With the coronavirus in the news, more businesses than ever are considering whether telework is a viable option for their company and employees. But with new cyber threats and data breaches constantly reported, business owners have to ask themselves,
How do I maintain my cyber security when my employees work remotely?
Whether you have one employee working on a mobile device while on a business trip or your entire staff telecommuting from home, your cyber security shouldn’t be sacrificed for convenience. By understanding your options and working with a quality IT services provider, you can safely navigate the cyber world and keep your business protected.
Cyber Security and Telework
Maintaining your cyber security while allowing your employees to work remotely can be a challenge, but it can be accomplished with minimal risk if you plan ahead and choose the right options for your business. If you don’t expect someone to infiltrate your network, you won’t be protected when someone tries. Always prepare for the worst-case scenario.
“Assume that communications on external networks, which are outside the organization’s control, are susceptible to eavesdropping, interception, and modification.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)
How Do You Prepare for Telework?
Start by choosing the best telework option for your business’s needs and budget. There are four basic ways to secure your network while allowing remote access to employees.
- VPN Gateway:
Virtual Private Network (VPN) gateways create secure access from the employee device to the VPN gateway and onward to your internal network. In this way, your enterprise-level cyber security measures are extended to the VPN, which acts as a secure tunnel for employees to work through. Some VPN gateways can even extend your business’s firewall rules to the employee computer no matter where they are working through the use of a portable device—a great advantage when travelling on business.
VPN gateways offer several great telework features, but while communication is protected through a VPN gateway, the employee’s computer could still be at risk of transmitting infected data if the computer itself is compromised. VPN gateways should only be used in conjunction with properly configured, company-owned hardware to maintain high security standards and minimize the risk to the internal network.
- Portal:
In this method, telework employees access company data and applications through a browser-based webpage or virtual desktop. All applications and data are stored on the portal’s server and cannot be downloaded or saved on an employee’s device without permission. This is a good way to keep control over who is accessing your data and how it is used.
The danger with portals depends on what permissions the employee has while accessing the portal. If the portal allows an employee to access other areas of the internet while connected, it could provide an unintended avenue for criminals to access your network. It’s safer to restrict employees’ access to other programs while the portal is in use. The more access an employee has, the less secure the connection becomes.
- Remote Computer Access Service:
Remote computer access services allow an employee to remotely control a computer physically located at your business via an intermediate server or third-party software. When the two computers are connected, applications and data remain on your office computer, and your network’s cyber security measures are enforced. Your remote device acts as a display for the work performed on your office machine.
Due to the direct access, remote desktop connection is considered high risk in cyber security terms. Proper configuration is critical. When set up correctly, communication between the two computers is encrypted for the data’s protection, but that same encryption also hides the traffic from the organization’s firewalls and threat detection. No matter how good your cyber security measures are, if the employee’s home computer doesn’t have the same protections as the office workstations, malicious data can slip into your network unnoticed during a remote desktop connection.
- Direct Application Access:
Direct application access is probably the lowest risk to your cyber security measures out of all the remote access methods because it is best used only with low-risk applications. In this method, employees can remote into a single application, usually located on the perimeter of your network, such as webmail. The employee doesn’t have access to the entire network, allowing them to work on select applications without exposing your internal network to danger.
Though there is much less danger posed by direct application access, it generally doesn’t allow for extensive work to be done. There is very little connection to data on your network, and little ability to take data to another application if needed. It is best used when traveling or on a mobile device where complete access to the network is not necessary.
The type of telework you offer may also depend on governmental regulations requiring a certain level of security. Those working in the healthcare sector should consult with their HIPAA Security Officer to make sure any telework is performed according to HIPAA guidelines.
Using company-owned and maintained hardware is the best option when working from home or on the go. Properly-maintained company laptops reduce the risk of unpatched or out-of-date software connecting to your network and often have more robust anti-virus/anti-malware protections than personal computers.
For many small and medium businesses (SMBs) though, providing company devices to all employees is not financially feasible or practical, especially if the need for remote work is temporary. The best choice for SMBs is either establishing a site-to-site VPN connection or using a secure remote desktop service to connect to their office computer. SMBs should be aware of and willing to accept the added cyber security risks of using personal devices before implementing this type of work-from-home policy.
Telework isn’t the only way employees access your network. Mobile devices have become ubiquitous for work on-the-go, but if you fail to protect these devices, your business and clients may suffer. There are basic security recommendations for securing any mobile device, including thorough employee training in cyber security, strong encryption, keeping software up-to-date, and supplementing your security with third-party anti-malware/anti-virus software. While these fundamental methods keep the average device secure, if you’re dealing with sensitive or confidential data on your network you may need additional safeguards.
“Given the similarity between the functions of mobile devices, particularly as they become more advanced, and PCs, organizations should strongly consider treating them similar to, or the same as, PCs.”—Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (NIST 800-46r2)
NIST’s Guide to Enterprise Telework offers detailed suggestions for protecting any business when it comes to mobile and telework access, including:
- Turning off networking capabilities (such as Bluetooth) when not necessary for work.
- Turning on personal firewalls, if available.
- Requiring multi-factor authentication before accessing your business’s network.
- Restricting other applications allowed on the device.
Since loss or theft of hardware is far more likely with mobile devices, it is beneficial to use a mobile device management (MDM) solution to maintain control of a mobile device in case of theft or accidental loss. With an MDM, you can locate, lock, or remotely destroy any data on the mobile device. This way your sensitive information won’t fall into the wrong hands, even if the device itself can’t be recovered.
Best Practices for Maintaining Cyber Security
Regardless of the type of remote access you decide on, there are a number of opportunities to shore up your cyber security defenses:
- Establish a separate, external network dedicated solely to remote access. If something does infect the server, it won’t spread to other parts of your network.
- Establish a site-to-site VPN connection or use a secure remote service.
- Use encryption, multi-factor authentication, and session locking to protect your data.
- Keep your hardware and software patched and updated, including your employees’ remote computers.
- Enforce strong password policies and have employees use a password manager.
- Set up session time out on all teleworking connections and automatic screen locks on all computers.
- Manually configure employee computer firewalls and anti-malware/anti-virus software.
- Add additional security authentication layers to company data on mobile devices.
- Set up restrictions to keep unknown or unnecessary browser extensions from being installed. Many have tracking codes the user doesn’t know about, while others are used to spread malware. Stick with trusted and needed browser extensions only.
- If possible, physically secure computers with locking cables in any untrustworthy place, such as hotels or conference areas.
- Consider providing company-owned devices for employees to use that can be maintained and secured by in-house IT-staff or your MSP.
- Consider end-point detection and response or remote access logging to monitor what is happening on your IT systems.
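The last item above, remote access logging, only helps if someone actually reviews the logs. The following Python script is an added example, not code from the original post or from Anderson Technologies, showing what such a review can look like: it parses a handful of constructed VPN gateway log lines in a hypothetical format (timestamp, user, source address, result, MFA flag) and flags three conditions this post warns about: a successful remote login without a second factor, a burst of failed logins against one account from one source, and an administrative account being used over remote access at all. The log format, the account names and the thresholds are assumptions for the example.

```python
"""Remote-access log review over constructed VPN gateway log lines.

Assumed (hypothetical) line format, one event per line:
    <ISO-8601 timestamp> <user> <source-ip> <success|failure> mfa=<yes|no>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; not output from any real gateway.
SAMPLE_LOG = """\
2020-03-16T08:01:12 jsmith 203.0.113.10 success mfa=yes
2020-03-16T08:03:40 mlee 198.51.100.7 success mfa=no
2020-03-16T08:10:01 admin 192.0.2.55 failure mfa=no
2020-03-16T08:10:05 admin 192.0.2.55 failure mfa=no
2020-03-16T08:10:09 admin 192.0.2.55 failure mfa=no
2020-03-16T08:10:14 admin 192.0.2.55 failure mfa=no
2020-03-16T08:10:20 admin 192.0.2.55 failure mfa=no
2020-03-16T08:45:00 jsmith 203.0.113.10 success mfa=yes
2020-03-16T09:12:33 it-admin 203.0.113.22 success mfa=yes
"""

# Assumed thresholds: five failures inside five minutes is a burst.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=5)

# Assumed list of accounts that carry administrative rights.
ADMIN_ACCOUNTS = ("admin", "it-admin")


def parse_line(line):
    """Split one log line into a dict of typed fields."""
    ts, user, src, result, mfa = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "src": src,
        "ok": result == "success",
        "mfa": mfa == "mfa=yes",
    }


def review(log_text, admin_accounts=ADMIN_ACCOUNTS):
    """Return a list of (rule, user, source) findings for the given log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: a successful remote login that did not present a second factor.
    for e in events:
        if e["ok"] and not e["mfa"]:
            findings.append(("no_mfa", e["user"], e["src"]))

    # Rule 2: a burst of failures for one (user, source) pair inside the window.
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[(e["user"], e["src"])].append(e["time"])
    for (user, src), times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= FAILURE_WINDOW]
            if len(in_window) >= FAILURE_THRESHOLD:
                findings.append(("failure_burst", user, src))
                break  # one finding per pair is enough

    # Rule 3: an administrative account used over remote access.
    for e in events:
        if e["ok"] and e["user"] in admin_accounts:
            findings.append(("admin_remote_login", e["user"], e["src"]))

    return findings


if __name__ == "__main__":
    for rule, user, src in review(SAMPLE_LOG):
        print(f"{rule:20} user={user:10} source={src}")
```

Run on the constructed log this reports one login without MFA (mlee), one failure burst against the admin account from 192.0.2.55, and one administrative remote login (it-admin). A real gateway log will need its own parser, but the three rules carry over unchanged.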
“Regardless of how many security protections are used, it is simply impossible to provide 100 percent protection against attacks because of the complexity of computing. A more realistic goal is to use security protections to give attackers as few opportunities as feasible to gain access to a device or to damage the device’s software or information.”—User’s Guide to Telework and Bring Your Own Device (BYOD) Security (NIST 800-114r1)
Privileges, Privileges, Privileges!
No telework operation should ignore the danger of not setting correct privileges for employees working from home. This step is essential to maintaining a secure, partitioned IT environment.
Implementing accurate and reasonable privileges provides two major benefits to your company.
- It keeps employees from accessing data or programs that they shouldn’t have access to.
- It keeps cyber criminals from infiltrating your entire network through a single compromised machine or account.
There is no reason a sales rep needs the same access to your company data as the CEO, so why would you give them unrestricted access? Job-specific privileges keep company data safe from insider infiltration while providing each employee with the tools and data necessary to complete their work. The Zero Trust IT model utilizes segmented permissions as the core tenet of its security architecture.
When creating user privileges, keep in mind:
- Never allow users admin access. The only people who should have admin access to your systems are the IT personnel who maintain them, and even then, they should use an admin account only when performing work requiring it. All users should have a standard, limited user account that cannot alter system settings or privileges.
This is especially important when employees work from home on their personal computers. Without the security of an enterprise hardware firewall and business-grade cyber security protections, employees’ personal computers are at a higher risk of being compromised. If their computer is infected and they have admin level access, cyber criminals can use that unrestricted access to infiltrate your entire system, change permissions, and steal or encrypt data for ransom.
- Need-to-know access only. It takes a bit of technical know-how to set up appropriate user access privileges, but it’s worth the effort. Besides keeping data secure within the company, segmentation of privileges also means that if a computer is infected with malware or an employee account is compromised, the access cyber criminals have to your company and its data remains limited.
- Use multi-factor authentication. It’s not enough to limit permissions; you need to verify the person signing in is who they say they are. A quick visit to Have I Been Pwned will show how many accounts are already compromised. Multi-factor authentication prevents a compromised account from being used by cyber criminals to access your systems. While security tokens and third-party authenticator apps like YubiKey or Google Authenticator are preferred, any type of multi-factor authentication (email, SMS) is better than no authentication.
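The three rules above (no standing admin rights, need-to-know access, MFA on every account) can be checked mechanically against an account inventory. The Python script below is an added example, not code from the original post or from Anderson Technologies: it encodes a constructed policy of which job roles need which resources, then audits a constructed list of accounts for grants outside the role’s need, for administrative rights on a daily-use account, and for accounts without MFA. The resource names, roles and accounts are assumptions for the example; a real audit would read them from your directory or identity provider.

```python
"""Least-privilege audit over a constructed account inventory.

Policy model (assumed for the example): each resource lists the job roles
with a business need for it; anything granted outside that list is excess.
"""
from dataclasses import dataclass

# Constructed policy: resource -> roles that need it.
RESOURCE_NEEDS = {
    "crm": {"sales", "executive"},
    "payroll": {"finance", "executive"},
    "source-repo": {"engineering"},
    "domain-admin": {"it"},  # administrative access belongs to IT only
}

ADMIN_RESOURCE = "domain-admin"


@dataclass
class Account:
    name: str
    role: str
    grants: set          # resources the account can currently reach
    mfa: bool            # second factor enforced on this account
    daily_use: bool = True  # the account the person works from every day


# Constructed inventory; not real accounts.
ACCOUNTS = [
    Account("jsmith", "sales", {"crm", "payroll"}, mfa=True),
    Account("mlee", "engineering", {"source-repo", "domain-admin"}, mfa=False),
    Account("ceo", "executive", {"crm", "payroll"}, mfa=True),
    # IT keeps admin rights on a separate, non-daily account.
    Account("it-admin", "it", {"domain-admin"}, mfa=True, daily_use=False),
]


def audit(accounts, policy=RESOURCE_NEEDS):
    """Return (rule, account, resource) findings for every policy violation."""
    findings = []
    for acct in accounts:
        # Need-to-know: every grant must be justified by the account's role.
        for resource in sorted(acct.grants):
            if acct.role not in policy.get(resource, set()):
                findings.append(("excess_access", acct.name, resource))
        # No standing admin rights on the account used for daily work.
        if ADMIN_RESOURCE in acct.grants and acct.daily_use:
            findings.append(("standing_admin", acct.name, ADMIN_RESOURCE))
        # Every account must have a second factor.
        if not acct.mfa:
            findings.append(("no_mfa", acct.name, ""))
    return findings


def accounts_with_findings(accounts, policy=RESOURCE_NEEDS):
    """Names of accounts that need remediation, in inventory order."""
    flagged = {name for _, name, _ in audit(accounts, policy)}
    return [a.name for a in accounts if a.name in flagged]


if __name__ == "__main__":
    for rule, name, resource in audit(ACCOUNTS):
        print(f"{rule:15} {name:10} {resource}")
```

On the constructed inventory the sales rep is flagged for payroll access, the engineer for domain-admin rights on a daily-use account without MFA, and the executive and the separate IT admin account pass clean, which is the split between working accounts and admin accounts the post recommends.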
Employees need to know more than just how to use the telework programs. Train your employees on cyber security before they go home to work. This is especially crucial if they use their personal computers to telecommute.
Employees should know how to spot and respond to unusual computer activity, which can be an indicator that malware is present. They should also be prepared for phishing and social engineering attempts to gain user account access. Train them on who to contact for IT support and how to verify the person asking for access to their computer is the correct person.
Your employees’ home computers will be the weakest link in your cyber security, so verify they know how to keep their computer safe and how to securely access your systems. Doing so protects them and your business from malicious actors.
Telework comes with risks, but with strong security policies and the right cyber security in place, it is worth the investment. A good managed IT services partner can walk you through the process and make sure your business is safe and productive anywhere. For help setting up a telework network, contact the experts at Anderson Technologies by email at firstname.lastname@example.org or by phone at 314.394.3001.
Looking for more guidance on how to keep your work from home systems secure? We’ve got some essential tips on a new blog post, “Working from Home Due to COVID-19: Keep Your Company Data Protected.”