Maintaining Security While Employees Work Remotely
The morning commute today consisted of walking out of the bedroom, making a quick stop in the kitchen for coffee, and firing up the Virtual Private Network (VPN) on my company’s laptop in my home office. Without a doubt, the Coronavirus pandemic has significantly impacted how we approach day-to-day work. Even the social norm of wearing pants is now optional. Thankfully, technology like VPNs and collaboration platforms such as Zoom, GoToMeeting, Google Hangouts, and Microsoft Teams are making working remotely possible in all industries and education sectors. While technology has made it easier to work from home, maintaining security while employees work remotely does come with an increased amount of risk. Risks include the lack of automated patches or updates, sending sensitive data through unencrypted email, and improperly securing collaboration software.
Security Basics for
Working Remotely
There are a few security concerns when working with company hardware outside of the confines of a corporate network. When a company machine is used at work, it is secured by a myriad of security measures such as group policy, firewall, and automatic updates. When a laptop is utilized outside of a corporate network from a remote location, these safety measures are significantly degraded or not even in place at all.
It is highly likely a home internet connection has less security than a hardened corporate network. This presents an opportunity for adversaries to hack a corporate device while it’s outside of a secure enclave. These attacks may not even surface until the device is back inside the network behind the firewall or other security measures. The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security’s cyber agency, recently issued an alert pointing to specific cyber vulnerabilities around the security issues working remotely versus at the office.
Recommended measures to improve security while employees work remotely:
Ensure the latest software patches and security configurations are in place for devices being used to remotely into work environments.
- While this may be automated while inside the corporate network, users may need to check the status of Microsoft updates, anti-malware software updates, and collaboration software security settings.
- Some users may need cursory training on how to check the status of their specific devices.
Implement multi-factor authentication (MFA) for any corporate information system access.
- MFA is a security system that verifies a user’s identity by requiring two or more different factors to achieve authentication; or in other words, it is something you have and something you know (e.g. password or pin) and something you have (e.g. token or cell phone)
- Commercial examples of MFA include Google Authenticator, Microsoft Authenticator, and Yubikey.
If MFA is not implemented, require employees working remotely to use strong passwords.
- For a strong password example, use at a minimum, a case-sensitive, 15-character mix of upper-case letters, lower-case letters, numbers, and special characters, including at least one of each (e.g., DTwWoP29!).
- Alternatively, as brute force technology is getting more prevalent an article by SANS explains the use of passphrases as a substitute to passwords.
Utilize Virtual Private Network (VPN) to access corporate network resources.
- Not to be confused with personal VPN services like ExpressVPN, Private Internet Access, and SurfShark which are used to encrypt data from a public network to keep your activity private.
- Corporate VPNs are a secure tunnel that allow authorized teleworking employees to access internal company resources from essentially anywhere in the world.
Ensure IT security personnel test VPN limitations to prepare for mass usage.
- Moving from a handful of users to company-wide telework is a significant stress on the VPN, ensure you have the bandwidth and number of connections available.
Increased Security Issues with Email Phishing during COVID-19 Pandemic
Alert employees to an expected increase in phishing attempts. Coupling your home computer usage with your professional work equipment may also be more prevalent while working remotely. If you are using a corporate machine to check personal email and you fall victim to a phish on your personal email account, it will still affect the machine, and potentially the entire network if you connect to the VPN.
Totem’s Top 5 Rules
to Avoid Phishing Emails:
1. Beware of urgent calls for action – Phishers want to elicit an emotional response (the IRS is coming after you, your credit score is dropping, your bank account will be closed, etc.). Ignore them.
2. Check the spelling – One of the most obvious giveaways in a phishing email is incorrect spelling.
3. Be apprehensive of generic greetings – Any messages addressed generically, especially ones regarding financial transactions, are suspicious.
4. Unexpected attachments or hyperlinks should never be opened – attachments or hyperlinks downloading attachments can contain malware.
5. Hover before you click the hyperlink – This will reveal the true destination of the URL. Phishers often try to conceal URLs leading to malware this way.
Bottom line: increase your email vigilance and trust your gut–if it seems weird or urgent, don’t open it.
Email and Information Transmission Security
Despite logging into an email with a password, it does not make the email itself secure. When an email is sent, it often travels through the internet in clear-text or text that’s readable by a human. This leaves the information in the email vulnerable to undetectable disclosure by a would-be hacker.
Recommendations for information transmission security for employees working remotely:
Enable email encryption
- There are a variety of tools that be used to encrypt email. The most common is the Public Key Infrastructure (PKI), in most cases, a combination of a private key (known only by you) and a public key (known only to those you choose to distribute it to or even made publicly available)
- A sender of an encrypted email would use the recipient’s public key while intended recipients would use their own private key to decrypt those messages into a readable format. In the PKI model, anyone can use a public key to encrypt email, but each encrypted message can only be decrypted by a unique private key.
Use File Transfer Tools
- A more secure way to transfer sensitive information is through a file-sharing program; one example is ShareFile by Citrix
- Create an organization ShareFile account, upload files to it, and then tell ShareFile you authorize sharing files or folders with specified people. ShareFile will notify those people via email, and then they can then view and download those files. ShareFile and tools like it, use Transport Layer Security (TLS) versions 1.2 and 1.3 to create a secure “tunnel.” TLS is considered the best practice and is acceptable for most businesses.
Maintain Security while using Collaboration Tools
The market for collaboration tools has exploded since the Coronavirus outbreak began. By now, you’ve probably taken part in at least one conference call, class, or even a “happy hour” on the popular collaboration tool Zoom. However, there are incidents of “Zoom-bombing” where users are experiencing disruptive (but not necessarily criminal) behavior. Essentially, you have a few bored people dropping in on publicly viewable sessions and broadcasting the most vile acts imaginable to innocent bystanders. Enough users have complained that even Zoom itself has provided a blog with tips to better secure meetings within the tool.
Security recommendations for collaboration tools such as Zoom, Google Hangouts, Microsoft Teams, and GoToMeetings:
A public meeting link is public, so don’t share it with anyone you don’t want in the meeting.
- If you must make a public meeting, make sure it is only available to those who you trust and need to be in the meeting. Do not post the link on publicly viewable social media sites.
Manage participants by ensuring only signed-in participants can join the call.
- This ensures there is positive identification for those who you want in the meeting. That way you can filter out unwanted or uninvited guests.
- Adding two-factor authentication is an even better step for verification of invited guests.
Manage screen-sharing or file-sharing by ensuring you’re the only person in control of the meeting.
- Ensure the collaboration tool is set by default for “host-only” for screen-sharing or file-sharing.
Don’t let your Employees Fall Prey to Common Security Issues while Working Remotely
For more information on how you can make or bolster your cybersecurity program for your business, check out the Cybersecurity Best Practice Guide from the Totem team. Furthermore, you can always contact us directly to learn more about cybersecurity best practices or to get assistance in creating a cybersecurity program that works best for your business. One last tip (not related to security) for working remotely — please wear pants!