Remote Work Policies
When Covid happened 9 months ago no one really knew what to expect. I am not sure that anyone still knows what to expect, but it looks like Work From Home (WFH) is here to stay.
Many companies have decided that it has not negatively impacted productivity and some even say that productivity is better.
Some companies have decided that it is a great employee benefit and helps with recruiting. It also allows companies to recruit talent anywhere in the country (although companies need to watch out for the potential impact of having to comply with personnel, privacy and tax laws in multiple states). Facebook, for example, has said that they anticipate that 60% of their employees will work from home forever.
But it does mean that we should consider the security impact of WFH. Here are some thoughts.
#1 – Your employee’s computer, even if it is a company provided one, is operating in hostile territory. You have no control over the rest of the employee’s family, what their computing habits are, whether they ever patch anything, what web sites they go to and even whether their wireless router has been updated since, say, 2013.
This means that you have to assume a zero trust environment. Your employee’s computer is likely operating in a war zone full of land mines and snipers. Are your computers’ protections up to the task?
#2 – If you allow your employees to use their own computers, it is even worse. Not only do you not know the security of your employee’s family’s computers (and phones and video games and IoT devices), but you don’t even know the security setup of your employee’s own computer. For example, when was the last time it was patched? Not just the operating system, but every application that is installed on the computer.
#3 – If employees have to VPN into your network or into a cloud network, do they have access to the entire network? Does every employee have access to the entire network? Do they need access to everything? This is where subnetting and segmentation come into play.
#4 – Continue and enhance employee security training, phishing training and now, also, vishing training. Attacks are up and the environment is hostile. Attackers know that and are taking advantage of it.
Some things that you can do:
Provide employees a personal HARDWARE firewall that they are required to place between their computer and the rest of their home network. Not inexpensive, but highly effective. This firewall can establish a VPN tunnel between the employee’s computer and the company’s office or data center transparently.
Create policies about BYOD computers. They are a pain to enforce, but without them your company is at risk.
Implement network segmentation. It may mean that you need to buy, one time, some consulting expertise, but once it is done, your IT assets are much more secure.
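To make the segmentation question in #3 concrete (does each VPN user need access to everything?), here is an added example that is not part of the original post: a small policy-as-code audit in Python. It maps VPN users to roles, roles to the internal segments and ports they legitimately need, and evaluates a constructed log of connection attempts against that default-deny policy. The segment layout, role names, user list and log lines are all assumptions made up for the illustration, not taken from any real network.

```python
"""Least-privilege audit for VPN client access (added example, constructed data).

Each VPN user maps to a role; each role maps to the internal segments and TCP
ports it actually needs. Everything else is denied. A constructed log of
connection attempts is evaluated so the reviewer can see which flows a flat
"VPN users reach the whole LAN" setup would have allowed but a segmented one
would not. All addresses, names and log lines are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass

# Assumed segmented layout: VPN clients land in their own /24 and must be
# explicitly allowed into each internal segment.
SEGMENTS = {
    "vpn-clients": ipaddress.ip_network("10.8.0.0/24"),
    "app-servers": ipaddress.ip_network("10.10.20.0/24"),
    "file-servers": ipaddress.ip_network("10.10.30.0/24"),
    "mgmt": ipaddress.ip_network("10.10.99.0/24"),
}

# Role -> list of (segment, allowed TCP ports). Default deny for anything else.
POLICY = {
    "staff": [("app-servers", {443}), ("file-servers", {445})],
    "it-admin": [
        ("app-servers", {443, 22}),
        ("file-servers", {445, 22}),
        ("mgmt", {22, 443}),
    ],
}

# Assumed user directory (who holds which role).
USER_ROLES = {"alice": "staff", "bob": "it-admin", "carol": "staff"}


@dataclass
class Decision:
    user: str
    dst: str
    port: int
    allowed: bool
    reason: str


def evaluate(user: str, src_ip: str, dst_ip: str, port: int) -> Decision:
    """Decide whether one VPN flow is permitted under the role policy."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # Only traffic that actually originates from the VPN client pool is considered.
    if src not in SEGMENTS["vpn-clients"]:
        return Decision(user, dst_ip, port, False, "source is not a VPN client address")
    role = USER_ROLES.get(user)
    if role is None:
        return Decision(user, dst_ip, port, False, "unknown user")
    for segment, ports in POLICY.get(role, []):
        if dst in SEGMENTS[segment] and port in ports:
            return Decision(user, dst_ip, port, True, f"{role} may reach {segment}:{port}")
    return Decision(user, dst_ip, port, False, f"{role} has no rule for {dst_ip}:{port}")


# Constructed log lines, one flow per line: "user src dst port".
SAMPLE_LOG = """\
alice 10.8.0.12 10.10.20.5 443
alice 10.8.0.12 10.10.99.7 22
bob 10.8.0.31 10.10.99.7 22
carol 10.8.0.44 10.10.30.9 445
carol 10.8.0.44 10.10.30.9 3389
mallory 10.8.0.99 10.10.20.5 443
"""


def parse_line(line: str):
    user, src, dst, port = line.split()
    return user, src, dst, int(port)


def audit(log_text: str) -> list:
    """Evaluate every non-empty line of the log against the policy."""
    return [evaluate(*parse_line(line)) for line in log_text.splitlines() if line.strip()]


def denied(log_text: str) -> list:
    """Flows a segmented, default-deny policy would block."""
    return [d for d in audit(log_text) if not d.allowed]


if __name__ == "__main__":
    for d in audit(SAMPLE_LOG):
        print("ALLOW" if d.allowed else "DENY ", d.user, f"{d.dst}:{d.port}", d.reason)
```

The actual enforcement belongs on the VPN concentrator or the firewall between the VPN client pool and the internal segments; a script like this is for reviewing whether the rules you have match the access each role truly needs, and for spotting flows (such as a staff account reaching a management subnet) that a flat network would have quietly permitted.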
For company owned computers make sure that patching remains a high priority and encourage employees to patch personally owned computers.
Ask employees to, if possible, connect via a network cable and not via wireless. Wireless connections are significantly more vulnerable to attack.
If employees have to use wireless connections, make sure the default router password has been changed and that the router has been patched.
If possible, implement a device management solution such as Microsoft Intune, JAMF for Mac or Airwatch.
The security situation is not going to get any better any time soon. You are in control of your company’s destiny, and cybersecurity is key to protecting your company. I read stories every single day about companies that have been hit by cyber attacks of one form or another and how it is impacting their business. One company I read about today has been down for a month trying to recover. Another can’t ship products. A third has its online services offline. That is just today. Do not be the next news story. Please.