Let’s face it, the dynamics of business are changing and natural disasters are not making it any easier. As a result, many businesses are faced with the need to implement remote work, work from home, telecommuting and distributed workforces but what are they doing to keep their company secure from modern cybersecurity threats?
With that in mind, I wanted to provide a few tips and recommendations that can help you keep your company, employees and customer data secure.
Password Security & Multifactor Authentication (MFA)
I know it seems like I’m beating that same old drum, but the number one threat to your organization is password reuse, weak passwords and the lack of multifactor authentication. Your users should absolutely be using strong passwords today, a unique password for each service, and multifactor authentication should be enabled and enforced on all accounts. A password manager is optional but highly recommended. Here are a few tools for you:
- Twofactorauth.org so your users know how to enable it on every account that supports it.
- How strong is my password: let your users see just how horrible Password1 is as a password.
- Bitwarden, Lastpass, 1Password to name a few password managers.
Okay now that we got that out of the way. Let’s look at company assets:
The Corporate Assets
Most businesses today have a pretty similar set of IT assets in their organization. Let’s go through them.
1 – Remote Corporate Network Access
I find most businesses today already have a Virtual Private Network (VPN) set up and in use by many of their employees. If you’re not familiar, a VPN does two things:
- it allows remote users to connect to your network when they are off-site and have access to network devices and resources as if they were onsite.
- it encrypts this data ‘end to end’, meaning that the connection from the remote computer to your network is secure and only the two endpoints are able to see what’s going on.
However, there are generally two challenges that come up when a company is faced with a sudden demand for a large number of employees to go remote:
- The security of the VPN is only as secure as the two endpoints. Is the VPN device up to date and configured correctly? Is the remote computer up to date with its security protection, operating system, and application patching and does it conform to corporate requirements? In most cases, the home user’s computer security has ‘what it came with’ which likely isn’t up to the job.
- Do you have the capacity? Is your VPN appliance sized correctly, do you have adequate network connectivity, are you adequately licensed for the number of users, and have your users been trained and provided documentation on how to connect to the VPN?
2 – Remote Desktop Access Software
Many companies leverage software like GoToMyPC, LogMeIn, Splashtop, TeamViewer, VNC and RDP to access their desktops from their personal computers. This is a mixed bag and the use of these applications is really something that should be discussed with your IT team or IT provider. The biggest challenge with many of these tools is that end-users will go rogue and use personal accounts or simply install these themselves. Then they become unmanaged, unpatched, out of date and ultimately a security nightmare, since attackers actively look for and try to exploit these applications. Good internal software auditing is key, and the management and installation of your software should be the responsibility of your IT provider.
3 – Remote Meeting Software
Webcasts, webinars, and online meetings have really grown in popularity. But now that you’re looking to take everyone remote, you’re still going to need to have meetings. While many organizations already use these tools, most opt only for voice. My recommendation is to mandate video for all of your meetings whenever possible. There’s a level of nonverbal communication that is simply lost in a telephone conference call, and with video in place you’re still able to pick up on those cues. This goes for one-on-one meetings as well as group meetings. There’s a large number of options here including Microsoft Teams, Zoom, GoToMeeting, BlueJeans, Join.me, Google Hangouts, etc. My personal recommendation for internal meetings: if you are an Office 365 organization, use Microsoft Teams; if you’re a G Suite organization, use Hangouts. For an external meeting either of these is still viable for your company, but you may find a solution like Zoom or GoToMeeting to be easier to manage. Again, have a conversation with your IT team.
4 – Common Desktop Software & Line of Business Applications
Many business applications have moved to SaaS, cloud, web, and mobile type applications. Thanks to that transition, I find most organizations today use Microsoft Office (Word, Excel, Outlook, PowerPoint) and a web browser (usually Chrome). Microsoft Office 365 allows most users to install the software on up to 5 PCs or Macs. This means your users just need to log into Office 365 to install it on their personal computers. However, many companies prefer not to have their corporate data floating around on personal, less protected, less managed computers. For these companies we recommend they look at migrating to Microsoft 365 to gain control of their data. This should be the norm for all companies that allow BYOD or personal devices to be used. With Microsoft 365 instead of Office 365, you’re able to sandbox your corporate data in a separately protected area on the device and restrict access to it.
5 – VoIP Phone Systems
Today most businesses have already made the jump to a VoIP phone system from a traditional phone system. With a VoIP service, you’re able to either take a VoIP handset home with you or in most cases use a softphone (software-based phone) that you install on your mobile device or computer. If those aren’t an option most services will allow you to forward your phone to another phone like a cell phone.
Taking Work Home
That covers the big items for most users. Now the question is, will your employees be using company computers or personal computers? The reality is most users will opt to use their personal computers even when they have a company laptop. So let’s start there. What should we require when using a personal computer for work?
1 – Is the Home Computer Secure?
I’ll save you the time wondering: the answer is most likely NO. Resoundingly no. Here’s what to ask about:
Antivirus
Most home users don’t have an antivirus solution installed and if they do, it’s freeware and/or out of date. Find out what they’re using.
Operating System & Software updates
This goes for the operating system as well as the applications on their computer. They should be running supported versions of the operating system and their applications, and these should be up to date. This means no Windows 7, no out-of-date macOS, etc.
Windows / Software Firewall
They should have a software firewall installed on their computer and it should be enabled and configured to restrict what is able to access that computer.
Use Unique User Profiles On Home Computers
Many home computers are shared across multiple users within the home, and while on the surface it may not seem like a problem, the last thing you want is someone’s 3-year-old sending the wrong email attachments to your customers while trying to get to Baby Einstein on YouTube on daddy’s big TV computer. Microsoft 365 enables you to apply restrictions so that access to business applications and accounts requires additional security like a personal identification number (PIN). At a minimum, if a computer is being used by multiple people, each of them should have a separate login with a unique username and unique password.
Use standard users and not administrators
While we’re on the topic of users we should mention user types. Your users should not be Administrator users on their desktops and should be standard users with a special reserved/restricted account used when Administrator access is required. This helps to avoid malware being installed inadvertently and reduces the attack surface considerably.
Monitoring for Hacker Footholds
I doubt any home users do this but it’s important if you’re going to be relying on home computers for business. The computer needs to be scanned and monitored for malware, rootkits, trojans and any activity that may be indicative of attacks like these.
If all of this seems complex, that’s because it is, at least if you’re trying to do it manually for hundreds of users. But most IT providers, like Applied Innovations, use a suite of Remote Management Tools that automate much of this.
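For a small number of users, or to see what a management tool is checking on your behalf, the questions in this section can be turned into a read-only script. The following is an added example written for this article, not code from the original post or from Applied Innovations: it audits a Windows home computer for a supported OS, recent patching, antivirus state, the software firewall on every profile, whether the account doing company work is a standard user, and how many people share the machine. It assumes Windows 10/11 with the built-in PowerShell and Microsoft Defender; a third-party antivirus shows up as "status unavailable" and has to be checked by hand. The 45-day patch and 7-day signature thresholds are assumptions, not a stated policy.

```powershell
# Added example (not from the original post): read-only audit of a Windows home PC.
# Assumes Windows 10/11, built-in PowerShell 5.1+, Microsoft Defender.

$findings = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Status, [string]$Check, [string]$Detail) {
    $findings.Add(('{0,-4} {1,-26} {2}' -f $Status, $Check, $Detail))
}
function Get-Status([bool]$Pass) { if ($Pass) { 'PASS' } else { 'FAIL' } }

# 1. Operating system: Windows 7 / 8.1 are unsupported, so require 10.0 or later.
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$osOk = [version]$os.Version -ge [version]'10.0'
Add-Finding (Get-Status $osOk) 'Supported OS' ('{0} (build {1})' -f $os.Caption, $os.BuildNumber)

# 2. Patching: days since the most recent hotfix was installed (45 days is an assumed limit).
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { 999 }
Add-Finding (Get-Status ($patchAge -le 45)) 'Recent OS patch' "last hotfix installed $patchAge day(s) ago"

# 3. Antivirus: Defender real-time protection on and signatures fresh (7 days assumed).
try {
    $mp     = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    Add-Finding (Get-Status $mp.RealTimeProtectionEnabled) 'AV real-time protection' "Defender enabled=$($mp.AntivirusEnabled)"
    Add-Finding (Get-Status ($sigAge -le 7)) 'AV signatures fresh' "signatures updated $sigAge day(s) ago"
} catch {
    Add-Finding 'FAIL' 'Antivirus' 'Defender status unavailable; verify any third-party antivirus manually'
}

# 4. Software firewall: every profile (Domain, Private, Public) must be enabled.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding (Get-Status ([bool]$p.Enabled)) "Firewall ($($p.Name))" "default inbound action: $($p.DefaultInboundAction)"
}

# 5. Least privilege: the account doing company work must not be a local administrator.
#    Compare SIDs rather than names so Microsoft-account logins are matched correctly.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
try {
    $adminSids = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object { $_.SID.Value }
    $isAdmin   = $adminSids -contains $identity.User.Value
} catch {
    # Fallback if group enumeration fails; this only reflects the current (possibly UAC-filtered) token.
    $isAdmin = ([System.Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
Add-Finding (Get-Status (-not $isAdmin)) 'Standard user' "running as $($identity.Name)"

# 6. Shared computer: list enabled local accounts. Informational only; the
#    requirement is that every person using the machine has their own login.
$users = @(Get-LocalUser | Where-Object { $_.Enabled })
Add-Finding 'INFO' 'Enabled local accounts' ('{0}: {1}' -f $users.Count, ($users.Name -join ', '))

# Report. Any FAIL means the computer is not ready for company access yet.
$findings | ForEach-Object { Write-Output $_ }
$fails = @($findings | Where-Object { $_ -like 'FAIL*' }).Count
Write-Output "`n$fails failing check(s)."
```

Run it in a normal (non-elevated) PowerShell window as the person who will be doing company work, since the point of check 5 is to see what that everyday account can do. Each line is a PASS/FAIL/INFO verdict with the evidence beside it, so the output can be pasted into a ticket for your IT team.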
2 – Home Networks & Firewalls
Home networks are mostly WiFi / wireless these days, and many home network devices are geared towards ease of use as opposed to enhancing security. Additionally, the very device protecting the home network, the home router, is frequently running out-of-date firmware and potentially vulnerable to attack itself, as the recently announced Netgear Nighthawk vulnerability shows. It’s recommended you interview your users and get information on what network devices they are running in their homes. You should also require a software firewall to be enabled on their home computers and, if possible, remotely managed/verified. If possible, you should enable MAC filtering so that only ‘approved’ and ‘known’ devices are able to access the network.
3 – Connecting from Other Untrusted Networks
Once your users are working remotely, it’s not uncommon for them to start working from other networks, coffee shops, hotels, public wifi networks, libraries, etc. When they’re connecting to these networks they’re at risk. Who runs that network? Who’s looking at the network traffic there? Is it a rogue access point they’re connecting to or is it really the local coffee shop? There are really two ways to combat this:
- Provide your users mobile hotspots or allow them to tether to their phones using 4G LTE connections. The downside to this is that if they’re not on an unlimited plan it could become costly and if they are on an unlimited plan, most of those limit the 4G LTE bandwidth available in a month and then start to throttle it.
- Have your users use a VPN when connected remotely. But when using a VPN you’re really moving the trust out from that network to that VPN provider. Many of the low-cost commercial VPNs advertised online replace ads, monitor network traffic or are just an unknown black box.
My recommendation here would be to go with the mobile hotspot. If that’s not an option then I would run my own VPN and have all traffic route through that VPN. But be careful, there were reports recently of a food delivery service blocking a large technology company’s VPN IP because of the number of orders coming through that IP address. So speak to your IT provider and work with them to decide what works best for your use case.
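Running your own VPN only protects a user on untrusted WiFi if the client really sends all traffic through it; a split-tunnel configuration, or an IPv6 path the VPN does not cover, leaves part of the traffic on the coffee-shop network. The following is an added example written for this article, not code from the original post or from any VPN vendor: it checks, on a Windows client, that the winning IPv4 default route belongs to the VPN adapter (or that the adapter carries the 0.0.0.0/1 and 128.0.0.0/1 pair some clients use instead), that no IPv6 default route exists outside the tunnel, and that the VPN adapter has its own DNS servers. The adapter-name pattern in $VpnAliasPattern is an assumption and must be adjusted for your client.

```powershell
# Added example (not from the original post): verify a Windows VPN is a full tunnel.
# Assumes the VPN adapter's alias matches $VpnAliasPattern (assumed default 'VPN';
# use e.g. 'WireGuard' or 'OpenVPN' for those clients).

function Test-FullTunnelVpn {
    param([string]$VpnAliasPattern = 'VPN')

    $vpn = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceAlias -match $VpnAliasPattern })
    if ($vpn.Count -eq 0) {
        Write-Output "FAIL  no active adapter matching '$VpnAliasPattern'; is the VPN connected?"
        return $false
    }
    $vpnIdx = @($vpn.InterfaceIndex)

    # Windows picks the default route with the lowest (route metric + interface metric).
    # That winning 0.0.0.0/0 route must belong to the VPN adapter.
    $defaults = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 | ForEach-Object {
        $ifMetric = (Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).InterfaceMetric
        [pscustomobject]@{ Index = $_.InterfaceIndex; NextHop = $_.NextHop; Total = $_.RouteMetric + $ifMetric }
    } | Sort-Object Total
    $best         = $defaults | Select-Object -First 1
    $defaultOnVpn = ($null -ne $best) -and ($vpnIdx -contains $best.Index)

    # Some clients win instead with two more-specific routes, 0.0.0.0/1 and
    # 128.0.0.0/1, on the VPN adapter; accept that form too.
    $halves = @(Get-NetRoute -AddressFamily IPv4 | Where-Object {
        $_.DestinationPrefix -in @('0.0.0.0/1', '128.0.0.0/1') -and $vpnIdx -contains $_.InterfaceIndex })
    $fullTunnel = $defaultOnVpn -or ($halves.Count -eq 2)

    # IPv6 caveat: if the VPN is IPv4-only and a physical adapter has a real
    # IPv6 default route, IPv6 traffic bypasses the tunnel entirely.
    $v6Leak = @(Get-NetRoute -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        Where-Object { $vpnIdx -notcontains $_.InterfaceIndex -and $_.NextHop -ne '::' })

    # DNS: queries should go to resolvers reached through the tunnel, so the VPN
    # adapter needs its own DNS servers configured.
    $vpnDns = @($vpnIdx | ForEach-Object {
        (Get-DnsClientServerAddress -InterfaceIndex $_ -AddressFamily IPv4).ServerAddresses })

    Write-Output ('{0}  IPv4 default route via VPN adapter' -f $(if ($fullTunnel) { 'PASS' } else { 'FAIL' }))
    Write-Output ('{0}  no IPv6 default route outside the tunnel' -f $(if ($v6Leak.Count -eq 0) { 'PASS' } else { 'FAIL' }))
    Write-Output ('{0}  DNS servers on VPN adapter: {1}' -f $(if ($vpnDns.Count -gt 0) { 'PASS' } else { 'FAIL' }), ($vpnDns -join ', '))
    return ($fullTunnel -and $v6Leak.Count -eq 0 -and $vpnDns.Count -gt 0)
}

Test-FullTunnelVpn
```

Run it after connecting to the VPN from the untrusted network. A FAIL on the IPv6 line is the common surprise: the IPv4 tunnel is fine but the hotel network hands out IPv6, and that traffic never enters the VPN. The fix on the VPN side is to route IPv6 through the tunnel as well or, as a fallback, to have the client disable IPv6 on the physical adapter while connected.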
4 – Physical Security and Mobile Device Management
You’ll want to make sure your users practice good physical security precautions. This isn’t just watching for someone trying to look over their shoulder, but ensuring that they are locking their computers and storing them safely. If they’re using company laptops, I recommend installing mobile device management software so that in the event the computer is misplaced or stolen it can potentially be remotely wiped and the data destroyed. This also argues for using drive encryption on your laptops, to ensure that if a laptop is stolen someone can’t just mount the hard drive and read the data on it.
What’s Next?
Planning, Preparation and Fire Drills
Finally, I’ll leave you with this. It’s important to plan in advance, ask what-if questions and run tests. If you haven’t sent everyone home to work remotely yet, have them test it in small batches, work out the kinks and gradually increase the number of users that are remote until everyone is remote. This way you won’t overwhelm your infrastructure, team or bring your business to its knees inadvertently.
I know all of this seems extremely involved and can be quite overwhelming for any business leader, but for a managed IT company like Applied Innovations, it’s what we do each and every day for our clients, and it’s why you should be working with us or a company like us. We’d love to have a conversation with you about your own business needs.