It’s interesting to think that not even six months ago, working from home was a benefit. With the COVID-19 pandemic, it’s a necessity. For that reason, it is even more essential to ensure safe security practices for the entire company. A remote workforce can present unique challenges to today’s cyber environment. By using a few techniques, you can overcome these challenges and drastically reduce the chances of a cyber incident.
Here are our 5 cyber security musts for your remote workforce:
1. Integrate Security into the Company Culture
Owners and management teams must be security champions. No matter the company size, businesses must have:
- Clearly documented policies, procedures, and expectations. Your IT department or specialists are your new best friends.
- Security training. Sometimes this task can be outsourced, especially if you aren’t staffed to do this work with existing resources.
- Consistency from the start. Everyone must be on the same page and committed. The “bad guys” are smart and look for holes and gaps.
- Different methodologies. There are several different ways to fend off cyber attacks, as described below.
- Someone in charge of making it fun. Lions, tigers, or bears with masks might be safe, fun graphics to use when you’re referring to cyber criminals, the “bad guys.”
2. Learn and Follow Basic Controls for Home and Office
PASSWORDS: Have secure password policies and techniques. All passwords should have the following characteristics:
- At least 12 characters in length
- Made up of a complex character set. (Uppercase, lowercase, numbers and special characters)
- Random or phrase-based
- Unique (only used once, never use the same password for multiple sites)
By following these guidelines, you make it very difficult for an adversary to gain a foothold through common brute-force or ‘dictionary’ attacks. Dictionary attacks use a list of commonly used or previously compromised passwords. If one set of credentials does get compromised through some other means, unique passwords limit the damage to that one account. And if you have Multi-Factor Authentication (MFA, described next), you can prevent it altogether.
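As an added example (not part of the original article), the following Python check encodes the four password rules above and compares the candidate against a stand-in for the common/compromised password lists that dictionary attacks draw on. The word list, the reuse store and the sample passwords are constructed for illustration.

```python
import hashlib
import string

# Constructed stand-in for a list of commonly used or previously
# compromised passwords (the kind of list a dictionary attack uses).
COMPROMISED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "Password123!",
}


def remember_password(used_hashes, candidate):
    """Record a hash of a password the user has already set somewhere,
    so later candidates can be checked for reuse across sites.
    (A real password manager keeps this in its encrypted vault.)"""
    used_hashes.add(hashlib.sha256(candidate.encode()).hexdigest())
    return used_hashes


def check_password(candidate, used_hashes, compromised=COMPROMISED_PASSWORDS):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []

    # Rule 1: at least 12 characters
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")

    # Rule 2: complex character set (upper, lower, digits, specials)
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digits": any(c.isdigit() for c in candidate),
        "special characters": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Rule 3: not a common/compromised word (case-insensitive, since
    # attackers try simple capitalisation variants as well)
    if candidate.lower() in {p.lower() for p in compromised}:
        problems.append("appears in the compromised/common password list")

    # Rule 4: unique, never reused for another site or account
    if hashlib.sha256(candidate.encode()).hexdigest() in used_hashes:
        problems.append("already used for another account")

    return problems
```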
3. Use Multi-Factor Authentication
Multi-Factor Authentication (MFA) verifies a user’s identity by requiring two or more different factors for authentication. MFA should be enabled at every possible entry point into the network, such as Terminal Servers, administrative access points, VPN access, etc. Ideally, every entry point, server, or device that supports MFA should have it enabled. This will make it difficult for an adversary to access the network even if (usually a matter of when) an end user’s credentials are compromised.
4. Do Regular, Varied, and Duplicate Backups (and test them from time to time)
- Do backups at least once a day, although continuous is preferable.
- Require onsite and offsite backups.
- Use online and offline strategies.
- Utilize different and overlapping methodologies. As in the two previous points, alternate among cloud-based storage, external hard drives, and removable backup drives stored remotely.
- Test by opening your backups and looking for the most recent data. Failed backups are a bummer.
5. Start Security Training & Simulated Testing
The majority of data breaches begin with email phishing as the attack method. The human element of networking has become the easiest to exploit, and thus needs attention. Below is an example of a phishing email sent to one of our team members attempting to get them to click on a link (which would give the hackers access to our data):
Regular security and email phish testing are essential to keep users aware of the threats that come through email and how to spot them. Automated testing of users will show you which users need additional training.
End users should only be using secure, company-controlled devices to access network resources. In this way, the company monitors what the device is used for and who is using it. The company oversees what programs are installed and ensures that only authorized users trained in secure computing practices are allowed access to these devices.
Yearly Security Training is a good idea, but the “bad guys” don’t update their tactics just once a year. They’re on a relentless 24/7/365 work schedule. Therefore, it is safer to add regular updates and interim training to your security defense against the dark side’s schemes.
Aggressive Simulated Phishing seems a little underhanded to use on your employees, but it is better to be safe than sorry. Being a little sneaky is how you guard against the cyber attackers.
Reporting of threats. Where do you find these? Your IT department should have their finger on the pulse of known threats before they hit the front page of the online USA Today. By then, it’s often too late. If you’re a small business, it might be best to have someone on your team check the National Security Agency / Central Security Service website once or twice a day.
Here is a list of just a few recommended resources:
Free Password Manager Software (Cloud)
- Lastpass | www.lastpass.com
- Passpack | www.passpack.com
Free Password Manager Software (Local)
- KeePass | keepass.info/
Standard Antivirus Software
Note: If you use Windows, Windows Defender is good to use and comes with Windows.
- Eset | www.eset.com/us/
- Bitdefender | www.bitdefender.com
Next Generation Antivirus Software
- Crowdstrike | www.crowdstrike.com
Multi-Factor Authentication Software
- Duo (Free for 10 users!) | www.Duo.com
If you are interested in learning more about solutions for your organization, including employee training, talk with us.