12 Security tips for the ‘work from home’ enterprise
If you or your employees are working from home, you’ll need this advice to secure your enterprise.
If you or your employees are working from home while our governments lurch awkwardly through the current crisis, then there are several security considerations that must be explored.
Your enterprise outside the wall
Enterprises must consider the consequences of working from home in terms of systems access, access to internal IT infrastructure, bandwidth costs and data repatriation.
What this means, basically, is that when your worker accesses your data and/or databases remotely, then the risk to that data grows.
While at normal times the risk is only between the server, internal network and end user machine, external working adds public internet, local networks and consumer-grade security systems to the risk mix.
Here are some of the approaches to take to minimize these risks.
1. Provide employees with basic security knowledge
People working from home must be provided with basic security advice: to beware of phishing emails, to avoid use of public Wi-Fi, to ensure home Wi-Fi routers are sufficiently secured and to verify the security of the devices that they use to get work done.
It is likely that attempts to subvert security using phishing attacks will increase at this time.
Employees should be particularly reminded to avoid clicking links in emails from people they do not know, and installation of third-party apps should be confined to bona fide app stores, even on personal devices.
Your people need to be in possession of basic security advice, and it is also important that your company has an emergency response team in place. People need to know who to contact in the event they detect a security anomaly.
2. Provide your people with VPN access
One way to secure data as it moves between your core systems and externally based employees is to deploy a VPN. These services provide an additional layer of security, which (in simplified terms) provides the following:
- Hiding the user’s IP address
- Encrypting data transfers in transit
- Masking the user’s location
Most larger organizations already have a VPN service in place and should check they have sufficient seats to provide this protection across their employee base. Smaller enterprises may need to appoint a VPN provider.
There are lots of VPN service providers, but not all of them can be trusted. (Especially avoid the free services.) ExpressVPN and NordVPN appear to be good choices, but it is in your best interest to do your own due diligence before selecting a provider for your company.
Once chosen, you should ensure that all remote employees are provided with access to the service, and that they use it for all business-related activity.
3. Provision security protection
Make sure up-to-date security protection is installed and active on any devices that will be used for work. That means virus checkers, firewalls and device encryption should all be in place. I have two articles which should help with some of this:
- The macOS security guide
- The iOS security guide
4. Run a password audit
Your company needs to audit employee passcodes.
That doesn’t mean requesting people’s personal details, but it does mean that passcodes used to access any enterprise services are reset and redefined in line with a stringent security policy.
Alphanumeric codes and two-factor authentication should become mandatory, and you should ask your people to apply the toughest possible protection across all their devices. You should also ensure all your business-critical passwords are securely stored in the event anything happens to key personnel. An enterprise-focused password manager such as LastPass may help here.
5. Ensure that software is updated
Encourage your teams to upgrade their software to the latest version supported under the company’s security policy. (Some enterprises lag the release schedule for Apple software, though most don’t.) Activate automatic updating on all your devices.
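As an added illustration of tips 3 and 5 (not code from the original article), here is a small macOS posture check that an IT team could push through an MDM script policy. It assumes it runs on macOS as an admin user, and that Apple's `fdesetup`, `socketfilterfw` and `defaults` tools print the status strings shown in the comments; the parsing functions take captured output as an argument so the logic can be exercised without a Mac.

```shell
#!/bin/sh
# Added example: checks three of the controls the article asks for on work Macs:
# disk encryption (FileVault), the application firewall, and automatic update checks.
# Assumed tools/output formats: `fdesetup status` -> "FileVault is On." / "FileVault is Off.",
# `socketfilterfw --getglobalstate` -> "Firewall is enabled. (State = 1)" (2 = block all, 0 = off),
# `defaults read .../com.apple.SoftwareUpdate AutomaticCheckEnabled` -> "1" when enabled.

# Each parser takes the captured command output as $1 and returns 0 (compliant) or 1.
filevault_on() {
  printf '%s\n' "$1" | grep -q '^FileVault is On'
}

firewall_on() {
  # State 1 (on) and 2 (block all incoming) both count as enabled.
  printf '%s\n' "$1" | grep -q 'State = [12]'
}

auto_update_on() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Collects live values, prints one PASS/FAIL line per control and returns the
# number of failing controls, so an MDM policy can flag a non-zero exit code.
posture_report() {
  fails=0
  fv=$(fdesetup status 2>/dev/null)
  fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
  au=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)
  filevault_on "$fv"   && echo "PASS FileVault"             || { echo "FAIL FileVault";             fails=$((fails+1)); }
  firewall_on "$fw"    && echo "PASS Application firewall"  || { echo "FAIL Application firewall";  fails=$((fails+1)); }
  auto_update_on "$au" && echo "PASS Automatic update check" || { echo "FAIL Automatic update check"; fails=$((fails+1)); }
  return $fails
}

# Only run the live report on macOS; the parsers above work anywhere.
if [ "$(uname)" = "Darwin" ]; then
  posture_report
fi
```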
6. Encourage the use of (secure, approved) cloud services
One way to protect your employee end points is to ensure your confidential information is not stored locally.
Content storage should be cloud-based where possible, and employees should be encouraged to use cloud-based apps (such as Office 365). It’s also important that any third-party cloud storage services used are verified for use by your security teams.
NB: This is particularly important if your business requires use of critical personal data.
7. Reset default Wi-Fi router passwords
Not every employee will have reset the default password for their Wi-Fi router.
If you have an IT support team, then providing telephone guidance to secure home routers should become a priority. You do not want your information being subjected to man-in-the-middle, data-sniffing or any other form of attack.
You may also need to make arrangements to pay for any excess bandwidth used, as not every broadband connection is equal. Some providers (most recently, AT&T) are making positive sounds around extending available data packages in the current crisis. Employees should be told to avoid public Wi-Fi, though if it must be used, doing so over a VPN makes it a little more secure.
8. Mandatory backups
It will be useful to ensure that online backup services are used, if available.
Otherwise, employees should be encouraged to use external drives to back up computers. If you use a mobile device management (MDM) or enterprise mobility management (EMM) service, then it is possible you’ll be able to initiate automated backups via your system’s management console.
(NB: I’m a little concerned about backup to local storage in employee homes, as this simply becomes another potential security problem.)
9. Avoid the use of USB sticks
Don’t use USB sticks at all if you can avoid it. There have been too many examples of such devices being infested with malware. The Department of Homeland Security has a page about this.
10. Use an MDM/EMM solution
It may make sense to deploy an MDM or EMM system at this time.
This will make it much easier to provision and manage your fleet of devices while also separating corporate from personal data. It also ensures device and Mac security can be better controlled.
This is a whole topic in itself, but the experts at companies such as Jamf, Addigy or even your Apple business advisor should be able to provide useful advice.
11. Develop contingency plans now
Triage your teams. Ensure that management responsibilities are shared between teams and ensure you put contingency plans in place now in case key personnel get sick. Tech support, password and security management, essential codes and failsafe roles should all be assigned and duplicated.
12. Foster community and care for employees
The reason many people are working from home is because there is a health pandemic. The grim truth is that your employees may get sick, or worse, during this crisis.
With this in mind, community chat, including group video chat using tools such as FaceTime or Zoom, will become increasingly important to preserving mental health, particularly for anyone enduring quarantine.
Encourage your people to talk with each other, run group competitions to nurture online interaction, and identify local mental health and grief counsellors who may help if the crisis becomes more extreme.
I have heard of one group of people working remotely that are using a home exercise app and Group FaceTime to exercise together during the day, which they think helps boost team feeling even while working remotely.
The bottom line is that your people are likely to be under a great deal of personal stress, so it makes sense to raise each other up through this journey.