When working remotely, employees will be using a device to work—whether it’s a phone, tablet, laptop, or desktop. Does the device belong to the company, or is it a personal device? The answer shouldn’t necessarily change the security posture, but it does change what level of enforcement you may be able to achieve. If the laptop is a personal machine, will the employee be willing to have all traffic monitored or corporate software policies applied?
A good place to start is to consider where it is acceptable to have workplace data reside. If it’s challenging to apply corporate policies on a personal machine, then perhaps only allow some limited access from personal machines. As risk mitigation, guides for hardening personal machines could be linked or produced for companies where it is difficult to roll out laptops for every team member.
Once you’ve decided what you want to protect, you can start by applying some security policies to your systems. Microsoft security baselines can help provide the initial security posture for Windows-based systems, and Jamf provides useful guides on checklists for macOS. The NCSC offers many guides for the hardening of different client environments, including Ubuntu 18.04. These provide advice along the lines of keeping your software up to date and using antivirus software, but also actionable scripts and controls to check and use.
For mobile devices (depending on how you’re allowing access) mobile device management could help. Most major directory providers like Office 365 or G-Suite now offer some form of management. Consult their documentation to see the relative guarantees they give on how data can move from a device, between applications and how this is audited and can be revoked.
You should ensure your software is up to date and set to update automatically. Software patching and patch management isn’t the most glamorous security task, but vendors are constantly finding and fixing security vulnerabilities in your software, so getting on top of it is crucial.
On antivirus software, many vendors exist that provide great tools, including Windows Defender, ClamAV, Malwarebytes, and Eset, all available on many platforms. This needs to be part of your security posture, but it shouldn’t end here.
Authenticate all access
We’ve talked a lot about using secure passwords and multi-factor authentication, but remembering complex passwords is difficult. Using services like LastPass, OneLogin, Apple Keychain, Mozilla Lockwise, and others can help increase password complexity whilst retaining your employees’ sanity. Often these services provide password auditing and checking against common passphrases, and enterprise versions often offer auditing of the resources your organization is using.
Two-factor authentication tools were expensive and awkward to deploy in the past, but with standards like U2F and authenticator applications for many cloud services, such as Google Authenticator, they are now easy to deploy and use with nothing more than a mobile phone. They help mitigate credential stuffing and other attacks.
Verify the work and have a process
As a security professional, you know that keeping your company safe is a process, and as a result, it’s never done. You’ll want to re-examine your security posture regularly, audit what is happening, and check whether your controls are doing what you need them to. Priorities change even if you do everything perfectly, so it’s important to revisit what you’re doing frequently. You’ll want to build this into your own processes, and consider looking at external assessments as well as internal ones. Follow the Plan, Do, Check, Act cycle. Consider your threat models and what you’re trying to protect.
Next steps
The advice we provide above is applicable no matter the tools you use or the vendors you go with, but if you’d like to hear more about our approach we recommend reaching out to our security team for advice—no strings attached. We can also offer a 30-day free trial for some immediate peace of mind. This includes:
- Individual human-centric security protecting the workforce regardless of location or network—whether they are remote or connected to the network.
- Checking the type of network, whether it’s WPA2, WPA2 Enterprise or an unsecured network.
- Ensuring users are not downloading potentially unsanctioned applications without going through the correct channels whilst working at home.
- Protecting your data when opening up for remote access.
- Enforcing the use of company-approved cloud tools—and blocking data shared via prohibited cloud storage applications, personal email addresses, and USBs.
- Monitoring unwanted activities (gambling, games, streaming, etc.) taking place during the working day, with the help of policies that help you improve the organization’s cyber hygiene.
- Inspecting content to see who is opening sensitive files in browsers or other applications.
- Educating employees with incident-based training—specific to your Acceptable Use Policy (AUP), Information Security Policy (ISP), and more.
- Hardening advice for your remote workforce by our full-time threat hunters.
We hope this advice is useful to your workplace as we all adapt and help our colleagues move to a more remote way of working. Good luck, stay safe and stay secure.