For many people around the world, a new, unexpected phase in their working career begins this week – working from home. Now under normal circumstances, the decision to work from home, or the development of a corporate policy that allows employees to work from home, comes after addressing and documenting all potential issues/concerns. Sadly, thanks to the Coronavirus Pandemic, we are not living under ordinary circumstances; therefore, the move to work from home may put your company and employees on uneasy footing. Since a majority of the workforce may already be working remotely, you may think it is too late to roll out a new IT policy, but in the immortal words of Yogi Berra, “it ain’t over ’till it’s over.” Here are three simple, yet essential policy steps you should roll out ASAP to your staff.
Before we discuss the policies, let’s talk about what your employees are probably facing when working from home:
- The security measures implemented in the company network, such as the corporate firewall and anti-phishing security controls, are not present when working from home
- The router the employee connects through at home is most probably not secured and may contain vulnerabilities, since no one regularly monitors it for scanning activity or backdoors
- If the company does not issue a corporate laptop, the employee will use their personal computer. Their computer doesn’t contain security products used by the company, is not actively monitored by the company, and might already contain malware and exploits
- Working from home might lead to saved passwords for the employee’s personal accounts being mixed with those for their company accounts.
If working from home is new to your employees, you need to make sure they understand that the corporate laptop is for work purposes only. Of course, you don’t need to worry about the employee getting weather or news updates on the computer; that is normal. What you don’t want to find out is that their 14-year-old son used it to stream FIFA 2020 on Twitch from midnight to 4 am. While he may have no malicious intent, his use of the computer opens up the potential for an attacker to entice him to click on a link or open a document that could silently install a malicious application. Now the attacker has struck gold with a backdoor into a broader corporate environment. It is worth noting here that an endpoint security product can mitigate this risk as it has the built-in ability to analyse and prevent malicious files from reaching a computer’s hard drive without any connection to the corporate environment. The remedy here is an easy, non-technical one. Grab a large sticky note, write in big, bold letters – WORK COMPUTER – DO NOT TOUCH – and affix it to the screen.
VPN to the very end
In the age of the cloud, we are used to routinely accessing essential company data via cloud apps. Our task management, product development, and other productivity tools are cloud-based. It is so common today that we think nothing of it when working in the office. However, when we leave the safe confines of our corporate network, it’s easy for employees to forget that it’s a dangerous world out there. Ensure every employee knows to use their Virtual Private Network (VPN) when working from home.
In some cases, the need for a VPN will be evident since the apps/data themselves will be inaccessible without the VPN connection. In other cases, however, employees could be sending sensitive company information into the wild without the VPN active. The answer is simple: when in doubt, VPN.
Clear the set
Good computer hygiene dictates closing off any company assets accessed on your laptop during your typical day. This practice remains in effect whether the employee is in the office or working from their kitchen table. Even if your workforce has scattered to the wind, make sure they continue to clear their cache regularly. On a related note, it’s not uncommon for many employees to take advantage of convenient features in their favourite web browser to store their login credentials for any sites they visit. While this may be something they do with their home computers, it is not something you want them to do with their corporate asset. If you can, deploy a password storage solution across the workforce.
Honourable mention: The phisher king
Recently we have noticed an uptick in new phishing campaigns targeting employees eager for the latest information on the Coronavirus outbreak. These phishing emails promise to offer information on new testing facilities, infection maps, or information on new closings in the employee’s area. The attacks go something like this:
The employee will receive an email from what they think is a trusted source, such as a local news organisation or even a trusted friend. The email aims to look legitimate in style and design, often using a trusted logo in the header. The email body will be short (by design), and the attacker will be assuming the employee will initially review the email on their phone. Seeing the subject line related to the outbreak, the employee will eagerly read the email and, without hesitation, click on a link offering the information noted in the subject line. Unfortunately, instead of getting up-to-date outbreak information, malicious applications may be installed silently on the computer, or the attacker may gain a foothold into the machine to use at a later date.
The moral of this story – make sure all employees, whether in the office or now working remotely, keep their guard up at all times.
Finally, it’s essential to provide employees with a simple-to-follow checklist of do’s and don’ts when working from home:
- Only connect to trusted Wi-Fi connections and networks
- Only install approved applications on your corporate laptop
- Maintain communication between your co-workers and manager
- Inform IT immediately if you see any suspicious activity on your computer
- Ensure that the only VPN that you are connected to is that of your workplace
- Make sure there is an endpoint security tool installed on your computer. Ensure that it is updated and configured correctly
- Don’t share your corporate laptop with anyone, even family members
- Don’t connect to a Public Wi-Fi
- Don’t save any company confidential information to your personal accounts
- Don’t leave your computer unlocked at any time, even when at home
- Don’t save any company passwords to your personal web browser
- If you receive a suspicious email, do not open any links or download any attachment
Stephen Salinas, Head of Product Marketing, Deep Instinct