With the spread of the novel coronavirus (COVID-19), many organizations are requiring or permitting employees to work remotely. This article is intended to remind employers and employees that data security concerns cannot be forgotten.
Employees working from home may be accessing or transmitting company trade secrets as well as the personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a company. Whenever an organization creates a new way of accessing its data, it puts that data at greater risk. Remote working intensifies that risk, as it can be hard for the employee and the organization to know when the data is breached, and it will be even harder to identify how it happened.
To avoid cyber attacks and protect confidential information, there are some requirements that every organization should follow when allowing remote access to employees.
- VPN Gateway – Virtual Private Network gateways create a secure connection to your network from employee devices that are on public networks. Furthermore, make sure to use the VPN only on company-owned hardware with up-to-date security features; otherwise, if the client system is infected, infected data may get transmitted over the VPN to subsequent networks.
- Wi-Fi Connectivity – It is always better to use a secure Wi-Fi network to connect to your organization's network. Avoid using public hotspots or open Wi-Fi.
- Zoning or Subnetting – To keep network integrity protected, incorporate network segregation wherever appropriate (using subnetworks) to keep publicly accessible components off internal networks, and monitor and control communications at key boundary points.
- Closure of Unwanted Ports – It is strongly recommended to close unnecessary network ports with the help of your IT/Security teams.
- Endpoint Security with Up-to-date Security and DLP Policies – Antivirus software should be kept up to date, with the remote access policy configured to auto-update virus definitions; client machines should be properly patched before connecting to the organization's network.
- Portals/VDI – It is strongly recommended that employees access company data and applications through a browser-based webpage or virtual desktop. Ensure that all applications and data are stored on the portal’s server and cannot be downloaded or saved on an employee’s device without permission.
- Remote Access Services – It is important to document remote access requirements, authorize remote access before allowing connections, monitor and control remote access, and encrypt remote access connections from the organization’s firewall and threat detection. Try to ensure employee systems/desktops are fully protected and have the same protection as office workstations.
It is also the duty of all employees working from home to strictly follow the practices below when dealing with business information.
- Enforce strong password policies and ensure employees use a password manager.
- Change the router password every 15 days.
- Set up session time-outs on all remote connections and an automatic screen-locking feature on all computers.
- Turn off networking capabilities (such as Bluetooth) on mobile devices and laptops when not necessary for work.
- Set up restrictions to keep unknown or unnecessary browser extensions from being installed.
- Avoid clicking on links in unsolicited emails, and be wary of email attachments.
- When checking personal email on a work machine, be extra cautious and make sure you open attachments only from known and verified senders.
- Use customized spam filter settings for personal email accounts. In G Suite, for example, you can configure this in the Gmail advanced settings: scroll to “Spam, phishing, and malware” and configure the “Spam” option. You can also opt for aggressive spam filter settings.
Every company is dealing with significant human resources, health and business issues associated with the coronavirus. With a little extra care on security at this strenuous time, companies can hopefully avoid having to deal with additional issues associated with data breaches or loss of valuable business information.