Remote working is in vogue these days due to the lockdowns that have come from the COVID-19 pandemic. Yet, as workers shift to their homes, new cybersecurity issues come into play. By moving critical data and infrastructure away from the office, companies are inadvertently exposing themselves to increased cybersecurity threats.
This is a dual threat: as people migrate to their own personal devices and networks, they are left with options for doing their work that are both less secure and slower.
Here are a few condensed points on what particular threats exist and what can be done to mitigate them. The guide is meant to help you and your team members work from home securely without suffering a slowdown in performance. On one hand, we suggest a number of items and links you can send team members in a consolidated guidelines document. On the other, we suggest tools and products you can use to ensure security and performance in these uncertain times.
1- Connection To The Internet
Getting access to sensitive corporate data now comes with more risk. Instead of going to the office and signing on to the better-protected corporate network, team members are now using home networks or even open public WiFi that may be unsecured and vulnerable to attack.
If possible, providing a VPN connection to the office network is ideal from both a safety and a performance perspective, since personal networks will also be clogged by the high number of people working from home.
You might consider using a bridge network or a VPN such as WireGuard (or similar VPN settings) to ensure that the entire company is connecting over the most secure connection possible.
Discourage the use of open public WiFi such as you might find in a cafe or other public space, and provide hygiene suggestions for personal Internet networks. For example, team members should change the default password on their router. If possible, they should use upgraded firmware or routers that take security into account, because the basic routers most ISPs provide may be poorly secured against attack.
Personal WiFi networks should have strong passwords. They should now be treated like work networks, since they will be used to access corporate data and networks.
- Look into a corporate VPN (for example, WireGuard) or a bridge connection
- Discourage the use of open, unsecured public WiFi
- Look into buying personal VPN solutions such as NordVPN for team members
- In a set of condensed guidelines, include the need for router security
2- Personal devices
Whatever policies and tools you have to protect corporate information are now exposed to a variety of personal devices. You need to ensure that team members keep their personal devices up to date (for example, macOS updates on personal Macs) and that they run malware protection on them. This requires a degree of auditing of personal devices and some guidelines or training for team members. Their routers must also be secure for their home networks to be secure.
If your team members are on Android devices, consider telling them about security software such as Lookout. If your team members are on iOS devices, ask them to update to the latest version.
Now that work has come home, personal devices are both more exposed to attackers and a more attractive target than they otherwise would be.
As a result, the attack surface for your company now also includes any connected devices from Alexa to smart bluetooth devices connected to the personal networks of team members. Everybody should make sure to update individual connected devices as well as monitor the overall security of their network.
- Ensure everybody is up-to-date on all OS updates
- If they’re on Android, get team members to use a mobile protection tool like Lookout.
- Ensure that all personal devices have basic anti-malware protection: for example, a product like Sophos Home for computers
3- Physical security and device PINs
Sensitive data and access are now delegated to personal devices. Having a secure password and/or PIN that gates access to each person's laptop and mobile phone is now critical. Instead of a security guard or other physical security preventing unwanted intrusion into corporate space, you have many devices spread out with no centralized physical security at all.
Devices might be in different homes, or they might be left in public spaces. There have to be guidelines requiring users to set passwords on personal devices to avoid theft of corporate data.
Team members should shut down their personal devices entirely whenever they will be away from them for an extended period of time. This includes any devices left in the office, which should also be shut down. If you do need to work outside the home, take care to protect devices from theft as much as possible.
- Put together in a consolidated guidelines document instructions for setting up passwords or PINs for physical access
- Train everybody on the importance of increased vigilance over their devices
4- Data access should be encrypted and backed up
With device encryption you retain some protection even if an attacker gains physical access to a device.
Team members should also have backup capability for personal devices that hold corporate data, ideally cloud storage with secure options, such as NextCloud or Tresorit.
A small but potentially important consideration is to take home any physical items in the office that contain passwords. This both maintains your access to them and protects against intruders entering the office. It is better to shift towards a password manager like 1Password, but for now, any physical artifacts such as notebooks or post-it notes that contain passwords should be taken home and either moved into a password manager and then destroyed, or kept somewhere that cannot be accessed without authorization.
- Use disk encryption such as BitLocker for hard drives that contain sensitive data.
- Teams should be able to back up data securely and seamlessly with a solution like Tresorit. You can combine cloud resources and encryption with the right provider, but you have to be very careful uploading anything to the cloud.
- Encourage team members to bring home with them any physical artifacts with passwords and sensitive data they might have in their office — for example, post-it notes with passwords.
5- Protect against phishing attacks and other virtual threats
Unfortunately, even if you’re working from home, cybercriminals are too. Phishing emails and hacks still continue. Clicking through urgent or tempting-sounding messages might happen even more often than usual in these times.
Make sure that team members are given phishing guidelines, from verifying the domains behind emails to identifying and reporting common attacks. You should also configure your email settings so that phishing attacks have a lower chance of succeeding; tools like Mimecast make it easier to mark external emails. This reduces the phishing attack surface in two ways: training team members to avoid attacks, and ensuring that fewer phishing emails reach their inbox in the first place.
There should also be two-factor authentication rules in place, ideally avoiding SMS-based solutions, which are vulnerable to SIM-swapping attacks.
These rules can be distributed as team guidelines or enforced through G Suite or Microsoft Teams policies (requiring strong passwords or multi-factor authentication) in order to ensure compliance.
Use a tool such as Authy or Google Authenticator for more secure two-factor authentication. For critical infrastructure, you may want to consider hardware security keys such as the YubiKey.
- In a document of consolidated guidelines, offer phishing guidelines and send examples of phishing attacks
- Set up your email settings, perhaps using a tool like Mimecast, to maximize the number of phishing attacks that land in spam and tag emails that come from external sources so your team members will be more cautious around them
- Work with your team to set up non-SMS two-factor authentication using a tool like Google Authenticator or Authy. For really critical data or infrastructure, consider hardware authentication keys such as YubiKeys. These hardware keys essentially reduce your phishing risk for that particular access to near zero, because a team member has to physically touch the key to gain access to an account, but they will require some training and onboarding.
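As an added example (not from the original guide) of the two checks described above, tagging external mail and verifying the domain behind an email, here is a small Python filter. The corporate domain example.com, the one-edit look-alike threshold and both sample messages are constructed placeholders.

```python
"""Tag external senders and flag look-alike sender domains (added example).

Assumption: the company owns only example.com; the messages below are constructed.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # constructed placeholder for the corporate domain(s)

def sender_domain(header_value):
    """Lower-cased domain of an address header such as '"IT" <it@example.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw_message):
    """Return external/look-alike/reply-to findings plus the tagged Subject line."""
    msg = email.message_from_string(raw_message)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    external = from_dom not in INTERNAL_DOMAINS
    # a domain one edit away from ours (examp1e.com) is a typo-squat, not a colleague
    lookalike = any(0 < edit_distance(from_dom, d) <= 1 for d in INTERNAL_DOMAINS)
    subject = msg["Subject"] or ""
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"external": external, "lookalike": lookalike,
            "reply_to_mismatch": reply_dom != from_dom, "subject": subject}

# Constructed sample messages: one look-alike lure, one genuine internal mail.
SAMPLE_PHISH = """From: "IT Helpdesk" <support@examp1e.com>
Reply-To: helpdesk@mail-drop.invalid
To: alice@example.com
Subject: Urgent: reset your VPN password

Your VPN access expires today.
"""
SAMPLE_INTERNAL = """From: bob@example.com
To: alice@example.com
Subject: Standup notes

See attached.
"""

if __name__ == "__main__":
    print(classify(SAMPLE_PHISH))
    print(classify(SAMPLE_INTERNAL))
```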
6- Social media guidelines
Your team members will now be away from the office, and they may spend more time on social media and other personal sites. This has cybersecurity implications: attackers commonly use social media to "scout" their targets, collecting open-source intelligence to map out the organizational structure of a team and its methods of communication.
Consider mandating an enterprise-grade password security tool like 1Password to ensure that your team members are using safe, secure passwords across their social networks. Ensure you have guidelines in place for social media that minimize disclosing critical work information. You should also check on LinkedIn to make sure job descriptions contain the right mix of highlighting good work and keeping critical business processes confidential.
- Use an enterprise-grade password manager like 1Password so that team members with social media accounts use secure passwords by default.
- Put social media guidelines in a consolidated guidelines document
7- Use encrypted communications when possible
The need to communicate virtually has become critical, and you need standards that keep those communications secure and encrypted where possible. Something like Slack works great for group chats, but Keybase stores files and text sent between team members encrypted by default, unlike Slack, which is not end-to-end encrypted.
For mobile communications and calls, consider WhatsApp or Signal, which are end-to-end encrypted by default so that only the sender and the recipient can read a message. Other solutions such as Skype and Messenger do not offer this. Commonly used videoconferencing solutions such as Zoom are not encrypted by default; if you are going to use Zoom, there are ways to minimize the privacy and security problems in its usage.
- For sensitive work-related group communications, consider switching from unencrypted solutions like Slack to end-to-end encrypted solutions for files and chat such as Keybase.io.
- For sensitive personal communications, consider using WhatsApp or Signal, which are end-to-end encrypted, rather than solutions such as Skype or Messenger.
- Make sure you are using video teleconferencing solutions like Zoom in a secure fashion.
8- Ensure there's a point person for security/performance
Many of the security issues you will encounter come about because team members are working in a new context with little experience of it. Most of them are used to having security and performance provided for them: all they had to do was show up to the office and log in.
Make sure that somebody in your office is designated as a point person to deal with any speed or security issues that come up. This is especially important for phishing: there should be a designated channel where people report attempted phishing attacks so that everyone knows where to surface them.
This could be a chat channel or a designated security/admin person with some technology background. For most startups, this might be the CTO or a senior developer. For businesses without a technical expert on staff, consider hiring an external contractor or training your HR/admin team to provide these guidelines.
- Ensure there is a point person or team to contact in case there are security or performance issues.
- For phishing attacks, you'll want somebody to whom attacks are reported, who curates and reviews them and sends out a notice when patterns of attacks are detected, especially novel ones.
9- Performance doesn't have to be sacrificed for safety
Safety can seem like an additional burden, and guidelines for team members risk becoming just another bureaucratic checklist, barely observed or regarded. Yet security, properly implemented, does not have to be a tradeoff against performance: well-architected products, including some of the ones recommended here, make security easier for your team.
It is important to balance security and performance and optimize for both. Everybody will still want to get their work done as efficiently as possible, and solving for performance helps ensure that they are not slowed down in the name of security, which in turn helps people adapt to the new security environment.
Here are the guidelines and next steps in a condensed fashion:
- Get team members to use their personal networks instead of public ones and make sure their personal networks are as secure as possible
- Make sure you upgrade personal devices to the latest version
- Power off devices when they’re not in use, and set a PIN to access them
- Backup and encrypt all sensitive data
- Implement protections and guidelines for phishing
- Check over passwords and authentication as well as social media to minimize how much attackers can get
- Use end-to-end encryption enabled apps by default for communication such as Keybase and Signal. Avoid those that are not encrypted
- Make sure there’s a contact person or channel where team members can surface WFH issues or other security issues
- Combine performance with security so that team members can easily integrate security
Sample outline for condensed guidelines
- Intro and rationale
- Router/personal network security
- Personal devices guidelines
- Physical security/PIN guidelines
- Data guidelines
- Social media guidelines
- Phishing guidelines
- Who to report security issues to
- List of recommended tools