Not that long ago, teleworking was considered an as-needed option for organizations to address specific projects or individual needs. Then, in the blink of an eye, the pandemic forced many organizations to adopt telework procedures—for 100% of their staff in some cases.
Companies pivoted quickly to provide technology and additional resources, especially for sensitive company data and files, to adapt to the situation. Due to the sudden shift, many of these same companies, across all industries and sizes, are still essentially developing and refining their telework policies, in effect “making it up as they go along.” This makes it even easier for hackers and others to launch ransomware attacks and phishing schemes that can cause significant issues across the organization.
Executives, IT teams, and general staff must be aware of telework best practices to ensure that an organization’s data is secure to prevent disruptions to everyday workflow. Everyone in your organization should view cyber or online activities as a business risk. What would be considered a catastrophic cyber event? What would be the most damaging data breach to the organization and your partners? What is the level of risk your organization is willing to take? What steps are the company and everyone working there taking to ensure that data and files are secure? Also, how can your company create long-term resiliency to minimize future cybersecurity risks?
Based on The Cybersecurity and Infrastructure Security Agency (CISA) telework essentials toolkit, here are security guidelines and action steps that everyone in your organization should take right now.
Review and Update Current Organizational Policies and Procedures
- It’s essential to review current telework procedures, especially if your organization has pivoted to a fully remote workforce. Clearly communicate any new workflows, processes, policies, expectations, or security requirements to your workforce. This also includes any transitions to new equipment, network providers, or additional technology upgrades.
Implement Cybersecurity Training Requirements
- For your organization, every employee should be aware of, and then demonstrate, basic knowledge of cybersecurity best practices and required actions should a security breach occur. Determine if your IT department needs to provide additional training or guidance to employees as needed, especially for sensitive projects that require access to remote data or important files.
Determine Risks for Moving Organization Assets from Corporate to Home
- When employees work from home, it’s crucial to know how vital organizational assets are accessed, especially when employees use personal devices at home (phones, personal computers, printers, etc.). It’s important to establish clear procedures when employees use organizational equipment (computers/phones/etc.) at home and that such equipment is securely configured to either the home internet provider or an outside internet service provider.
Creating a Secure Hybrid Culture
- A hybrid workforce that includes employees who telework year-round, staff in the office year-round, and those in-office and telework requires a clear strategy. Regularly train staff on proper cyber hygiene when it comes to maintaining cyber security standards, being aware of phishing attempts, use of external USB drives and other removable media, along with other protocols to ensure year-round compliance.
Ensure patching and vulnerability management are up to date
- IT teams should ensure that hardware and software inventories and supplies are up to date to keep with new advances in patch and vulnerability management. Also, enable automatic software updates or suitable solutions so that workforce equipment is using the latest version available.
Invest in enterprise cybersecurity controls
- Focus on investing in enterprise cybersecurity controls to securely connect all employees with the organization’s network and assets. The first step is to evaluate and review the current security architecture and ensure it provides proper protection and visibility into all remote sites and endpoints, including employees who may use public Wi-Fi. In some IT environments, zero trust architecture may be preferred to a virtual private network (VPN) due to the lack of perimeter defense in cloud and distributed systems.
Enforce multi-factor authentication
- Multi-factor authorization (MFA) is a must when it comes to organizational systems and services. Some of your workforce may feel that the extra time and effort is not worth it, but MFA is a much-needed added layer of security, especially if employees use weak passwords to access their equipment or data. Develop contingency plans if MFA is not a feasible or available option for your organization, including mandating strong passwords and changing them frequently.
Maintain a list of organizationally approved products
- Create, maintain, and update an approved list of organization products. This includes third-party collaboration tools and teleconferencing applications. Provide frequent guidance on the use of these tools.
Perform frequent backups
- Frequent backups performed regularly are crucial in protecting data and sensitive information and are an essential defense in minimizing potential cybersecurity attacks. Be sure to store necessary data backups offline and offsite.
Implement a domain-based message authentication
- A Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system will serve as a solid countermeasure for any phishing attacks or compromised business email systems, especially in a remote environment. DMARC essentially serves to validate who is sending an email, specifically in the sender’s “From” field, the business name, and the domain. This prevents “spoofing” when a hacker attempts to send a fake email from an organization that looks legitimate.
Ensure the home network is properly configured and hardened
- Make sure teleworkers are connecting their equipment to a home network that is securely configured and, if possible, hardwired and not relying on wireless. Be sure staff use strong, complex passwords and change them often. Ensure any home wireless router is configured to use WPA2 or WPA3 wireless encryption. Ensure the home network name does not reveal any physical locations (address, apartment numbers, etc.) and that it does not reveal the router manufacturer or model.
Follow secure practices and organizational policies
- When handling sensitive data at home, ensure that teleworkers are following proper procedures. That includes avoiding storing sensitive organizational information on personal devices, including personally identifiable information, classified materials, sensitive client information. On personal devices, make sure the latest patch and security updates are added. Secure home devices with additional options, including password authentication and approved anti-virus software.
Use caution when opening emails and links and attachments
- All staff should use extra vigilance when opening email attachments or clicking links in messages from people or organizations that they are unfamiliar with as these may be phishing attacks. Report any such activity to the IT team.
Communicate suspicious activities
- Advise staff on the procedures for reporting any suspicious activities that they may encounter to the IT team or other appropriate members in your organization. Any delay in reporting could lead to other staff, not being aware of the situation to inadvertently exposing the organization to the wider threat.
Cybersecurity Awareness Month is in October of each year. But cybersecurity should be a year-long priority for every organization. By implementing these best practices, your organization will make cybersecurity a year-long priority. For additional resources or assistance in creating a cyber secure organization, reach out to J5 Consulting today and let us help meet your mission needs.