Table of contents:
- Improve endpoint security
- Be proactive with a vulnerability assessment
- Put a password manager in place
- Lock down traffic in and out the network
- Encrypt important data and communications
- Choose tools and software with built-in security
- Double down on the cloud-based systems
- Implement regular network security monitoring
- Have a breach response plan
- Use least-privilege protocols
As companies find themselves suddenly shifting to remote work due to COVID-19, many people are working from home for the first time. This is a big change for some, and it can be all too easy for things like security to take the back burner when you’re fully focused on keeping the business afloat.
But there are two reasons security should be a priority during times like these: Remotely accessing networks and data via personal devices and wifi networks can create new data security risks. And hackers have ramped up their strategies to exploit the crisis, using email scams and spoof sites to spread malware.
With that in mind, now is an excellent time to give your IT security policy a closer look. Read on for some tips to beef up organizational security as your team goes remote.
1. Improve endpoint security.
Use a virtual private network (VPN) and 2-factor authentication—especially with bring-your-own-device (BYOD) remote work.
Your actual users—along with the devices they use to access your network (e.g., mobile phones, laptops, or mobile point-of-sale systems)—can often be the weakest link in the security chain. What was once on-site on one network, is now scattered across devices on different home wifi networks, so you’ll want to adapt your IT security policy to account for more “endpoints.”
When it comes down to it, users are endpoints themselves, and they can do the most to prevent attacks by using good judgment, having antivirus software, keeping software and operating systems up to date, and backing up data to the cloud. Encourage your remote workers to password-protect their networks and implement a VPN for remote logins, which can help to encrypt communications and data between your network and theirs. Using two-factor authentication (2FA) can also help tighten security for this large, and notoriously vulnerable, attack area.
2.Be proactive with a vulnerability assessment and a round of penetration testing.
The best offense is a good defense—especially in regards to network security. Security audits can help hone in on any vulnerabilities in a computer, network, or communications infrastructure, preventing costly attacks in weak areas you may not know exist. This can be especially useful for businesses that must adhere to certain regulations and standards like PCI-DSS, HIPAA, and NERC-CIP, among others.
Penetration testing deliberately probes your network or system to safely identify vulnerabilities ahead of time and devise a plan to fix them. These can be flaws in operating systems, issues with non-compliance, application code, or endpoint problems. From this, a tester can generate a report as proof of compliance and a prioritized list of vulnerabilities to keep on the radar.
3. Put a password manager in place.
One of the biggest security threats to businesses by far comes from the inside: weak passwords.
Look into creating and enforcing organization-wide policies to make sure passwords are difficult to crack and changed regularly. Enterprise-grade password managers can help enforce certain behaviors and ensure they’re not reusing passwords across accounts. There are password managers for businesses of all sizes, with some that offer convenient administrative oversight to IT and security departments.
When it’s time to change a password, a password manager can automatically update it so employees don’t have to, or send an alert when a site for which a password is saved suffers a security breach.
4. Lock down traffic in and out the network.
A network layer firewall is a good idea for monitoring what’s coming into and leaving your network’s walls when you’ve got people remote. This will help you scan traffic for unusual behavior such as large data transfers, a hallmark of an attack.
What about keeping unwanted visitors and malicious software off your network? A firewall can help to make sure only the right people and files are getting through with a set of rules to block unauthorized users from accessing your network. They’re excellent lines of defense for preventing data interceptions and blocking malware from entering your network, and they also keep important information from getting out, like passwords or confidential data.
5. Encrypt important data and communications.
Encryption can help protect the actual data and files that are stored on your network, but it’s especially important if you’re using the cloud and have data and files that are in transit—in email, browsers, or on hard drives of remote workers outside the network. In the event that data is intercepted, encryption makes it difficult for hackers to do much with it.
Utilize software-based encryption measures like full-disk and file-based encryption to safeguard data shared between endpoints, stored on your server or in the cloud, or stored locally on devices. Also, it’s good to ensure your website’s traffic is encrypted with an SSL certificate.
6. Choose tools and software with built-in security for communication and collaboration.
For chat and other communications, many platforms offer built-in security and privacy features. Paid versions of software like Trello and Slack will offer better security and privacy features, and Slack’s paid tiers offer access to authentication, security, and compliance features. Using a platform like Upwork Messages for communications can keep messages and attachments centralized and encrypted via SSL connections.
Engaging independent development talent? Code versioning tools let you grant access to certain branches of a code base so developers can securely contribute without having carte blanche access to your entire system.
7. Double down on the cloud-based systems and APIs that power your remote work.
Undergoing a digital modernization? When your network evolves, your security strategy should transform, too.
Microservices, APIs, and the cloud are behind the transformation of online work and distributed teams. However, with all of the scalability and convenience they offer, moving operations, hiring, and data into the cloud takes critical functions outside of your network’s secure perimeter. This can open you up to a new set of security concerns.
The Cloud Security Alliance (CSA), a not-for-profit organization to promote best practices in cloud security, recommends that organizations use multifactor authentication and encryption to protect their data whenever it’s being transmitted or stored outside the organization. This is, according to the CSA, especially critical for organizations in regulated industries like banking and healthcare, which have much stricter standards for how data can be stored and transmitted.
8. Implement regular network security monitoring.
Thanks to artificial intelligence (AI), breach-detection systems can keep an eye out for aberrations and abnormalities that signify someone has or is trying to break into your network. If there are suspicious-looking actions occurring on the network—like someone or something trying to break in—a network intrusion detection systems (NIDS) will pick up on it. NIDS passively monitor network traffic around the clock for behavior that seems illicit or anomalous. NIDS not only block that traffic, but they also gather information about it then flag it for network administrators to review.
9. Have a breach response plan ready to go.
Breaches still happen. That’s why it’s important to have a data breach response plan in place. An effective framework can help you spring into action and can be updated as often as you need to—for example, if you have changes to network components or new threats arise that need to be addressed. A plan can help ensure you’ve got resources in place and an easy-to-follow set of instructions for sealing the breach and what follows, whether that’s getting legal assistance, having insurance policies, data recovery plans, or notifying any partners of the issue.
10. Use least-privilege protocols for data access.
A common challenge when you go remote isn’t understanding what information users need to do the work—it’s figuring out how they can safely access it. How can you share internal information and data in a way that won’t leave your company exposed to unnecessary risk?
First, consider the level of risk involved. Data can generally be organized into five categories: Sensitive, confidential, private, proprietary, and public. Clearance should be role-based and “need to know”—essentially, only giving individuals access to the systems and information they require for their projects—and can be reevaluated or revoked as needed.
Remote work may require you to shift your IT security strategy, but it can be just as secure on-site work with the right proactive measures. A few tools and best practices can go a long way toward bolstering the security of online work.