Many businesses are finding a new challenge in maintaining a remote workforce, especially if they have thrived without it in the past. Remote workforce technologies have expanded and remote home offices have become a necessity rather than a privilege. Unfortunately, most businesses’ policies and procedures have not kept pace with these trends. If your business needs to have employees work from home, here are a few thoughts you might consider:
- Keep an updated list of your remote employees: It’s important to know which employees are working remotely and have a detailed list of them and what information they have access to. This is crucially important in the event of any breach of an employee’s home computer or network, as it will allow you to understand the reach of the breach within your business. This information also comes in handy if one of those employees severs employment, as you would be prepared with a detailed list of the data they access.
- Identify business hardware that is deployed with your employees: An up-to-date inventory of all computer hardware, disks, media, and software that is deployed at your employees’ homes is critical. Employers should track serial numbers, product keys, and other identifying markings within their asset log to validate that all deployed hardware is accounted for. While keeping an accurate and up-to-date list may seem like a burden, it’s needed, as what is crystal clear today may not be so 2-3 years down the road.
- Update Security Policies: If you are allowing employees to work remotely, then your business security policy should reflect that. Policies help employees know what is permitted and provide an enforcement mechanism to protect your business data. Additionally, if your business is required to maintain compliance with a security standard, updating your security policy to reflect the compliance requirements while working at home is a must.
- Require Encryption: Encryption should be required for any work material being accessed at home. Most internet sites already encrypt traffic going over the internet (you can verify this by looking for the https:// prefix in your browser’s URL bar). However, employees who store information on home computers need to take appropriate measures to keep the material safely stored. This may include:
  - Purchase or configure a Full Disk Encryption software package (examples would be BitLocker – Windows, or FileVault – Mac) that encrypts the local hard disk to make sure all data stored on it is inaccessible.
  - Purchase a USB disk that requires encryption – We recommend a product called IronKey (URL: https://ironkey.com) for this purpose.
  - Disallow downloads to the local workstation. Using online file viewing and editing software means the critical data never leaves your network and thus is protected online.
- Detail Expectations for Transit: Every year laptops, hard drives, computers, and other electronic equipment are stolen from personal vehicles. We suggest that, when possible, employees load equipment right before leaving the office, travel immediately to their home, and unload the equipment. This will reduce the time the equipment spends unattended in a vehicle. While considering this policy, it is also a good time to verify whether your business insurance covers the theft or damage of business property in an employee’s vehicle.
- Create clear separation: Many homes today have multiple computers, and employees may be tempted to log in from whichever is most convenient. Unfortunately, this can create new security issues, including:
  - Other users creating vulnerabilities. Home computers are typically shared by the members of the household, and the types of sites accessed are much broader than what would be legitimately accessed on a work PC.
  - Weak security measures deployed on the home PC. Many home PCs do not meet the standards of corporate security measures. Problems may include lack of security software, missing security patches, and potentially antiquated operating systems.
  - Unauthorized access. Multiple users on a home computer may allow non-employees the ability to access business data stored on the local computer, or access shared systems using the employee’s saved credentials.
For these reasons, we highly suggest deploying regulated business computer assets at home, if a work-from-home strategy is contemplated. Having a business device at home provides clear and deliberate separation between home and work and has the benefit of allowing that device to be returned when no longer in use.
Black Cat Security Partners is ready to help you build your telework security plan. Please let us know how we can help you create peace of mind in these challenging times!