7 essential remote worker security policies for IT departments
With the COVID-19 pandemic forcing so many to work remotely, IT admins need to update the security aspect of their organization's work-from-home policies to keep pace with this trend.
When COVID-19 first hit, organizations focused on enabling remote work for their employees, but the next step is to ensure that proper security policies keep work-from-home users' data secure.
While some data security policies remain the same whether workers are at the office or at home, remote work presents various new threats that IT departments need to reckon with. Reliance on home networks and an increase in the use of personal devices are just two factors that could alter an organization's remote worker security policy.
Learn these seven policies that organizations should consider with the changing landscape of remote worker security, including new technologies and device management policies and best practices for users.
1. Avoid public Wi-Fi whenever possible
Many users will have a remote work setup in their own home, so public Wi-Fi may not be a consistent issue. However, it's hard to guarantee where workers will work from during their day.
Public Wi-Fi presents major security risks. It enables anyone on the public Wi-Fi a view of the worker's web traffic -- if they know how to look for it. Hackers can launch blunt-force attacks as long as the worker's endpoint is connected to that public network. In addition, workers could be fooled into joining a hacker's own network because it is disguised as a typical guest Wi-Fi network.
The easiest way to prevent these types of issues with remote workers is to establish an organization-wide policy against using public Wi-Fi for any endpoint that has access to business data. However, it may not be realistic to expect users to follow the policy, especially with work email accessible from personal mobile devices or desktops.
Organizations that deploy smartphones or tablets can tell workers to use a hotspot for those situations when they might have to connect via public Wi-Fi. While this approach will lead to increased cellular data costs, it will keep corporate data a bit safer when users are working outside the home.
2. Secure all internet connections
Even a home Wi-Fi network isn't perfectly secure, especially compared to a corporate network in a traditional office setting. This is especially true if a home network has a simple password that's easy to guess. Once a hacker has access to a home network, they can view any ingoing and outgoing traffic from the user's Wi-Fi connected devices.
IT administrators can set a policy on the strength of Wi-Fi passcodes for users' home networks. While some users may bristle at this policy from a privacy perspective, simply setting password conditions such as a character count minimum and the use of capital letters shouldn't be too much to ask of them.
Additionally, IT can deploy secure web gateways to add a layer of security. This technology filters out suspicious content, blocks unencrypted sites, and flags and alerts IT of suspicious user behaviors.
3. Beef up authentication standards
With so many workers accessing corporate data from remote locations, it's critical to ensure that users accessing this data are who they say they are. Outside of the office, users could leave their work devices, including laptops and mobile devices, unattended or in public locations.
Users may live in places that have many people coming and going, such as large apartment buildings, which could put them at additional risk of device theft. Without the office as a central secure location, it's difficult to know who is logging on to a work device. Authentication technologies can mitigate this risk.
Organizations can turn to biometric authentication, location-based authentication, two-factor authentication (2FA), multi-factor authentication (MFA) or any combination of these technologies. In the past, organizations have relied on a single authentication factor: the password. However, malicious actors can guess passwords, especially if they are weak. Organizations have therefore turned to other authentication methods to further verify the identity of an employee.
Many organizations use 2FA or MFA to add a new authentication factor to the process. MFA refers to any use of multiple authentication factors, including two factors or more, whereas 2FA specifically refers to only two authentication factors in use. The factors that IT can add to supplement the password include biometric authentication -- a fingerprint or iris scan -- and location to ensure the laptop is in a recognized location when it logs in or accesses corporate systems.
4. Limit BYOD access to corporate data
The increase of remote work has led to more BYOD use for some organizations. More BYOD endpoints accessing corporate data means more devices that hackers could steal corporate data from. This increased vulnerability may be a necessary sacrifice to fully enable a remote workforce, so IT professionals may need to take steps to mitigate the potential for data loss.
Organizations can easily enroll all BYOD endpoints in a mobile device management (MDM) or unified endpoint management platform. This enables IT pros to encrypt company data and separate it from the rest of the device.
If a device is not enrolled in an MDM platform, securing the device becomes a bit more difficult. Organizations could approach corporate data security at the application level if they lack management capabilities for BYOD and force a 2FA login each time a user accesses the business application.
5. Restrict personal applications on work devices
For corporate-owned devices, organizations have a different problem: blocking personal applications. While a nonwork application could seem innocent, it could cause a significant amount of harm and corporate data loss. The personal application could pretend to be a certain type of software but be a piece of malicious software. Even if it is the safe software the user believes it to be, users could accidentally give the application permission to access sensitive information.
When devices are corporately owned, organizations can take direct control of end-user devices and block downloads of unapproved applications for desktops or mobile devices. If this is too restrictive, administrators can create a list of approved applications such as browsers and messaging applications. These applications may still present unnecessary risk, however, and the better option may be to lock down the endpoints fully.
6. Deploy encryption on business emails
Email encryption builds on the enhanced security established by some of the previous policies, and it is a good idea for any organization that handles sensitive data. The need for encryption only increases with remote workers sending emails from devices connected to their home networks instead of the corporate network.
Email messaging isn't inherently secure, so organizations must take steps to make it more difficult to intercept their communications. With email encryption, any mail client that would attempt to view a worker's emails won't be able to access them without the proper decryption key.
Organizations would likely have to purchase access to this technology, as DIY email encryption can be difficult to set up and transport layer security encryption only functions if the recipient and the sender have the proper encryption configurations. Typically, the best option for organizations is to subscribe to a service that offers end-to-end encryption without requiring the recipient to have the proper encryption configurations. Some examples of these offerings include CounterMail and Zoho Mail.
7. Set policy on securing business devices
While it may sound overly simplistic, organizations should set a user policy to keep work-related devices in safe locations at all times.
This would prevent devices from being in cars, hotel lobbies, cafes or other public places while unattended and would drastically lower the risk of device loss and the potential for major breaches. While IT can wipe stolen devices remotely -- and most devices are at least password protected -- a stolen device in the wrong hands could lead to major data and financial losses.
With so many workers accessing corporate data from remote locations, it's critical to ensure that users accessing this data are who they say they are.