The pandemic has many companies’ employees working remotely, and – in the rush to transition to work-from-home – not every company fully explored the resultant information security ramifications. Following are some steps companies can take to reduce the cybersecurity risk for those workers, helping protect against disruption or loss of control over sensitive information assets.
Secure computers where information is worked on and stored
Ideally, work should only be done on work computers that are secured, monitored, and backed up by the company. In this scenario, home computers have a reduced role, being used to remotely access the work computers from which secure file storage and web applications are accessed. More commonly, but with less security, computers are used to securely access web applications and centralized file storage, which at least can be used to provide access control and backups. Otherwise, the company must consider how it will manage and minimize the risk of home computer operating system and web browser configurations, password practices, security updates, malware and ransomware, encryption, and backups. That applies both to home computers and mobile devices.
Manage the physical security of the work-from-home environment
The employee must manage the physical security of their home office, computer, and mobile devices. Printouts, a logged-in computer, flash drives, and an unlocked password manager all entail risk and must be especially protected from unauthorized access. If home computer access is shared with, or accessible by, family members or other visitors, there is greater risk of unauthorized access to company information.
Secure the connections
Ideally the company provides, and employees use for work, an encrypted virtual private network (VPN) that leverages multi-factor authentication. That way the computer is inside the company’s firewall and appropriate network controls, monitoring, and web filtering can be implemented. The VPN should always be used if using a public wireless access point; otherwise, employees should always use wired or securely encrypted wireless connections. Ideally, computers, regardless of location, are protected by a modern cloud-based security solution.
Maintain security awareness
Even if a company has a robust set of up-to-date security policies which tell employees the steps they are expected to take in protecting the company’s information resources, employees will require regular training on those policies to maintain security awareness. Training on detecting email and text message phishing, social engineering, ransomware, and business email compromise is especially important as remote employees have been increasingly targeted by hackers using those techniques.
The pandemic, with its dramatic increase in home-based employees, has created an increased information security challenge. All employees have an important role to play, but it is the executive’s responsibility to ensure that the response is coordinated and that company standards are set at an appropriately high level to protect company data and ongoing operations.