This year an unprecedented proportion of the world's workforces have transitioned to full-time remote work, a shift dictated by facts on the ground rather than by careful planning.
And while it's true that as facts on the ground continue to change some will return to their offices, it also seems clear that many others won't.
In cybersecurity terms, companies are now preparing to deploy or are already deploying new long-term security policies, infrastructure, and practices to account for—and to protect—remote work and remote workers.
Getting Employees Involved
Yet there's more to be done if remote work is to be secure—because for remote work to be secure, remote environments and practices must also be secure.
For better or for worse, most employees aren't cybersecurity experts. Without being told, they're not likely to know offhand what they ought to be doing to support organizational security while working remotely.
For this reason, companies should consider it a best practice to provide remote employees with a checklist of security hygiene items that they can and should attend to with care.
Such a list might look something like this.
Security Hygiene Checklist: Premises
Remote employees should:
-
Avoid working in fully public places. Instead, work in locations where there is at least some predictability about the number and identity of people likely to be present.
-
Secure work environs. Lock doors and windows, entrances and exits to areas where work equipment will be used or, even more importantly, stored.
-
Educate and instruct your co-residents. Explain to roommates, family members, or other regularly co-present individuals that work equipment and accounts are private and not to be shared, even innocently.
Security Hygiene Checklist: Network
Remote employees should:
-
Use your own Wi-Fi. Avoid public wireless networks and the sharing of networks with neighbors or other community members.
-
Keep network equipment updated. Carriers often manage this, but if a retail-purchased router is in place, ensure that it's configured to regularly run updates.
-
Require authorization. Ensure that wireless connections are set to use WPA/WPA2 encryption.
-
Change default passwords or passphrases. Ensure that the default password for router login and the default passphrase for WPA/WPA2 connections have been changed from their defaults.
-
Close all public-facing network ports. End the operation of any at-home servers that require port forwarding or public-facing network ports to be open. Move any such needed services to professional hosting platforms.
Security Hygiene Checklist: Devices
Remote employees should:
-
Lock proactively. Lock your screen whenever you pause work on a device, even for just a few minutes. Shut down and stow any equipment you're not actively using.
-
Avoid walking away from or losing track of equipment. Keep work equipment with you at all times during work, rather than leaving it unattended for breaks, and stored appropriately during non-work hours.
-
Run your updates. Avoid the use of out-of-date devices or devices with out-of-date system software or applications. Run updates promptly when offered, and check for them proactively.
-
Avoid unauthorized uses or installations. Avoid installing software on work systems that haven't been vetted, approved, and delivered by work IT staff, even if you appear to have the ability to do so.
-
Ban malware. Ensure that devices have anti-malware tools involved and active on them where available, and end all malware-risky practices. Yes, this means no cracked Windows applications, no direct-download Android APKs, and so on—even on other personal devices that merely happen to share the home network with work systems.
-
Encrypt your data. Enable filesystem encryption on devices when plausible and available, or create separate encrypted volumes for the storage and manipulation of sensitive data.
Security Hygiene Checklist: Best Practices
Remote employees should:
-
Separate work from play if possible. Try to avoid mixing work and non-work hours, applications, and devices together. For example, maintain regular work-start and work-stop hours, and avoid doing personal work during work hours or on work devices.
-
Maintain password hygiene. Set different passwords for each used service or login—using a password manager if necessary. Ensure that passwords aren't predictable names, numbers, or dictionary words.
-
Develop extra vigilance about authentication tools. Become closely wedded to authentication devices—such as USB authenticators or mobile devices with authenticator apps—and ensure that they never leave your side or your sight.
-
Develop extra vigilance about unsolicited email. With IT staff and systems now far away, avoid clicking on links or following instructions received in any unsolicited email, to avoid being compromised by ubiquitous phishing attempts.
-
Be conservative at all times. If in doubt about a possible choice, operation, configuration, or activity, avoid doing anything novel and err on the side of caution until you're able to consult IT or security staff.
Deliver It Regularly
Given that the list above comprises things that many employees haven't regularly thought about in the past and may, despite themselves, not think frequently about in the future, it's also important to point to a list of this kind regularly. This could mean:
-
Posting it on the corporate intranet
-
Pointing prominent banners to it from multiple applications or locations
-
Sending it out as a monthly "security reminder" email
-
Requiring users to periodically visit, complete, and sign an online version of such a checklist
The particular way in which lists like this one are deployed will vary from company to company. That said, the existence and sharing of such lists is likely to become more and more common going forward.
After all, companies and organizations that successfully enroll the cooperation of their remote employees will fare better in remote workforce security than those who don't. That's the world in which we all now live. ■