Remote work is the undeniable future for most of America’s workers; as companies start to find their own perfect way to set employees up at home, the most important thing to consider is the security risks involved with remote work.
If you're enjoying our 6-part series on WFH, we hope this installment (#5) on user training will offer some information you didn't have, or validate information that you have been testing. Because, as a business owner or information technology professional, you certainly understand the necessity of secure connections and workers who know how to avoid and report security and data breaches.
Email Security Risks
“The problem with old email archives is that they were designed and deployed using very old hardware and software.” - Betanews
Emails have always been a massive gap in security that must be addressed; anyone can send you anything, as long as they have your email address and know how to avoid the spam filters. From a business perspective, email is a necessary evil - companies usually have internal servers that allow coworkers to send messages to one another and to document various tasks and procedures. The majority of security exploits and malware attacks occur within legacy platforms (early 2000s); if you or your business is still using a legacy email, it’s time to cut the ties.
User Training - Recognition
Perhaps the most effective way to prevent security breaches caused by email interactions is to thoroughly train your staff. Recognition of red flags will be your primary line of defense; if a rogue email makes it through your filtering system, you want to be sure that your employees are not going to fall for the bait and make payments or download attachments that will damage your business’s integrity.
Your company should have a system-wide spam filtering system for its email domain; if you don’t, you’re asking for trouble. Employees shouldn’t be providing their company-provided email address for anything other than work, but there will always be a few people who do. Additionally, if your email domain is public, hackers and phishers can easily guess at company email addresses based on your website and LinkedIn. By placing a spam filtering system in your infrastructure, you can eliminate a great deal of security threats.
Virus and Malware Scanning
In addition to spam filters, you can add scanning features to your email domains; these tools will help identify malicious email content, backlinks, and attachments before they become an issue. Should a phishing email or encryption virus make it through your spam filter, they can be identified and blocked before any of your employees see them.
Monitoring for Breaches
While these steps will help your company to greatly reduce the number of phishing and malware attacks, there may still be an employee or two that will be tricked by a cleverly-worded email. Even if you have complete trust in your team, you should still be monitoring your internal systems for compromises and hacks. Unfortunately, many breaches go days or weeks without being noticed, especially if the breach solely targets user machines.
User training comes into play here, again; inform your employees of what to look out for on their devices: general slowness, pop-up advertisements, demands for ransom, locked files, abnormal file extensions or thumbnails, memory dumps, etc.
Web Browsing Security Risks
For those of us who grew up in the years of infancy for the public internet, safe browsing is ingrained in our minds; modern tools have made it more difficult for invisible, malicious scripts and executables to remain inconspicuous, but that doesn’t mean that every webpage is now safe. Perhaps the most important step towards safe browsing is acknowledging that there is someone out there who could trick you. As you train your staff in this area, keep in mind that people will inevitably use their devices on sites other than company domain. Your job is to teach them how to protect the company they work for.
There’s a very good reason why web browsers update so frequently, and many of them automatically patch without anyone becoming the wiser. However, depending on your IT department’s permissions policies, some devices may not be able to run updates without admin approval. It is of the utmost importance that your employees’ browser software stays up to date - loopholes and backdoors are patched more often than everyone cares to admit.
Aside from on-prem, company infrastructure breaches, the two main routes for security compromise are emails and web browsing - both of which are employee-facilitated. These breaches will occur on devices that are used to access company resources, which means that any security vulnerability can be transferred to the corporate infrastructure.
In order to prevent this from occurring, it is highly recommended that each of the devices used to connect to work-related services be protected with ample antivirus and anti-malware measures. ESET is an affordable, highly effective, industry-standard option for businesses.
User Training - Recognition
Another component of maintaining safe end-user devices is to provide sufficient training to employees; by teaching employees how to safely browse the internet (on any device), you can protect your company from in-office and remote user breaches. Correctly identifying malicious web pages is a skill that everyone should have.
Applications for BYOD and Company-Provided Devices
Since the current direction of employment has been accelerating towards remote work, it’s important to consider what this means for the number of employee-owned devices that will be connecting to your business infrastructure. Will you be providing devices for your employees to use at home? Both options have significant pros and cons; whatever you choose, there will be hurdles and settings to optimize.
When your employees are working from a single, centralized office, they are all connected to the company wifi or ethernet. With remote workers, hundreds of separate connections must be monitored and optimized - this is impossible for your business to maintain entirely on its own, so it’s best to address bandwidth maintenance with your team. In addition to this, we highly recommend the use of VPN connections so that your employee’s direct connection to company infrastructure isn’t intermingled with the rest of their family’s traffic.
If we’re all being honest, this is something we could each improve upon. Discuss with your employees the importance of (at least) using separate, unrelated passwords for their personal and employment affairs. This way, should a repetitive password in use for personal accounts be hacked or input logged, their accounts for access to your company infrastructure are not also in question.
If your employees will be using a home computer for remote work, they should create a separate profile for work use. While this won’t necessarily stop all malware and viruses from spreading across to the work user, it can help separate an employee’s workspace and help them stay on task throughout the day. The most optimal scenario, of course, is for remote employees to have separate devices for personal use and work-related use.
As with user training for any other segment, consider device use from the standpoint of the employee. Choose training platforms that are constantly evolving and updating their training modules, since malware and phishing are evolving every day. Our favorite security training platform is KnowBe4, an industry leader in helping your employees avoid security breaches for their employers.
IT Security Trifecta: Updates, User Training and Antivirus
At the end of the day, there are three components that every business should be implementing for their employees - remote or traditional. As mentioned, loopholes and backdoors are patched more often than everyone cares to admit so updates are critical. Antivirus and antimalware are an equally important branch of security for your employees; these tools help protect your business’s integrity in the event of user error. Perhaps most important, however, is the proper and continued training of your employees. After all, an ounce of prevention is truly worth a pound of cure.
Here at Source 1 Solutions, we’ve seen countless businesses struggle with internet security, even without the complications that come from allowing workers to telecommute. As our expectations shift and evolve to fit the new normal involving remote work, we must also alter our mindset in regards to security.
Our goal as business owners is not only to keep our infrastructure safe from intrusion, but also to educate our workers on how they can contribute to a safer work environment for themselves, their families, and their peers. If you have any questions or concerns about your internet security protocols, feel free to reach out to us.