Closing the Home Office Security Gap

Working from home has long been a favorite dream of many office workers. Recent developments in cloud technology and video conferencing enabled companies to offer part-time or permanent remote options to some workers. Experts predicted this trend would increase, but no one expected a global pandemic to make the dream of working from home a reality for millions.

When COVID hit, companies quickly pivoted to remote operations. No one knew how long the situation would last, and the initial focus was on maintaining worker productivity. The new way of working allowed business to continue, but it came with some challenges, too. Remote work isn't going away any time soon, and it's time for companies to get serious about home office security.

With new ways of working come new ways for cybercriminals to attack. Hackers and other malicious cyber actors are attacking remote workers with three primary tactics:

  • Email & phishing scams - Hackers are taking advantage of the COVID-19 crisis to launch phishing attacks through email, texts, and social media. The fraudulent emails are often cleverly disguised as helpful information from company leadership or as requests from the company for personal information. Working in isolation from co-workers makes it harder for employees to discern whether emails about a company's COVID status or policies are real or fake.
  • Unsecured wi-fi network infiltration - Devices connected to unprotected home networks are an easy target for cybercriminals. They take advantage of this vulnerability to steal data and passwords and to intercept sensitive messages.
  • Personal computer hacks - A large percentage of workers admit to using their personal devices for work-related purposes. Employees often transfer company data to personal devices for convenience or other reasons. This makes the data vulnerable to attacks - especially since many people don't regularly install security updates on their devices, nor do those devices have all of the protective software that a business-owned device would.

What Can Business Leaders Do?

Excellent cybersecurity starts with savvy leaders who understand the risks and implement smart policies to keep home offices secure. Here are three policies business leaders can introduce to set their companies up for home office security success.

Disallow the use of personal computers

Make sure all employees have company devices. Set the clear expectation that business data is never to be transferred to or accessed from personal computers. If bring-your-own-device is already part of your culture, you can work with your IT Team to develop standards that users of personal devices need to adhere to, such as installing the organization's antivirus or patching tools.

Make sure data is stored securely in business-approved repositories

Many employees have a personal Dropbox or other cloud-based data storage account. They also often store data on their local hard drives. Set up easy-to-use company data repositories and implement policies that prevent workers from using their personal accounts to store and share company data.

Require relevant Cybersecurity Awareness Training

Train employees on relevant security topics such as "how to recognize phishing attacks," "proper password management," and "company cybersecurity best practices." Adequate training resources are available, and leaders should make sure their employees participate regularly.

What Can IT Teams Do?

Leaders set cybersecurity policies, but IT Teams make recommendations and do the technical work to implement the policies and procedures that secure company networks and data. Here are four technical strategies IT Teams can use to help employees keep company data safe while working from home.

Use Multi-Factor Authentication (MFA)

Passwords and physical devices are both relatively easy to steal. By requiring more than one form of identification to access company devices and systems, IT Teams can prevent malicious actors from accessing company data. MFA is especially important for controlling access to publicly-accessible services such as Microsoft 365.

Require a VPN connection to access company data & applications

VPNs boost security by providing a secure connection to the company network for remote employees. Employees should only be able to access internal company data and applications through a VPN. Ensure the VPN is configured with network segmentation and profiles, so each department or external vendor account only has access to the servers or devices needed to do the job. For example, a Marketing user's VPN shouldn't allow them to ping the Accounting server. Also, an external vendor that uses the VPN to help manage a database application shouldn't be able to access a File server through the VPN.
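
The segmentation rule above can be checked mechanically. The following is an added example, not part of the original article: a Python audit that compares the networks each VPN profile permits against the servers that account needs to reach. All profile names, subnets and server addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample inventory: server name -> (address, role).
# Names and addresses are assumptions for illustration only.
SERVERS = {
    "accounting-srv": ("10.10.20.5", "accounting"),
    "marketing-share": ("10.10.30.5", "marketing"),
    "vendor-db": ("10.10.40.10", "database"),
    "file-srv": ("10.10.50.5", "files"),
}

# Constructed VPN profiles: the networks each profile permits, and the
# server roles that account needs to do its job.
PROFILES = {
    "marketing": {"allowed": ["10.10.30.0/24"], "needs": {"marketing"}},
    "vendor-dba": {"allowed": ["10.10.40.10/32"], "needs": {"database"}},
    # Flat profile: one broad route covers every server segment.
    "legacy-all": {"allowed": ["10.10.0.0/16"], "needs": {"marketing"}},
}


def reachable(profile):
    """Return the names of servers whose address falls in an allowed network."""
    nets = [ipaddress.ip_network(n) for n in profile["allowed"]]
    return {
        name
        for name, (addr, _role) in SERVERS.items()
        if any(ipaddress.ip_address(addr) in net for net in nets)
    }


def audit(profiles):
    """Map each profile to the servers it can reach but has no stated need for."""
    findings = {}
    for pname, profile in profiles.items():
        excess = sorted(
            s for s in reachable(profile) if SERVERS[s][1] not in profile["needs"]
        )
        if excess:
            findings[pname] = excess
    return findings


if __name__ == "__main__":
    for pname, excess in audit(PROFILES).items():
        print(f"{pname}: over-permissive, can reach {', '.join(excess)}")
```

The audit only reasons about the networks a profile declares; confirming that the VPN gateway or firewall actually enforces those networks still requires a connectivity test from each profile.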

Use Remote Monitoring & Management Tools to monitor devices

These tools help IT Teams ensure that all devices being used by employees are up to date on security patches and antivirus updates and allow helpdesk employees to assist remote users with requests directly.

Deploy a business password management tool

Employees are notorious for writing passwords on sticky notes or storing them in files on their desktop. Give workers a more secure and convenient option by providing a business-approved password management tool to help them create strong passwords and keep them organized. Talk to your IT service provider for recommendations.

What Can Employees Do?

All the best leaders and most tech-savvy IT Teams in the world can't secure a home office if the employees don't cooperate. The following actions will ensure employees do their part to maintain cybersecurity while working remotely.

Protect your home wireless network with a password

This seems simple, but many employees either have open home wireless networks or have never changed the default password. You should set a strong password for your home wi-fi network and make sure not to post it where it can be easily seen.

Cooperate with company policies

Corporate cybersecurity policies about passwords, personal devices, and document storage can seem burdensome or paranoid. However, the practices they cover pose real risks to company data security, and there are real consequences if employees don't cooperate with the policies. Employees should be diligent in complying with all company cybersecurity policies and best practices.

Be wary of suspicious emails and attachments

Hackers and other cybercriminals often pose as managers or team members in emails, chats or meeting requests. Remote work makes it both more complicated and more critical for employees to carefully identify the people they interact with. To maintain home office security, employees must be rigorous about identifying everyone they meet or share company information with.

Want to Learn More?

The steps we've described in this article will help you get started securing your employees' home offices, but there's a lot more to making sure your company has excellent cybersecurity. If you would like more information, check out our free cybersecurity resources. Ready to take action? Book a Security Assessment with one of designDATA's cybersecurity experts to get started.

About the Author

Jonathan Roy is the Director of Security and Compliance and has been providing IT and cybersecurity services with designDATA since 2004. He has extensive experience in information technology best practices, the ITIL framework for running IT operations, and how to secure IT environments. Jonathan now focuses exclusively on cybersecurity, data privacy, and related regulatory compliances for his customers. He regularly works with business leaders on risk mitigation and avoidance, cybersecurity consulting, incident response and recovery, incident preparedness, and compliance audits. At designDATA, Jonathan leads the organization's cybersecurity mission: Protecting small- and medium-sized organizations from cyber-crime.