Top tips for secure remote working

Are we facing an unprecedented pandemic, or will our fears be unfounded? It’s impossible to say right now, but global concerns over the current spread of coronavirus, and what will happen next with the outbreak is driving companies to review how their employees go about their daily tasks.

Millions of people across Asia have started working from home. Leading tech companies like Amazon, Microsoft, Facebook and other employers have asked their workforce to log in remotely until the situation improves and the virus is contained. In light of all of this, enterprises such as JP Morgan have taken steps to test-drive their remote working policies and infrastructure. This impending working paradigm shift means that every member of the workforce must prepare for the day when they are instructed to work from home.

Working from home is not complicated. Most of us do so now and again. Accessing an internet connection is easy enough, and cloud office suites and SaaS (software as a service) applications make it seamless to transition from working at the office to doing so on the couch in your living room.

But most organizations will not have supported so many employees working remotely, and employees themselves may be a little out of practice in observing best practices when working from home.

So now is definitely the time to review and enhance security around remote access to corporate data, at both ends of the connection. Here are our top tips for secure remote working for employees, and for their employers.

Best practices for employees

We naturally tend to be more relaxed at home, especially when it comes to security. After all, we’re in the safety of our own homes, so what could go wrong? Unfortunately, cybercriminals are seeking to exploit exactly this sort of complacency with carefully engineered phishing exploits and threats. So employees should take note of the following.

Passwords matter: it’s a good idea to review and strengthen passwords that you use for logging onto remote resources, such as email or work applications.

Be phishing-aware: be wary of clicking on links that look in any way suspicious and only download content from reliable sources that can be verified. Remember that phishing schemes are a form of social engineering so if you receive an email with an unusual request, check the sender’s details carefully to make sure that you are communicating with colleagues, not criminals. Our research team has uncovered that domains related to the coronavirus are 50 percent more likely to be malicious, so make sure to cast a critical eye over anything unexpected that pops into your mailbox.

Choose your device carefully: Many employees use their company computer or laptop for personal use, which can create a security risk. The risk is even greater if you use a personal computer for work purposes. If you have to use a home or personal computer for work, talk to your IT (information technology) team about how to strengthen security—for example, by adding a strong antivirus and security package to it.

Who’s listening in? Does your home Wi-Fi network have a strong password, or is it open? Make sure it is protected against anyone within range being able to access and connect to the network. The same applies to working from a coffee shop or hotel—use caution when connecting to public wireless networks. Unsecured networks make it easier for cybercriminals to access emails and passwords.

Zero trust

This guide should serve as a starting point for organizations, whether their apps and data are stored in data centers, public clouds or within SaaS applications.

Trust no-one: Your entire remote access plan has to be built using the mind-set of zero trust where everything must be verified and nothing should be assumed. Make sure that you understand who has access to what information—segmenting your users and making sure that you authenticate them with multifactor authentication. Additionally, now is the time to reeducate your teams so that they understand why and how to access information safely and remotely.

Every end point needs attention: In a typical scenario, you might have people working on desktops inside the office. Assuming that their devices aren’t going home with them, you now have a slew of unknown devices that need access to your corporate data. You have to think ahead about how to handle the threats posed by data leakage, attacks propaga­ting from device into your network, and you need to ensure that the overall security posture of the devices are sufficient.

Stress-test your infrastructure: To incorporate secure remote access tools into your workflows, it’s critical to have a VPN (virtual private network) or an SDP (session description protocol). This infrastructure must be robust, and should be stress-tested to ensure that it can handle a large volume of traffic, as your workforce shifts gears to work from home.

Define your data: Take the time to identify, specify and label your sensitive data in order to prepare for policies that will make sure that only the appropriate people can access it. Make no assumptions about previous data management and take a granular approach, which will serve you well once remote access is fully enabled. No one wants to accidentally provide the entire organization with access to HR.

Segment your workforce: Run an audit of your current policies relating to the access and sharing of different types of data. Reevaluate both corporate policy and your segmentation of the teams within your organization, so that you can be rest assured that you have different levels of access that correlate with the various levels of data sensitivity.

These cornerstones of remote access security will help organizations better protect their data and networks against threats and interception at both ends of the connection. INQ

The author is regional director of Check Point Software Technologies.

Read more...