want them to be productive, it’s not okay to just download whatever they want to help them do their job. A little review can go a long way, and you may just find that hidden gem from Bob in accounting that can help the rest of the company handle this transition.
Remind Employees About Your Acceptable Use Policy
Working from home means we can get comfortable in our surroundings. We may work in our pajamas, skip the morning workout, or take an early lunch. Others may think that it’s okay to just do whatever they want on their computers as well. Similar to the points about not letting other people use your computer and not installing random 3rd party applications, it may be easier just to remind everyone that you have an Acceptable Use Policy for your organization and you expect your employees to follow it, even when they work from home.
Check-in With Remote Employees Regularly
This is less technical and more social, but try to have regular meetings with staff to just have some human contact. Even if this is a simple video call to replace the daily “coffee break”, it can be a lifesaver. No agenda, no requirements to join, but schedule some time with your employees and encourage any people managers to do the same thing for their individual teams. Social isolation doesn’t mean a complete lack of contact. Trust me, this will go a long way to preventing issues with your employees, security-related and otherwise.
Whenever possible use video conferencing. I love Slack as much as the next person, but seeing a face and hearing a voice is so much better for morale.
These are trying times for sure, and all of us are trying to figure it out. Hopefully these tips can help. This post is all about dealing with the new reality. There are a few other things that I would recommend such as using password managers, ensuring full disk encryption is enabled, etc., but those are easier done when you can easily get physical access to the computer rather than leaving it to someone with less experience.
I wish you all well in these trying times, and I look forward to seeing you all back to your fully productive selves once this is over.
Looking for help with your own security program? EliteSec can help. Contact us today. We will sit down with you and discuss what makes the most sense for your organization. We offer a free 1 hour consultation to determine what’s best for you.