With the outbreak of the Coronavirus, a key challenge many organizations are facing is enabling their workforce to work from home. For many organizations, this is something new, and they often lack the processes, policies and technologies that enable people to do so safely and securely. In addition, when people work from home they lack many of the typical security controls you find in organizations, exposing them to far greater risk.
Below we identify the top three behaviors we feel organizations should focus on to quickly secure any new employees that are working from home. And please don’t overlook the list of expert-driven resources we've included at the end to help reinforce cybersecurity best practices for remote work. The simpler we make security, the more likely people will implement the measures they need. As such, our goal here is not perfect security — but the fewest behaviors that will have the greatest impact.
Feel free to modify the recommendations below as you see fit, as every organization’s needs, requirements and tolerance for risk are different. If nothing else, think of this as a starting point.
1. Social Engineering
One of the greatest risks remote workers will face, especially in this time of both dramatic change and an environment of urgency, is social-engineering attacks. Social engineering is a psychological attack in which attackers trick or fool their victims into making a mistake, which is easier during a time of change and confusion. These attacks can take on many forms besides email-based phishing attacks, including phone calls, text messaging and social media. The key is to teach people what social engineering is, the most common indicators of a social-engineering attack, and what to do when they spot one.
2. Strong Passwords
As identified in the annual Verizon DBIR, weak passwords continue to be one of the primary drivers for breaches on a global scale. A key finding is that strong passwords are one of the most effective defenses. We want to re-emphasize what is needed for strong password use. This includes:
- Passphrases (password complexity is dead)
- Unique passwords
- Password managers
- MFA (multi-factor authentication), often called two-factor authentication or two-step verification
3. Updated Systems
The third step that will go a long way to protect remote workers is ensuring any technology they are using is running the latest version of the operating system and applications. For personal devices this may require enabling automatic updating.
In addition to communicating these topics, we recommend that you implement some type of technology to answer questions, preferably in real time. This can include a dedicated email alias, Skype or a Slack chat channel, or some type of online forum.
Another recommendation is to host a security webcast that you repeat several times a week so people can pick a time that works best for them, attend the event live, and perhaps even ask questions. The goal is to make the security team as approachable as possible and help people with their questions.
This is a fantastic opportunity to engage your workforce and put a friendly face on security. Try to take advantage of the opportunity.
To help you teach and reinforce the three key behaviors for creating a cybersecure remote workforce, below are links to the OUCH! Security Awareness Newsletters that address these topics. OUCH! is a free security awareness newsletter published every month in over 20 languages and written by a subject matter expert guest editor.
Four Steps to Staying Secure
Creating a Cybersecure Home
Messaging / Smishing
Phone Call Attacks / Scams
Stop That Phish
Scamming You Through Social Media
Making Passwords Simple
Lock Down Your Login (2FA)
Yes, You Are a Target
Smart Home Devices
Virtual Private Networks