Today, to remain productive, businesses and their employees are engaging in IT-related activities they never would have considered in the past — and at an accelerated rate. There are two sides to this coin: IT is more important than ever, enabling businesses that might otherwise be shut down to continue to operate; but, in the haste to empower home workers, security corners are being cut and risks are being taken.
Read on to Learn the 3 Key Rules For Working Securely From Home!
Corporate governance appears to be going out the window in many cases. It’s not just unsecured video calls, but sensitive corporate information sitting on unsecured networks, unsecured USB devices being plugged into the corporate network to bring files home, and private printouts being left unsecured on desks accessible to family members. That home printer itself is an unsecured device.
In the new #WFH reality, business continuity plans are being dusted off and put to the test, and some are being found lacking. In some cases, the result has been reactive, “knee-jerk IT support” in response to the crisis. Who has given any thought to who fixes tech problems when IT is itself in self-isolation or quarantined? Additionally, many organizations are finding that cloud solutions make working from home simpler, but they are being implemented without the oversight required, and with little concern for security, cost or business impact.
Never has it been truer that security vulnerabilities are not based on technology, but people and their behaviours. Many employees trying to find their footing in this new norm are either too cautious or far too relaxed. They may be fatigued, distracted, or feel invincible. (“It’ll never happen to me.”)
IT security is always a delicate balance between cost, convenience and protection. Today, as organizations strive to find balance, many are steering into dangerous territory. Here are three simple rules you can follow to make working from home more secure:
Rule #1: Don’t break the rules
Unprecedented times require flexibility, of that there’s no doubt, but a strong security posture must be maintained. Hackers and criminals are not taking a break and are, in fact, increasing efforts by taking advantage of coronavirus/COVID-19 anxiety. Phishing attacks are on the rise, giving further credence to the fact employee behaviour is the weakest link in the cybersecurity chain.
At the same time, IT is often being asked to sidestep rules for “efficiency.” When an employee is having trouble accessing the network or setting up a device, IT is being urged, “Just give them administrative access.” Absolutely not. The rules were put in place for a reason and, more than ever, need to extend across the entire corporate network — which now includes employee homes.
Rule #2: Define the rules
As counter-intuitive as it might feel, staying consistent with existing corporate rules, regulations and policy is crucial as employees move from cubicles to make-shift kitchen table offices. These are often implicit in the office environment but must be spelled out explicitly to new home workers so there is no room for uncertainty. Employees and managers will use the excuse that they were not told unless it is spelled out for them.
Rules that must be now clarified might include (but are not limited to):
- Don’t copy sensitive files to unsecured personal devices. No excuses.
- Don’t copy data to your local machine meant to reside on the server. There could be unknown regulations being breached.
- Control access to your computer, make sure it is locked — even from family.
- Maintain backups. Office 365 provides access to documents. It is not a backup.
Many requests to break the rules are to overcome annoyances and not for business-critical activities or reasons. Most of the time the critical nature of tasks is being artificially escalated. Ask yourself: Is getting a printer installed for an employee to print from home important enough to give them administrative access and break the entire corporate security policy? (The answer is almost always no.)
Rule #3: See Rule #1
With employees working from home, the network is now extended into areas it has never or rarely been. Typical homes have an unwieldy number of unsecured, consumer-grade computers, mobile smartphones and IoT (Internet of Things) devices that haven’t been patched for months or years. It’s important to set up this new corporate environment following the same procedures as the traditional one.
- Obtain business-grade hardware. Employees should not be using unsecured personal laptops, workstations and printers unless they have been previously set up for teleworking. Follow standard procurement methods to ensure the devices meet all criteria.
- Ensure malware prevention — firewalls, antivirus software and anti-phishing tools — are in place. Updates must occur on a regular basis, just as they would be in the regular office. Default Windows security will not suffice for corporate machines.
- Monitor the entire network. Security is more than just ensuring patches and policies; IT must be able to see what’s going on across a now expanded network of devices. Unless IT has a simple way to monitor what’s going on in this new area of the corporate network, you can assume it is not secure.
- Set up and train end-users. Training is at the heart of ensuring teleworkers find the right balance between efficiency and security, so they are neither too lax nor too cautious they can get little done. Make sure employees understand their responsibilities and the risks around their privacy settings, browsing (on corporate machines), and that they engage in safe downloading and strong passwords.
“But COVID-19 is an exceptional situation,” you or your employees may claim. From the perspective of teleworking, it’s not exceptional. The technology is nothing new, and many businesses have had remote digital workplaces in place for years. The only exception is that these are not employees used to working from home. A sense of urgency is often taking precedence over logic.
Employees may be working in yoga pants and hoodies, but now more than ever corporate security must be button-down.
If you would like to learn more about Appsonnet’s secure #WFH solutions, contact us at 416-362-8867.
