CYBER SECURE: Remote work introduces new vulnerabilities to corporate networks
Working remotely may be the new normal, but it comes with digital risks. Follow these steps to minimize them
Apart from the challenges to teamwork and supervision, having employees work from home increases the risk of a digital security breach. Home wifi networks and devices tend to have lower barriers to entry than in-office systems, with weaker passwords and less secure configurations, says Kemar Wilks, senior digital forensic examiner for Richmond-based TCS Forensics, a cybersecurity and investigation firm. He advises companies to:
• Follow regular computer network and software patch management protocols and ensure that security versions with all computers and mobile devices employees use for work—including their own—are up to date.
• Instruct staff to use strong passwords and multi-factor authentication (MFA), which requires two or more steps to log into company networks and applications. (Microsoft’s Office 365 suite, for example, doesn’t use MFA as a default setting, so you have to add it.)
• Plan and organize remote vulnerability assessments or penetration testing on virtual private network (VPN) security and web applications. This usually involves hiring an external IT contractor—a “white-hat hacker”—to send phishing emails or try to break into the VPN portal to see how far they can get.
• Conduct virtual security awareness sessions with staff to help them recognize phishing emails, misuse of the organization’s intellectual property and other security issues.
If staff are using their own computers or mobile devices to access company email, networks and servers, Wilks further recommends that employers:
• Utilize mobile device management (MDM), which lets companies control their data even if it’s on an employee’s phone. If the device is lost or stolen, the data can be immediately wiped to protect it from getting into the wrong hands.
• Use geolocation restrictions. This means an employee can only access data when they’re physically located at certain places such as their home or on the company’s premises.
• Only allow access to devices that meet security requirements. In effect, an old unpatched phone with 1234 as the lock code shouldn’t have access to the company’s data because of the potential vulnerabilities. Some MDM services enforce this feature, but it’s important for the IT staff to ensure that it gets done.
• Get employees to review and minimize the permissions for any installed non-work-related apps. For example, a calculator app shouldn’t need to access your photos, videos, calls and messages.