10 tips for security teams to ensure employees are cyber secure when remote working

Paul Colwell, Technical Director, OGL Computer, offers his top tips for ensuring employees remain cyber secure whilst working remotely.

Building a remote workforce can see productivity increase and improve employee job satisfaction levels, as well as serving as a necessary business tool and contingency buffer in the event of business disruption – the current coronavirus pandemic serving as a prime example.
As a result, remote working is on the rise, driven by modern business requirements as well as the desire for more flexible ways of working. Indeed, in our State of Technology at UK SMEs 2020 research report, a massive 94% of businesses in the UK said that they were seeing a growth in remote workers, and were increasingly turning to technology to support them.

However, there are many potential pitfalls to allowing staff to work from home – a decreased security stance being one of the most potentially significant. We’ve picked out a range of best-practice tips and working strategies to minimise this potential risk, whatever your business vertical or size…

1) Take it from the top

If staff are not already used to working remotely, or if there is a mixture of remote veterans and green starters, it is vital to have clear written guidelines that explain how to use services and software in a secure manner. Explaining how and when to log on and use video conferencing tools, access internal resources and data is not only key to ensuring that best practice is established to begin with, but also that staff are fully briefed and in control of their working day. In some cases, entirely new collaboration tools might be needed, which require briefings on – many providers will have these assets already, so it isn’t necessarily a long and arduous task.

2) Secure the endpoints

Many businesses take the opportunity to issue remote workers with a dedicated laptop, which can be centrally managed and configured in accordance with internal data policies, as well as protected by the company’s choice of endpoint protection. If remote workers are using their own PC equipment from home, it is vital to ensure that they have installed reputable anti-virus tools, such as Kaspersky AV or Carbon Black, and that the AV is up to date with the latest signatures.

3) Manage the endpoints

By using commercial mobile device management (MDM) tools, devices can easily be set up with a standard configuration, saving time and effort. MDM tools usually include the ability to remotely lock a missing device, erase data or retrieve a backup, all essential services that will be appreciated by workers and IT department alike.

4) Make the most of what you’ve got

It is recommended that any device containing corporate data be encrypted at rest, especially highly desirable devices like smartphones and laptops. The good news is that most devices support some kind of encryption natively, so ensure that this is activated and configured correctly.

5) Establish device loss protocols

In the event that a device is lost, employees need to know who to report this fact to, so that remote wiping and replacement can be triggered. It is important to recognise that devices will be accidentally lost and stolen, so staff should not be blamed – a culture of blame will also mean that losses and thefts will not be reported promptly, potentially increasing the risk of more serious data loss.

Additional guidance on data and security considerations for remote working

6) Educate on phishing

Arguably the greatest single threat to companies today comes from phishing, whether untargeted volume fake coronavirus updates that deliver ransomware, or spear phishing attacks aiming to pull off Business E-mail Compromise (BEC) scams, the risk is significant. Remote workers should therefore be trained by the business to spot suspicious emails and query (or simply ignore) them.

In addition to initial training, it’s essential that remote workers act as their own first line of defence, by double-checking the authenticity of messages, emails and phone calls. If in any doubt, the exchange should be reported to a pre-agreed internal security team contact point. Be especially wary when presented with sudden ‘emergency’ situations, where a caller or email contact asks you to break protocol due to a poorly explained crisis.

7) Operate or subscribe to a VPN

A corporate VPN is an essential security measure, especially for remote workers that may be using suspect connections. However, it is worth bearing in mind that more licences may be required to support larger numbers of remote workers, and that bandwidth may be restricted at certain concurrent user numbers. It is also particularly important that VPN endpoints are fully patched, as with any other software. VPN use should be subject to two-factor authentication (2FA), which is simply set up on VPNs from the likes of WatchGuard and Palo Alto Networks.

8) Pass the password

As in a standard office environment, passwords can present potential security risks if they are either too simplistic, or written down on post-it notes next to the monitor. Mandating strong passwords is important, and adding an extra layer in the shape of two-factor authentication is highly recommended.

Larger corporates are likely to have two-factor already in place, but if not, there are a range of options to suit businesses of all sizes right down to the sole trader. When selecting a product, ensure that it offers 2FA.

9) Leverage Office 365

Many businesses will already be familiar with elements of Microsoft’s Office 365, but by building on top of the usual desktop suite of Word, Excel, PowerPoint and beginning to take advantage of powerful collaboration tools such as SharePoint and Teams not only saves service duplication, but also simplifies data security and policy enforcement.

10) Provide the resources that are needed

A common pitfall is for internal security teams to mandate tools and processes that are highly secure, commercially approved and a very poor fit for the processes that remote workers are required to carry out in the course of their everyday role. The result is typically a ‘workaround’, involving third-party services or USB drives, especially where data sharing and storage is concerned.

The moral of the story is to assess exactly what processes are required by workers on the ground (whether remote or not), and to provide a solution that fits the bill. This might be in the form of approved cloud storage or file sharing tools that can ensure that data is properly encrypted and stored according to industry best practice.

There are a huge number of excellent remote working tools, from secure cloud storage services, Microsoft’s tools, Google’s G-Suite through to Zoom, and Microsoft Teams. However, not all will be a good fit for your business and processes, so don’t be blinded by the big names. When looking for advice, a local IT services provider can help navigate the choices available today, while the UK’s National Cyber Security Centre (NCSC) has published best practice guidance designed to protect data in remote working environments.

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.

Download The Video Surveillance Report