11 Tips for Secure Remote Working
Pre-March 2020, remote working was like hitting the lottery jackpot. Maybe you had heard of friends who were allowed to work from home once a month or another person who could take their Friday afternoon meetings from their home office. But remote working was not something as basic and norm as PTO. According to US News & World Report, remote work now, in 2024, is “three to four times as prevalent as it was in 2019.” To further add to it, “the Bureau of Labor Statistics found last August [2023] that about 1 in 5 workers teleworked.”
Although most workers are not fully remote, many employers allow for hybrid work. With the newest generation entering the workforce, Newsweek reports that “74 percent of Gen Z workers said they preferred some type of hybrid work arrangement.” Four years after the beginning of the COVID-19 pandemic, it is estimated that 32.6 million Americans will work remotely by 2025.
Whether workers are full time on-site, fully remote, or a mix of both through hybrid work, a new set of cybersecurity risks has entered the workforce (and also throw in the mix of utilizing personal devices, whether that be mobile devices, personal laptops, personal computers, and more). With the state of work looking quite different than before, a new set of security measures must be discussed and created to address new potential security risks.
Not sure where to start in terms of cybersecurity best practices for remote work? Look no further. We’ve put together the following guidelines to help with the transition into a secure remote working situation.
11 Tips for Secure Remote Working
1. Identify user roles and access needs
In many cases, data breaches occur due to stolen credentials. Therefore, your first step should be to identify users by role, and ensure you are providing appropriate access to sensitive data. Just because someone works for your company, doesn’t mean they need access to all of the company data. Reducing the number of unnecessary people having access to the most sensitive data is one of the most important security controls you can implement. By minimizing user access to sensitive data, you are minimizing the risk that stolen credentials can lead to a data breach.
2. Ensure a Standard Operating Procedure (SOP)
Ensure you have a Standard Operating Procedure (SOP) for providing the appropriate access and you have a way to track which users have access. Ensure you are segmenting data and environments, rather than allowing everyone full access. This approach takes a bit of time, but it will protect your business and data over the longer term.
3. Set up multi-factor authentication (MFA)
Multi factor authentication (MFA) is a login method which requires the user to input more than one identification method to login. Why is this important? If a hacker has gotten access to someone’s login credentials or username and password, they still will not be able to access the desired system due to the additional factor(s) needed to login.
It is essential to only enable remote access to solutions, including SaaS apps, when multi factor authentication is in place. This can be enabled directly on many solutions.
4. Utilize Single Sign On (SSO)
Single Sign On (SSO) is the ideal way to approach MFA through a central authentication solution, like Okta. Solutions like this may be a bit pricier, but there are many free and low-cost ways to provide MFA to your users.
5. Hardware token
For the most restricted and sensitive information and users, a hardware token (like YubiKey) is essential. Hardware tokens are devices that utilize encryption algorithms, one time passwords, or a secure pin to complete a MFA request.
6. Update software and solutions regularly
Ensure your remote employees are doing regular software updates. Additionally, it is wise to have a strategy to roll out emergency patches should a new vulnerability arise.
7. Ensure you have auditing logs
Don’t wait before its too late – make sure you are auditing access. Malicious activity is very easy to hide with trusted users. Review access and logs proactively and search for anomalies.
8. Endpoint detection and response
Leverage your endpoint vendors and ensure you install some form of endpoint detection and response on any device that will be connecting to sensitive data and log and monitor the alerts from these endpoints.
9. Company-owned equipment
With the increase of remote workers, it is essential to reduce (if not eliminate) unmanaged personal devices. Sometimes it can be easier for an employee to use their own device or a family member’s device, but it is best to require employees to utilize work devices. If employees have any access to sensitive data and information, using company-owned equipment is that much more essential.
10. Security awareness training
Security awareness training should be required no matter the work format for all employees – whether they be in-person employees, remote workers, or hybrid. With remote work, new security risks are introduced, so it’s essential for employees to understand their organization’s security protocols and what is expected of them.
Whether employees are office based or utilize remote work environments, it’s essential to teach employees cybersecurity best practices and how to avoid risks. This can include using strong passwords (as well as unique passwords), how to identify phishing attacks and phishing scams, and more organization dependent choices like the use of a password manager, waiting rooms in virtual meeting software, a sliding webcam cover, and even what antivirus software to use.
Another important part to include in your security awareness training is how employees can reach out to the security teams at your company to flag any potential phishing attacks or security breach they may have come across. Creating a safe place for employees to discuss and share cybersecurity concerns can help remote workers feel more confident in cybersecurity.
11. Work through a VPN
Another way to increase remote working security is to ensure users are running all internet traffic through your virtual private network, or VPN. Virtual private networks (VPNs) ensure that wireless traffic cannot be sniffed through untrusted wireless access points. This includes mobile phones and tablets.
If you don’t have a company VPN, consider a commercial VPN solution.
Be prepared
Hackers have no morals. When they see an opportunity, they will strike. This means they will take advantage of the chaos that all organizations are experiencing at the present time. Please be vigilant and protect your data and infrastructure.
If you are looking for a trusted partner to help on your journey to cyber resilience, the experts at Cyber Defense Group can help. We are dedicated to delivering cybersecurity programs that are as dynamic and forward-thinking as the businesses we serve. Schedule a free consultation today to learn more.