It’s been front page news all week. “Global Cyberattack,” “Ransomware Attacks,” “Digital Insecurity Is the New Normal.” This week’s worldwide cyberattack by the Shadow Brokers infected computers in over 150 countries with ransomware. The message is, “We are out here and we want your data and your money.” However, the truth is that the greatest threat to the confidentiality of your company data is your teleworker with a USB device, a smartphone, and an unsecured Internet connection.
To make matters worse, your company just announced its new telecommuting policy and everyone will now be allowed and even encouraged to work from home up to three days per week. You wring your hands as a bead of sweat rolls down your furrowed brow. Why? Because you’re the IT Manager and the greatest threat to your company’s data has just been unleashed!
You’ve spent years tweaking your corporate firewall, adding an Intrusion Detection System (IDS), and tightening access controls to ensure availability of your systems. You’ve implemented hashing techniques to ensure data integrity. But how do you ensure confidentiality when employees are logging in from home? Is it even possible to protect the data?
In a nutshell, an unprotected smartphone in the wrong hands provides easy access for snoopers. And an unsecured home Internet connection is equivalent to leaving the office front door open! Likewise, USB devices like thumb drives, keyboards, and mice can carry malware. And often the malicious code is not stored in the device’s flash memory but rather in the firmware that controls the operation of the device. Because of this, a flash drive can be scanned and deemed “good” even though its firmware has been designed to, say, redirect the user’s Internet traffic, alter files… or even take control of your PC!
However, all is not lost. You can take these five steps immediately to shore up your telecommuting policy and substantially increase the confidentiality of your systems with teleworkers.
Secure Remote Wi-Fi Networks
Before connecting to the company network, the following should be done at each remote worker’s home:
- Change the router admin user name and password
- Change the network name (SSID)
- Activate WPA2 encryption
- Turn on the router’s built-in firewall (either SPI or NAT)
- Turn off guest networks
- Update the router firmware
- Turn off WPS (Wi-Fi Protected Setup, the push-button feature on the router that lets devices join the network)
Denying Wi-Fi access to your teleworkers’ neighbors is imperative and these steps will thwart even the most persistent snoopers. And time spent training employees on how to take these steps could save major time and headaches down the road!
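The seven-item checklist above is easiest to enforce when it can be checked mechanically. The following is an added example (not part of the original post) that audits an exported router configuration against each item. The key=value export format, the router settings, the list of factory-default credentials and SSID prefixes, and the approved firmware version are all constructed assumptions; a real deployment would replace the parser with one for the vendor’s actual export format and fill the default lists from its own device inventory.

```python
"""Audit exported home-router settings against the Wi-Fi hardening checklist.

Added example, not from the original post. The key=value export below is a
constructed format; swap in a parser for your router vendor's real export.
"""
import re

# Constructed lists of factory defaults (assumption: extend from your own inventory).
DEFAULT_ADMIN_USERS = {"admin", "root", "user"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", "1234", ""}
DEFAULT_SSID_PATTERN = re.compile(
    r"^(NETGEAR|Linksys|TP-LINK|dlink|ATT|xfinitywifi)[-_]?\w*$", re.I
)
# WPA2 is the checklist minimum; WPA3 exceeds it and is also accepted.
ACCEPTABLE_ENCRYPTION = {"WPA2-PSK", "WPA2-ENTERPRISE", "WPA3-SAE"}
# Assumption: the firmware version IT has approved for this model (placeholder value).
MINIMUM_FIRMWARE = "1.4.2"


def parse_config(text: str) -> dict:
    """Parse a constructed key=value export; blank lines and # comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def version_tuple(version: str) -> tuple:
    """Turn '1.4.2' (or '1.4.2b') into (1, 4, 2) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version)) or (0,)


def audit(settings: dict) -> list:
    """Return one finding per failed checklist item; an empty list means the router passes."""
    findings = []
    if settings.get("admin_user", "").lower() in DEFAULT_ADMIN_USERS:
        findings.append("admin user name is a factory default")
    if settings.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("admin password is a factory default")
    if DEFAULT_SSID_PATTERN.match(settings.get("ssid", "")):
        findings.append("SSID looks like a factory default (reveals the router model)")
    enc = settings.get("encryption", "").upper()
    if enc not in ACCEPTABLE_ENCRYPTION:
        findings.append(f"encryption is {enc or 'none'}; WPA2 or better is required")
    if settings.get("firewall", "").lower() != "on":
        findings.append("built-in firewall is off")
    if settings.get("guest_network", "").lower() != "off":
        findings.append("guest network is enabled")
    if settings.get("wps", "").lower() != "off":
        findings.append("WPS is enabled")
    firmware = settings.get("firmware_version", "0")
    if version_tuple(firmware) < version_tuple(MINIMUM_FIRMWARE):
        findings.append(f"firmware {firmware} is older than approved {MINIMUM_FIRMWARE}")
    return findings


# Constructed sample: a router as shipped by the ISP, before any hardening.
AS_SHIPPED = """
admin_user=admin
admin_password=password
ssid=NETGEAR42
encryption=WPA-PSK
firewall=off
guest_network=on
wps=on
firmware_version=1.2.0
"""

# Constructed sample: the same router after the checklist has been applied.
HARDENED = """
admin_user=rt-ops
admin_password=Kq9#vw2Lm$8p
ssid=MapleStreetHome
encryption=WPA2-PSK
firewall=on
guest_network=off
wps=off
firmware_version=1.4.2
"""

if __name__ == "__main__":
    for label, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        results = audit(parse_config(cfg))
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run stand-alone, the as-shipped sample fails all seven items (eight findings, since user name and password are checked separately) and the hardened sample passes cleanly; a help desk can hand the teleworker the findings list as the to-do list for their router.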
Passwords / Biometrics
- Require teleworkers to password-protect their smartphones and laptops
- Require teleworkers to use the biometric features (fingerprint scanner, etc.) built into their smartphones and laptops, when available
This sounds obvious, right? But employees who get annoyed at having to unlock their phone each time can open a huge hole in your security simply by turning the lock off. A lost or stolen phone with no password or biometrics is an open door to your systems.
Secure Mobile Access
- Ensure that access via public or free Wi-Fi is only via encrypted hotspots
- Use cellular connections for sensitive sessions like banking
- Require a VPN when accessing the office network from a free or public network
Logging into the company system from Panera or McDonald’s at lunch is a quick and convenient way to stay connected. However, most public Wi-Fi hotspots do not offer encryption. You must assume that these networks are compromised or, in some cases, counterfeit and designed only to steal your information. Therefore, remote workers must either use VPN when connecting to public Wi-Fi hotspots, or connect via cellular.
Use Mobile Antivirus Tools
- Use antivirus tools that offer some level of data backup, remote wipe, GPS tracking, and remote locking
- Turn off Autofill
- Log out every time after using mobile apps
Apps like Avast Secure Me and Lookout Mobile Security encrypt your browser session from your smartphone. And they provide useful features like easy backup and tracking of lost or stolen phones. You can even wipe your lost or stolen phone’s data remotely! Turning off Autofill prevents a lost or stolen phone from inadvertently helping the perpetrator. Similarly, staying logged into apps between uses leaves open access to password-protected sites.
Limit Access to What Can be Accessed Remotely
- Use simple browser-based tools to access databases when possible, rather than direct database connections
- Only provide the minimum tools when teleworkers VPN into the network (some tools may only be available to workers when they are physically in the office)
Browser-based tools can give users access to your data without a direct connection to the back-end system. Consider providing no remote access at all to the company systems whose compromise would do the most damage. Sometimes the best remote access policy is no access at all!
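The “minimum tools over VPN” rule is only as good as the firewall rules on the VPN interface, and those drift. Below is an added example (not from the original post) that compares a VPN allow-list against an inventory of internal services tagged with whether teleworkers may reach them remotely, reports office-only services that the ACL nevertheless exposes, and derives the tightest allow-list that covers exactly the approved set. The service inventory, addresses, and the `(proto, CIDR, port)` rule shape are constructed assumptions; a real deployment would export the ACL from the VPN concentrator and render the derived rules in that vendor’s syntax.

```python
"""Audit a VPN allow-list against the approved remote-access inventory.

Added example, not from the original post. Inventory and ACL are constructed;
rules are (proto, CIDR, port) with port 0 meaning any port, default deny.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    host: str            # internal IP address (constructed)
    port: int
    proto: str
    remote_allowed: bool  # policy decision: may teleworkers reach this over VPN?


# Constructed inventory. The browser-based front ends are approved for remote
# use; the databases and file share are office-only because their compromise
# would do the most damage.
INVENTORY = [
    Service("intranet-portal", "10.0.1.10", 443, "tcp", True),
    Service("ticketing-web",   "10.0.1.11", 443, "tcp", True),
    Service("finance-db",      "10.0.2.20", 1433, "tcp", False),
    Service("file-server-smb", "10.0.2.30", 445, "tcp", False),
    Service("hr-db-admin",     "10.0.2.21", 5432, "tcp", False),
]

# Constructed ACL currently applied to the VPN interface.
VPN_ACL = [
    ("tcp", "10.0.1.0/24", 443),
    ("tcp", "10.0.2.0/24", 0),   # over-permissive: whole server subnet, any port
]


def reachable(service: Service, acl: list) -> bool:
    """True if at least one allow rule matches the service's protocol, address and port."""
    addr = ipaddress.ip_address(service.host)
    for proto, cidr, port in acl:
        if (proto == service.proto
                and addr in ipaddress.ip_network(cidr)
                and port in (0, service.port)):
            return True
    return False


def audit_acl(inventory: list, acl: list) -> dict:
    """Split services into violations (office-only but reachable), gaps (approved but
    blocked) and ok (ACL agrees with policy)."""
    result = {"violations": [], "gaps": [], "ok": []}
    for svc in inventory:
        hit = reachable(svc, acl)
        if hit and not svc.remote_allowed:
            result["violations"].append(svc.name)
        elif not hit and svc.remote_allowed:
            result["gaps"].append(svc.name)
        else:
            result["ok"].append(svc.name)
    return result


def minimal_acl(inventory: list) -> list:
    """Derive the tightest allow-list: one host/32 rule with the exact port per approved service."""
    return sorted({(s.proto, f"{s.host}/32", s.port) for s in inventory if s.remote_allowed})


if __name__ == "__main__":
    before = audit_acl(INVENTORY, VPN_ACL)
    print("current ACL violations:", before["violations"])
    print("current ACL gaps:      ", before["gaps"])
    proposed = minimal_acl(INVENTORY)
    print("proposed minimal ACL:")
    for rule in proposed:
        print("  allow", *rule)
    print("proposed ACL violations:", audit_acl(INVENTORY, proposed)["violations"])
```

The point of the second pass is that the derived rules are checked with the same `audit_acl` function before anyone applies them, so the allow-list that ships is provably the one that exposes only the approved browser-based tools and nothing else on the server subnet.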
I have worked remotely for 24 years now. Accessibility needs have grown enormously over that time and so has the sophistication of the nefarious few who want your data. However, the tools to help you secure your networks are many. Opening your company networks to remote workers does not mean the end of network security… if you take action at the start!