Phishing attempts are proliferating as quickly as the use of mobile devices — bringing malware onto smartphones along with it.
Working from home has suddenly become the new normal for many organizations, and IT departments have had to pivot to protect people and systems far away from the office. Here are eight tips for managing the risks of WFH staff.
1. Audit home network environments
In theory, the security of a home network shouldn’t matter because everything attached to it should be self-protecting. In practice, though, better security in the home network pays off with more reliable connections and a more aware user community.
The word “audit” isn’t what you want to use when communicating with end users, but the idea is the same: a quick checklist of things to help boost overall security. This should include:
- Verifying that their Wi-Fi has a password and that the security settings are WPA2 (or WPA3 for newer equipment). Anything older, including WEP or no-password Wi-Fi, should be addressed. If you can, encourage users to change their Wi-Fi passwords every six months or so.
- Checking that the router/modem is protected — that it does not have the default password and it can’t be managed from outside.
- Ensuring that home computers are all protected. If necessary, extend enterprise anti-malware licenses to include everything on the home network. Ask users to check that security patches are automatically applied to all systems on their home network, and remind them that a password (even a short one) is needed for any systems.
2. Step up security training and support resources
The biggest risk factor for security is always the human, and security teams need to be constantly (but gently) training users on the current threats and best practices. Now is the time to re-evaluate whether your information security training is up to date and consider providing bite-size reminders to users to help them spot and avoid common attack vectors, such as phishing attacks. Look at your options for delivering security training, with an eye toward remote staff — is your current security program meeting their needs?
At the same time, realize that remote workers have a more flexible schedule and may choose to start earlier in the morning or later in the day. Meet their needs by extending help desk hours as much as possible and by making sure that users know the help desk is there, even for home network problems. Yes, you might spend some help desk time and money fixing Xbox and Chromecast problems, but users need to feel that they have someone they can talk to if they have any security questions.
3. Check your logs
IT teams should be keeping an eye out for security events at all times, but having staff in the office made it easier to detect problems such as infected PCs when a user called for a re-image. Shifting staff outside of the office eliminates this parallel channel and makes the logs coming out of endpoint security and configuration management tools more valuable for catching problems early, before they affect productivity or security.
If users have company-provided devices, make sure that your configuration management tools are enforcing regular software updates — and logging when these updates fail. The same goes for endpoint security tools: Make sure that updates are enabled and happening. Use logs to discover systems that have fallen out of compliance and actively work to get them updated.
4. Review and update mobile device management policies
Enterprises with Bring Your Own Device (BYOD) or Choose Your Own Device (CYOD) programs should also take a look at their mobile device management (MDM) policies in light of the shift to working from home. Is the group structure for policy enforcement appropriate? Should work-from-home (WFH) staff have additional applications preloaded? As with other parts of the infrastructure, what can logs and reports tell you about devices that may be infected or out of compliance with policy?
This is also a good time to review MDM infrastructure and consider a shift toward cloud-based tools, such as Samsung’s Knox Manage. If you’ve got on-site MDM, but no one is on site anymore, the cloud is an economical alternative that can also get you out of the business of maintaining and updating MDM servers and applications.
5. Roll out multifactor authentication if you haven’t already
Multifactor authentication (MFA) is one of the most powerful tools security teams have for mitigating credential theft, one of the main goals of phishing attacks. The most effective MFA program design is still up for debate, but the bottom line is that even the weakest MFA is far better than password-only authentication systems, and it protects you against all but the most determined attackers. If you haven’t switched to MFA for all important applications, O/S logins and virtual private network (VPN) functions, now is the time. Don’t let analysis paralysis keep you from doing something to mitigate this severe threat.
Go mobile-only with Samsung DeX
Your comprehensive guide to rolling out a mobile-only solution for your workers. Download Now
If you have switched to MFA, step back and do a self-audit to make sure that all applications are covered and that the MFA is actually being used, especially by high-profile executives and privileged IT users. In the rush to deploy MFA, many organizations skip over smaller applications, such as interactive logins to network and security devices, to get the broadest coverage. Now is the time to drill down and make sure you are protected at every level.
6. Address increased recreational use of work devices
WFH means increased use of work devices for recreational activities, such as social media, streaming video, personal browsing and so on. This is an inevitability when someone is in a home environment, especially if they’re juggling childcare and other household responsibilities at the same time. Acknowledge this, but mitigate the risk to enterprise data by creating protected enclaves. For example, with mobile devices running Android Enterprise, you can create a work profile to prevent leaks of company data to personal applications.
This is another opportunity for staff education. Make sure that staff are not using insecure social media tools or personal accounts for communications with colleagues or customers.
7. Check the security of collaboration tools
Whether you’re using Google G Suite, Microsoft 365 or an assemble-it-yourself toolkit, ensure that people are using the tools you’ve selected and configured rather than falling back on personal accounts for videoconferencing, file sharing and messaging.
For example, if you discover that people are using their personal Dropbox instead of a corporate Google Drive, find out why. Is there a problem with your configuration, or an important missing capability that’s inhibiting collaboration?
8. Rethink workflows that are not 100% digital
Now is the time to look at processes that require personal handoffs, printed documents or wet signatures. You may have worked around these on an urgent basis at the beginning of the year, but that’s a stop-gap. Examine processes that had to be short-cut, and look to see how they can be moved to a more secure, 100 percent digital workflow. Cloud-based tools, such as SignNow and Paymo, can be used to re-engineer old processes and better support a WFH model.