With an ever-expanding mobile workforce, infosec teams are increasingly tasked with extending cybersecurity safeguards beyond the physical and virtual walls of their organizations. With endpoints not only increasing in number but also on the move, the challenge is real. In addition to implementing the appropriate technical defenses, there is an important aspect to protecting corporate data and systems: asking end users to get involved.
Wombat Security Technologies recommends remote employees follow these 10 best practices to shore up security for their organizations — and themselves.
Limit use of open-access WiFi
Free WiFi (hotspots that are not password protected) is oh-so-available and oh-so-tempting, particularly for employees who pay for their own data plans. End users should be made aware that these networks are not secure enough to use when logging into secure systems or transmitting sensitive information (customer data, credit card numbers, etc.). Travelers should use a mobile hotspot (or enable the function on their mobile devices) when they need secure connectivity.
Word to the wise: Free WiFi is a hard habit to break, even for cyber-savvy individuals.
Ensure home networks are secure
If a home wireless network is left unprotected (with no password or technical safeguards in place), it will be as vulnerable as any free WiFi hotspot. At minimum, it’s critical that remote users password-protect their networks and enable encryption (preferably WPA2). Even better, infosec teams should develop a checklist for remote employees to use in applying security settings.
Install (and use) a VPN on all mobile devices
Most organizations that have remote employees utilize a VPN — and those that don’t should. While this will protect company-issued devices, it won’t help in BYOD situations. And plenty of BYOD users access corporate systems from their phones and tablets.
Don’t put up road blocks (like assuming this step is too technical for end users to handle). Instead, identify an appropriate VPN application for employees, ask them to install it, and provide tips for using it. Even partial adoption is a step in the right direction.
Change default passwords
Remote workers are highly likely to connect corporate devices to personal networks and devices (home WiFi, wireless printers, fitness trackers, and other IoT equipment). End users should be instructed to change default passwords on these kinds of devices (particularly wireless routers). Default passwords are often accessible online, and hackers use this information to exploit unsuspecting users.
Don’t mix personal and business data
There has been plenty of press about these types of indiscretions, but the security ramifications aren’t up for political debate. As a general rule, corporate data should not be transferred to personal devices. Every time sensitive data is co-located, the risk to that data is compounded — and most of the risk will fall to the end user who moved the data outside of the audit trail.
In a similar vein, employees should be cautious about placing their personal data on corporate devices for the simple fact that the information leaves their jurisdiction and could potentially be accessed by others.
Stop oversharing on social media
This is a danger for on-site and remote end users alike, but those who consistently work from home can feel disconnected from corporate policies and procedures and not realize that sharing details of their work lives could create an issue for their employers. Likewise, individuals who travel a lot often fall into the trap of oversharing (posting check-ins at airports, hotels, restaurants, and more).
Employees should clearly understand the dangers of making business itineraries, corporate information, and daily routines public on social media.
Keep software and plug-ins up to date
As with default passwords, cyber criminals seek opportunities to exploit known vulnerabilities in software and plug-ins like Adobe Flash, Acrobat Reader, and Java. Remote workers should be made aware that plug-ins and software — including mobile operating systems and trusted applications — should be regularly updated on all devices they use (with automatic updating activated whenever possible).
Be alert to eavesdroppers and shoulder surfers
Employees who work in their own homes can sometimes take security for granted. However, they’re likely to be visited by plenty of people who shouldn’t be privy to sensitive or confidential details about their work or personal lives. When traveling, the “stranger danger” factor increases tenfold.
Remote workers should be cautious about discussing any confidential matters on the phone when unauthorized individuals (including spouses and children) are within earshot. They should also make sure that sensitive data on screens, printouts, or notepads is not visible to snoopers.
Ramp up physical security
This goes hand-in-hand with avoiding eavesdroppers and shoulder surfers as it has everything to do with taking control of personal space and personal devices.
In home offices, computers and paper files should be locked and secured when not in use. When traveling, extra care should be taken with devices and confidential materials; phones and files should not be left unsecured in unoccupied hotel rooms or vehicles.
When going on a business trip (or a personal trip, for that matter), end users should pare down to the bare necessities as far as devices and sensitive data are concerned. If a laptop won’t be needed, it should be left behind in a secure location. Superfluous files, credit cards, and devices also shouldn’t make the trip.