The COVID-19 pandemic reshaped our workplaces in the blink of an eye, with social distancing requiring many employees to take their work home with them. This quick shift forced IT teams to cobble together work-from-home policies aimed at securing businesses’ data and devices regardless of location, while still enabling employees to maintain productivity. Particularly for organizations new to having any employees work remotely, this has been no easy task.
But effective policies aren’t just essential for navigating businesses through this current predicament. Many expect they’ll remain crucial to data security and productivity as distributed offices likely represent a new normal in the future.
As a longtime data and device encryption provider, Beachhead Solutions has seen firsthand how businesses get into trouble without a thorough security strategy. In this eWEEK Data Points article, VP Cam Roberson of Beachhead Solutions uses industry information he’s gathered to highlight five ways to put data security policies in place for the long-term WFH era.
Data Point No. 1: Ramp up employee training to teach workers self-defense in an environment that’s dangerous to data.
It remains unfortunate but accurate that employee behavior is the single greatest threat to a business’s data security. Whereas infiltrating systems through software exploits or similar avenues requires technological ingenuity to bypass security measures, the successful exploitation of an employee means they’ll simply (and usually unwittingly) prop open the door.
That’s not to say attacks targeting employees aren’t clever; phishing techniques have become quite sophisticated and difficult to detect. Even more dangerous are spearphishing attacks that leverage detailed information to more effectively target specific individuals. For example, an employee might receive what appears to be an email from their boss, directing them to divulge login credentials, or to refund a customer charge by wiring money. These attacks succeed often enough under normal circumstances. But they’re that much more potent under the current work-from-home conditions, where tricks can’t be sorted out with a simple desk-side conversation in the shared office.
Data Point No. 2: Beware the family.
Another risk area arises from computer sharing, where an employee will allow family members (often children) to use their business devices with credentials entered. This practice exponentially increases the risks to data and systems accessible from the device. Unfortunately, untrained employees with work devices in the home and kids to entertain find this high-risk convenience all too tempting. It’s also worth remembering that criminal attackers are themselves more likely to be working from home, giving them experiences to draw from in refining their tactics and exploiting the specific vulnerabilities of work-from-home employees.
To counter these increased risks, organizations must implement more intensive employee training regimens – as well as more secure policies that prevent any single employee from unilaterally putting data or company funds in jeopardy. Available training management tools can be used to train and certify employees in recognizing phishing attacks. Some training solutions will even send employees benign spear-phishing emails to test their behavior in realistic scenarios. This focused training will make employees better caretakers of sensitive data, equipping them to weather the current influx of COVID-19 email scams.
Data Point No. 3: Utilize a VPN and other security tools to provide access that’s both seamless and secure.
The most common hesitation organizations have about implementing a distributed office environment is concern over how to protect devices at large from becoming compromised (and thus opening them up to data breaches). However, safeguards to establish secure work-from-home environments are readily available.
First of all, businesses should introduce a VPN as part of their remote work policies to ensure that communications within the distributed office are secure. At the same time, be aware that recent infamous VPN software vulnerabilities have increased the risk of compromise. Make sure that your VPN of choice is fully up to date. Also verify that all employee-used remote work devices have the most recent security patches, and that anti-virus software is present and turned on.
Data Point No. 4: Harden systems by streamlining software down to what employees need, and nothing else.
Each piece of software running on an employee-used device carries a degree of risk. Applications that aren’t accessed frequently and don’t contribute to productivity should be removed to limit the attack surface to only the tools actually needed. Applications should also be kept up to date to ensure they have the latest security fixes.
Data Point No. 5: Protect data with encryption, remote access controls and remote deletion capabilities.
Data on employee-used devices – especially sensitive company data – must be protected by encryption that can immediately render it inaccessible to anyone without the proper credentials. That said, there are scenarios where encryption still isn’t enough to guarantee data security (employees sharing company computers with family members comes to mind). If a device is lost or stolen from a remote employee during an active session, or login credentials are compromised, then data may be as well. Organizations should have data encryption and access control tools – SimplySecure being one of them – in place. This strategy will ensure data security by remotely deleting data from devices if necessary.
Guided by these methods, businesses can make smoother transitions to running efficient distributed offices – where employees can work from home productively while keeping company data secure. Given that the return to the office may not come soon – and offices may in fact never be the same again – these security strategies and policies will set up a remote workforce for the long term.
Photo by Daria Shevtsova, Pexels