Pragmatic Security Practices for a Safer Work From Home Environment

At the onset of the COVID-19 outbreak, companies and organizations everywhere began operating remotely. They started holding virtual meetings and asking employees to work from home (WFH). In some cases, these changes happened overnight, often creating hiccups. Some firms found that their existing solutions were not effective for their needs. For example, the United States Air Force discovered that the virtual private network (VPN) solution they used could support 72,000 people, but that is only around 24% of their total civilian and contract-based workforce. Security was an even bigger issue. All companies, big or small, face similar challenges.

WFH is here to stay, at least for the foreseeable future. The security suggestions we’ve summarized below are effective even as people return to the workplace.

As companies adopted WFH strategies, many of them simply connected the corporate network to their employee’s home networks and that produced a significant security issue. Security is not a purely technical problem. It is at the confluence of people and technology, and that makes it impossible to create a completely secure environment. To be clear, people aren’t the culprits, but our human practices cannot solely be overcome by technology. We each have responsibilities to ourselves, families, employers, and communities to maintain strong security practices. Most of the time, weak practices are the core problem. Poor password policies are at the top of the list, but that is just scratching the surface.

Security risk can be produced and mitigated at many different levels:

• System Architecture
• Network
• Hardware
• Operating System Software
• Applications
• Operating System Software
• Programmatic IT Policy
• Usage

Your company can avoid data security risks through better personal security practices, instituting a social IT policy, and implementing some of these best practices.

Start by creating a more effective password policy. In 2020, having a complex password is no longer sufficient security. Length, not complexity, is what matters. We recommend that you develop an exclusion-free passphrase policy instead. Ask your employees, even executives, to use a passphrase on every device, program, and service. Because complex passwords require people to write them down somewhere they tend to produce more risk, not less. Each password should be a minimum of 16 characters and be easy to remember. Passphrases should be changed at least once a year (twice is better) and not repeated; also, lockout users for 30 minutes after five failed attempts.

Next, make sure that everyone is on the same page. With data breaches happening to even large, public organizations, security should be a company’s top priority. Furthermore, people need to be trained in personal security practices, not solely corporate security. When people work from home, their personal security practices are the most critical to overall security. A mandatory security education training program and regular check-ins help employees stay on track with maintaining a secure workplace.

You can also improve your company’s WFH security by using multiple authentication mechanisms together. Integrating Microsoft AD, Azure AD, and Microsoft Office365 AD into a single security structure could offer your organization an improved security posture. Consider adding Multi-Factor Authentication (MFA) to your systems and processes as well. MFA requires people to know specific details (i.e., the username and password) in addition to having access to the user’s physical device (e.g., their mobile phone, their tablet, or a token). Single Sign-On (SSO) services or password management services are another option to buttress remote security measures.

One of the most pragmatic security systems your company can adopt for a safe WFH environment is to build a better metaphorical mousetrap. Don’t make it easy for your computers or data to get hacked. This could mean using anti-programs (e.g., virus, malware, spam, spyware) or encrypting laptops to mitigate the risks posed by theft, like Microsoft’s Bit Locker. Both are acceptable practices and convenient for users.

To be effective, these opportunities, as well as your operating system, must be up-to- date with all available security patches.

Remote access to internal data systems on the network can be handled differently depending upon the infrastructure and requirements. Be careful with VPN as it ties the corporate (secure) network to the home (insecure) network resulting in a much higher security risk. You might consider remote desktop or virtual desktop technologies for publishing applications without the need for a VPN.

Establishing a data security policy and employing multiple authentication methods are proactive ways of protecting company data, but you also need a good defense. For instance, make it a policy to back up data regularly. This step is a critical defensive move against loss and ransomware. Make sure your backups are complete, recoverable, and stored offline. Ideally, the offline location is also physically remote, but that is a secondary consideration.

Remember to look at the wireless network security your employees have in place. You can reduce risk by asking your IT staff to create a guest network with internet-only access for all mobile devices (e.g., phone, tablet) and guests.

Nothing is foolproof, but the above steps when implemented as part of an overarching technology security strategy will put you ahead of the pack. Accommodating a new world where we both from home and the office requires more than cloud computing capabilities. While your employees can log into work assets from their different networks and computers, they should take precautions to protect company data.

Well-designed and properly executed security will improve the employee experience, improve the integrity of company data, and mitigate your risk for data loss. If you have questions or concerns about your organization’s security posture, reach out to Aldrich Technology today.