With many organizations supporting large numbers of remote workers, security teams are being pressed to provide necessary protections and security awareness training for the remote workforce. Security awareness is important no matter where your workforce resides, but companies might find it difficult to train remote workers via traditional methods.
So how can organizations help ensure that remote employees are still practicing cyber safety?
Engage Remote Workers With a Cybersecurity Self-Assessment
Instead of sending the same old training modules in an email that employees will probably ignore, why not engage workers with more interactive and informative security awareness content?
By empowering employees to evaluate their own security practices and explaining the “why” behind certain rules and policies, instead of simply telling workers what they can’t do, security teams can improve workforce risk awareness and, in turn, raise the security posture of the overall business.
The following 13 items cover the basics of security awareness for every remote employee. Organizations should use this checklist to guide the creation of their own tailored cybersecurity self-assessments, which can then be distributed to employees working from home to encourage security best practices and can serve as a tool for identifying potential areas of weakness or opportunities for future security training.
1. Are Devices Registered With IT?
In a perfect world, employees would only use devices provided by the IT department and preconfigured with a full range of protections. Since this is rarely the case, IT should collect some basic information about the equipment employees are using, including:
- The make and model of devices
- MAC and static IP addresses
- Operating system versions
- Details about where information is stored and how it’s transmitted
- A list of people who have access to the device
If possible, IT should then add trusted devices to their enterprise mobile device management (MDM) or unified endpoint management (UEM) solution.
2. Are Devices Physically Secure?
This is particularly important in shared-access scenarios where roommates or neighbors aren’t well-known. Any device that connects to the business network should be kept in a locked room or desk outside of work hours. If the device is accessible to others while it’s in use, employees should enable screen locking for brief absences.
3. Is Anti-Malware Software Up to Date?
Either security teams should provision anti-malware tools to endpoints from a central location, or members of the remote workforce should have a list of approved suppliers whose products include automatic update features.
4. Is Email Encrypted?
The best protection is to use a company-provided email client or secure web mail. If employees need to exchange emails from a non-approved client, they should notify IT and only use a service that supports end-to-end Transport Layer Security (TLS) encryption.
5. Is Storage Encrypted?
Email encryption can’t protect downloaded attachments and archived files stored in plain text. Both Windows and Mac systems provide hard drive encryption out of the box, and there are many other commercial options available.
6. Is VPN Access Enabled?
Employees should have step-by-step instructions on how to enable virtual private network (VPN) access only if the five steps above have been completed. A VPN is one of the best ways to extend enterprise controls and ensure the security of a remote workforce.
7. Is Wi-Fi Secure?
Many home Wi-Fi networks are protected by easily guessable or default passwords, or they have no protection at all. Employees should apply strong passwords, patch their routers and turn off Wi-Fi Protected Setup (WPS), which is a convenience feature that can be a serious vulnerability if it’s exploited by threat actors.
8. Have Users Received Phishing Protection Training?
Phishing attacks tend to proliferate in times of crisis, when people are stressed and more likely to click on links that promise information or help. The threat is amplified if the targeted employee is on the VPN when malware is unleashed. Security awareness training should teach workers how to verify the source of emails and what to do before clicking on links. Security organizations should conduct routine phishing tests and conduct follow-on training for employees who fall victim.
9. Are Employees Using Multifactor Authentication (MFA) and/or Secure Passwords to Access Business Applications?
It’s recommended that security teams only approve software-as-a-service (SaaS) applications that require MFA. If that isn’t possible, remote workforce members should be required to use unique passwords consisting of at least nine random characters for each service. Password managers make this easy.
10. Do You Have a Patch Manager?
It’s all but impossible to keep current with software patches manually. Fortunately, many MDM platforms and anti-malware suites include patch management solutions that can help automate this process.
11. Are Mobile Devices Protected?
Access to smart phones and tablets that are used to access business email or document repositories should be gated by strong passwords, or better yet, biometric controls.
12. Is Document Storage Encrypted?
Employees should only store work documents on hard drives that have been encrypted with the native tools in Windows and MacOS or with IT-authorized third-party encryption.
13. Are Only IT-Approved Cloud Services Used?
One of today’s biggest cybersecurity threats is documents being stored in unencrypted form on cloud services without adequate access controls. Employees should only use IT-approved document-sharing and collaboration services that support end-to-end encryption and MFA.
Leverage Security Training Results to Improve Future Awareness Efforts
Every organization’s cybersecurity self-assessment will be different depending on the business and the areas that are most important to their overall security strategy, but the above steps provide a solid baseline to build on. After a critical mass of assessments are returned to the security department, teams can synthesize them into an overall grade or score that can help determine the best next steps for the organization or specific individuals.
Partner, Gillin + Laberis