COVID-19 has required many people to suddenly work from home. But that doesn’t mean businesses can get lax on their security. As a matter of fact, with a distributed workforce using devices not previously managed and secured by the business, security has become a big problem for most businesses. Many companies face the question of how to continue operating, sharing resources, and communicating, all while securing multiple locations. To make matters worse, the technical differences between many homes and offices mean that many remote workers may not be able to easily implement the same level of security as the office can.
To help your employees better secure their home computers, here are some things to consider.
A Virtual Private Network (VPN) creates a secured tunnel between two locations. This tunnel allows you to securely access resources (computers, data, email, etc.) over the Internet that lie at the other end of the VPN tunnel. For example, a VPN between your house and the office allows you to securely reach across the Internet from your home into the office to access files sitting on the office file server.
Another use of a VPN is to force remote workers to go through the business firewall / network for Internet access. This allows the business to apply security measures to remote workers’ Internet access, just as if they were sitting in the office.
In order to do this, however, you need to make sure you are using a “full-tunnel” VPN, not a “split-tunnel” VPN. A full-tunnel VPN is more secure, but it can add serious congestion to the office network and Internet bandwidth, so make sure your office infrastructure is ready for it.
A split-tunnel VPN adds a security hole to the business network. A split-tunnel VPN allows your employees’ non-work related Internet activities to skip the VPN and business Internet connection, thus relieving that extra load on your network. However, since your employee’s computer straddles both a non-secured Internet connection and a secured connection to your office, any malware that comes into the remote computer via the non-VPN connection can make its way back through the VPN to the inside of the business network (sneaking in behind your business firewall), spreading itself to the computers there. There’s a trade-off to consider.
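One way to audit which mode a remote worker’s VPN client is actually in, as an added example that is not part of the original article. It assumes WireGuard client configs (the article names no VPN product), where the `AllowedIPs` list decides which destinations go through the tunnel; the sample configs, keys, host name and the mode label `full-tunnel-ipv4-only` are constructed for illustration.

```python
import ipaddress

def allowed_networks(conf_text):
    """Collect the AllowedIPs entries from every [Peer] section."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "peer" and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def covers_everything(nets, version):
    """True if the networks of one IP version add up to the whole address space."""
    merged = list(ipaddress.collapse_addresses(
        [n for n in nets if n.version == version]))
    return len(merged) == 1 and merged[0].prefixlen == 0

def tunnel_mode(conf_text):
    """Classify a client config by what it sends through the VPN."""
    nets = allowed_networks(conf_text)
    if not covers_everything(nets, 4):
        return "split-tunnel"            # some IPv4 traffic leaves directly
    if not covers_everything(nets, 6):
        return "full-tunnel-ipv4-only"   # IPv6, where available, bypasses the VPN
    return "full-tunnel"

# Constructed sample configs; keys, host name and addresses are placeholders.
FULL = """[Interface]
PrivateKey = PLACEHOLDER
[Peer]
PublicKey = PLACEHOLDER
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
# Office subnet only: everything else skips the VPN.
SPLIT = FULL.replace("0.0.0.0/0, ::/0", "10.20.0.0/16")
# Two half-ranges that together cover all of IPv4, but no IPv6 route.
HALVES = FULL.replace("0.0.0.0/0, ::/0", "0.0.0.0/1, 128.0.0.0/1")

if __name__ == "__main__":
    for name, conf in [("FULL", FULL), ("SPLIT", SPLIT), ("HALVES", HALVES)]:
        print(name, "->", tunnel_mode(conf))
```

The third sample shows why a simple string match for `0.0.0.0/0` is not enough: a config can cover all of IPv4 in pieces and still leave IPv6 outside the tunnel.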
The VPN will require some setup of hardware and / or software at both the business office and each employee’s home. If they travel with their laptop, use a software-based VPN.
Create a Business Network at Home
When possible, it’s best to separate “personal” devices from “business”. Using Virtual Local Area Networks (VLANs) you can specify which devices are personal devices and which are business devices. VLANs separate the devices into groups, and devices in one group won’t be able to communicate with devices in the other. They’ll both share the same Internet connection, but the router keeps the home stuff and the business stuff separated. This increases the security for the business. VLANs help prevent viruses that may infect home devices from crossing over to the business computer.
It’s important to note, however, this capability is largely available only in “business grade” routers (even low-end “business grade” routers). If you wish to require your remote employees use VLANs at home, it may require upgrading their routers.
Some compliance regulations may require separating home from business data. In fact, HIPAA has this requirement.
While we’re talking about this, let’s look at wifi for a minute. If your employees will utilize VLANs at home as well as using wifi, make sure you require they have a separate wifi network for home and business. The home wifi network will route traffic through the home VLAN. The business wifi network will route through the business VLAN. Like the router, your employees may have to upgrade their access points to ones that support multiple SSIDs as well as VLANs.
There are two general types of firewalls. The first is a firewall that protects the network as a whole. It may be a dedicated piece of hardware that sits between your router and the network, or it may be built into the router. Either way, the function of this firewall is to filter traffic between the local network and the Internet to make sure only the appropriate data is moving between the two.
Some of these firewalls have advanced capabilities that allow them to filter out specific websites, categories of content, scan for malware, log the Internet sites visited by your employees, and more. Every network should have such a firewall in place. For homes and businesses, this dedicated hardware firewall should be sufficient, so long as it’s an advanced firewall capable of meeting the security requirements set forth by the company’s IT team.
The second is the firewall installed on your computer (usually called a “software firewall”). It may be the firewall built into the OS itself, or a 3rd-party software. Most antivirus vendors have a firewall component as well (you may have to buy the upgrade to the antivirus product). A software firewall, installed on the computer, is good for mobile devices such as laptops and cell phones. Having a firewall installed on your computer while at untrusted networks, such as hotels and coffee shops, not only protects your computer from Internet-based threats but also from threats on the same network you or your employee are visiting. A good, properly configured firewall will make your computer completely invisible to other computers on the same network. All portable devices should have a properly configured firewall installed.
Your IT service provider needs to monitor this as well. Firewalls will log successful and failed attempts to enter or leave your network, and the data collected by the firewall can provide an indication of threats that need to be addressed.
It should go without saying, but unfortunately, people still need to hear this: every device – without exception – needs antivirus / antimalware software installed. Update your antivirus software at least once every few hours. Run the software in real-time (it’s scanning every program and file as it’s opened), and run a full scan of your entire hard drive at least once per day. Every attached device (plugging in a USB drive, for example) should be scanned before opening any files. Under no circumstances should you turn off or bypass your antivirus software.
Data stored on a memory device, such as a hard drive or thumb drive, is said to be “at rest”. When moving the data over the network, such as sending an email or downloading a file, the data is said to be “in motion” or “in transit”. In either case, the data should be encrypted so only authorized people are able to view it.
Let’s envision you want to transfer a client’s file from the business server to your computer so you can work on it. Behind the scenes, when you first connect to the server, your computer and the server agree on a method to encrypt their communication. You choose the file you want to transfer and download it. The server encrypts that file, and sends the encrypted bits across the business network, through the Internet, into and across your home network to your computer. After all the bits get to your computer, it is your computer that decrypts the data. Encrypting data in transit prevents a hacker from capturing a copy of the data and reading the contents. Even if they get all the data, all they see is random letters.
Now let’s say you have finished updating that file. You send the file back to the server where it is saved. The server will encrypt that data on the hard drive as it is saved. Should someone break into the office and physically remove the server, they won’t be able to read the contents of the hard drive because the contents are encrypted at rest. But what about your computer? Yes. Your computer also needs to have some kind of encryption in place to encrypt data at rest. Your computer is just as – if not more – susceptible to being stolen. This is especially true if you have a portable device. It is really very easy for a laptop, cell phone, iPad, etc. to be misplaced, lost, or stolen. It happens all the time.
Do we really need to mention the importance of backups? Yes. We do. So often no one does this well. Having some means of triplicating your data is crucial. And yes, I mean triplicating, not duplicating. Data loss can come from any direction at any time. You might accidentally delete a file, a virus can encrypt data and hold it ransom until you pay up, a power outage or hardware failure can destroy the hard drive. The opportunities for data loss are many, and so are the means of protecting the data.
RTO and RPO
The first step to building a backup plan is understanding your Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The RTO and RPO will tell you the thresholds your recovery plan must meet.
The Recovery Time Objective is simply how long it takes to recover your data, from the moment of data loss. For some companies, it might be OK to be without data for up to 4 hours. For others, it may be days or minutes. The RTO tells you how quickly you must get your systems operational before the business incurs financial loss. In other words: how long can your downtime be? Keep in mind to plan for a worst case scenario. Don’t think about losing one file. Think about losing entire systems. The cost of downtime includes paying your employees for their hours when they are just sitting around doing nothing.
The Recovery Point Objective is how old the recovered data is allowed to be, counting back in time from the point of failure. If you experience a system failure at 2PM today, is it OK for the data recovered to be from 6AM the same day? What about 12PM yesterday? The RPO tells you how often you need to back up your data.
Understanding your RTO and RPO gives you the thresholds within which your backup plan must operate to keep your business operational.
- You should have 3 copies of all data (production, plus 2 copies)
- Your copies should be stored on at least 2 types of media (local hard drive, network file server, NAS, etc.)
- 1 of your backup copies should be offsite (cloud storage)
Let’s imagine your employee is working on a really important spreadsheet, and something goes wrong. Maybe a virus encrypted it, along with all the other files on that computer. No problem. You have a second copy of that overwritten data on a network attached storage (NAS) device. You can grab it, and copy it back to the original location. Done. Because that copy is local, it’s a quick and easy restore. If you had your second copy on the same computer, that virus that encrypted all the files on the computer would also encrypt that second copy. This is the importance of utilizing a different medium for holding your second copy of the data.
Having one copy of your data off-site protects you from a site-wide cause of data loss. Think of a fire. You come to work one morning to find the office has burned down. What happens to your computer holding your data? It melts. What about the backup copy stored on the external USB drive in the drawer? It melts, too. Now what do you do? Having a copy of your data off-site gives you a means to recover your data. It may be slower than a local copy, but you don’t lose your data. While we’re at this: having a backup in a “fire-resistant” safe at the same location as your primary data may sound good, but it doesn’t equate to an off-site copy. Fire-resistant safes have a time and temperature threshold, above which they can’t protect what’s inside. You really must have an off-site copy of your data.
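The RTO/RPO thresholds, the three copy rules, and the two loss scenarios above (an infected computer, a fire) can be checked together against a written backup plan. The following is an added example, not part of the original article; the RPO of 8 hours, the RTO of 4 hours, the data size, the restore speeds, the dates and the device names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Copy:
    name: str
    device: str         # physical device holding the copy
    site: str           # where that device sits
    media: str          # media type
    taken: datetime     # when the copy was last refreshed
    gb_per_hour: float  # assumed restore speed from this copy

def violations_321(copies, primary_site):
    """Return which parts of the three copy rules this plan breaks."""
    problems = []
    if len(copies) < 3:
        problems.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        problems.append("fewer than 2 media types")
    if not any(c.site != primary_site for c in copies):
        problems.append("no off-site copy")
    return problems

def recover(copies, failure, data_gb, rpo, rto, lost_device=None, lost_site=None):
    """Take the newest copy that survives the loss and compare it with RPO and RTO."""
    alive = [c for c in copies if c.device != lost_device and c.site != lost_site]
    if not alive:
        return None                                   # nothing left to restore from
    best = max(alive, key=lambda c: c.taken)
    data_loss = failure - best.taken                  # work that has to be redone
    restore_time = timedelta(hours=data_gb / best.gb_per_hour)
    return {"from": best.name, "data_loss": data_loss, "restore_time": restore_time,
            "meets_rpo": data_loss <= rpo, "meets_rto": restore_time <= rto}

# Constructed sample plan: failure at 2 PM, NAS copy from 6 AM, cloud copy from noon yesterday.
FAILURE = datetime(2020, 6, 2, 14, 0)
RPO, RTO, DATA_GB = timedelta(hours=8), timedelta(hours=4), 200
PROD = Copy("production", "pc-1", "home", "internal-disk", FAILURE, float("inf"))
PLAN = [PROD,
        Copy("nas", "nas-1", "home", "nas", datetime(2020, 6, 2, 6, 0), 400),
        Copy("cloud", "cloud-1", "cloud", "cloud", datetime(2020, 6, 1, 12, 0), 20)]
# The weak plan from the text: the only backup lives on the same computer.
BAD = [PROD, Copy("second copy", "pc-1", "home", "internal-disk",
                  datetime(2020, 6, 2, 6, 0), 400)]

if __name__ == "__main__":
    print("3-2-1 problems:", violations_321(PLAN, "home"), violations_321(BAD, "home"))
    print("infected PC:", recover(PLAN, FAILURE, DATA_GB, RPO, RTO, lost_device="pc-1"))
    print("fire:", recover(PLAN, FAILURE, DATA_GB, RPO, RTO, lost_site="home"))
    print("infected PC, weak plan:",
          recover(BAD, FAILURE, DATA_GB, RPO, RTO, lost_device="pc-1"))
```

With these assumed numbers the plan passes all three copy rules and survives the infected computer, yet the fire scenario misses both thresholds, because the only surviving copy is a day old and slow to download.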
If you have employees working from home, you have to ensure your backup plan accounts for their home systems as well, and your data which they are keeping at their home.
You might consider a policy that forbids any employee from saving company data at their house. They can download it and work on it at home, but the final saving of the data should be onto a server at the office. There should be no company data saved in any form on an employee’s home device. This benefits you in a couple of ways.
First, you can better track and secure your data. This limits the opportunity for private or confidential data to leak out to unauthorized users.
Second, you can limit your backup strategy to those few systems that hold the critical company data. This makes for a more efficient backup strategy that can be better managed.
There is no single plan that works for every business. RTO and RPO along with the 3-2-1 Rule give you the structure within which to develop your backup strategy. Using this structure, you can define which systems need what kind of protection. Some systems may need images taken every couple of hours. Other systems may only require data copies every day. Whatever the plan is, make sure it includes the following:
- Understand all the systems to protect;
- What will the backup methods, schedule, and location be;
- How and when will the backups be tested;
- Who is responsible for testing backups;
- How will the testing be performed and documented;
- What is the process to report a data or system loss;
- Who is responsible for recovering systems and data?
Your plan should be fully documented and available to all invested parties. It should be reviewed no less often than yearly. All employees should be trained on the procedures for identifying system or data loss and who to contact.
You will see this mentioned as “two-step authentication”, “multi-factor authentication”, “2FA”, or “MFA”. It doesn’t matter what it’s called, it’s all the same. In the world of security, there are three factors of authentication (“authentication” meaning how you prove you are who you claim to be): something you know, something you have, something you are. Using any 2 or more of these is multi-factor authentication. The more you use, the more confidence the system has in believing you are who you claim to be.
You probably have a bank account and with that, a login username and password to access that account online. Your username (typically your email address) is how you tell the bank who you claim to be. Now you have to prove that (authentication). Usually that’s with a password (something you know). If the password matches what the bank has on file, you are in. But that’s only one authentication method. What we know is passwords alone – regardless of length or complexity – are insecure.
If you take only one thing away from this section, make it this: Using a password alone is simply not enough, regardless of how “safe” the site may say it is. Without 2FA, you have NO security. Period. Anyone saying otherwise is either lying to your face or they are incompetent. Either way, do not work with them.
So we need to beef up our security. The way we do that is by adding another form of authentication – something you are, or something you have.
The something you are is biometrics. This includes retina scans, facial recognition, fingerprint scans, voice prints, etc. If you use your fingerprint on your phone to unlock it or verify a purchase, that’s biometrics – something you are.
More often however, when it comes to logging in to sites and applications, the second form of authentication will be something you have. This includes SMS codes sent to your phone, one-time use passwords or codes generated by an app, etc.
Side Note: Many sites will send a text message to your phone with a 6-digit code. Do not trust this form of 2FA. SMS messaging is insecure.
If you have any resources that your employees log in to, they must use 2FA. It is that simple. That includes logging in to their own computers. Everything should use 2FA. I know, the reality is not everything supports 2FA right now, and you may not be able to get around that. For some reason, bank websites frequently don’t use 2FA. If you can’t get around that and absolutely have to use the resource without 2FA, make sure you document the business need that is so great it’s worth the risk of exposing all that information to the world. Not using 2FA is hands-down a security risk that must be acknowledged, understood, and accepted by you and you must document why that’s an acceptable risk.
The lack of using 2FA to log in to a resource means anyone can impersonate a legitimate person to gain unauthorized access to confidential data.
Phishing emails are emails sent by a hacker to a broad number of people. These may be many people in the same company, or many companies. The idea is, the hacker is casting one line into a big pond of fish, hoping one will bite. And bite they do. So many people respond to phishing emails, that it is now the number one means for a hacker to gain unauthorized access to a network.
When you think of phishing, you might first think of the Nigerian prince who just needs a little help moving his money around, and he’ll reward you greatly for it. You think you won’t fall for that old trick. And you are probably right. But we’re past those days now. Hackers are smart. Today, phishing emails look exactly like a legitimate email you might get from your bank, doctor’s office, financial adviser. They’re really, really good. There are some tricks you can employ to identify these malicious emails, but if you aren’t seriously questioning and investigating each and every email, you will bite one day.
The good news is there are plenty of training programs available. These programs intentionally send phishing emails into your company and track who clicked or responded (don’t worry, these are simulated phishing emails, so no harm comes when they click these). The business manager can get a report of who’s being hooked, and who’s not. What categories of emails catch your employees better than others? And with all that comes training.
Phishing training will teach your employees how to identify phishing emails, how to handle them safely, and the training program will continuously test your employees to make sure they’re improving their awareness.
Every employee, whether remote or not, should be on some kind of phishing training program.
What makes for a good, strong password? Most likely, you think about 8 or more characters; a mix of upper and lower case, symbols, and numbers. A recent study by the US National Institute of Standards and Technology says that in today’s world, that just isn’t the case.
They revised recommendations for passwords to include:
- Not requiring periodic changing of a password. Only change the password when you suspect it has been compromised.
- Length matters. Passwords are exponentially more difficult to break with each added character. An 8-character complex password is easier to break than a 12-character not-so-complex password. Make it long, and memorable.
- Use a password manager tool. Password managers allow you to create extremely long, secure passwords that are unique to each resource (no more using the same password, or variations of the password at different sites). And the best part is, you don’t have to remember them. The password manager does all the heavy lifting for you.
Many devices come from the factory with a default username and password combination. This makes the initial setup easy, but most people don’t change this. It is imperative that the first thing you do is change the username and password to any Internet-connected devices, especially your router. If you haven’t done this before, take a minute and do it now.
Make sure your employees have done this for their home equipment as well. Home users are likely the weakest link to your security framework. Most home users don’t take the time to change the login information for their router. If the hacker can get into the router, they will have access to all the devices on the network (both the “home” and “business” networks, if you are using VLANs) and through them, across the VPN bypassing your business firewall and into your office computers. Consider how many remote employees you may have, and that’s how many very weak points of entry hackers now have to bypass all the security you’ve paid a lot of money to implement.
The security of the operating system and software you use is always a top concern. Keep your OS and all software up-to-date with the latest security patches from the vendors.
This is an area your IT service provider can help a lot. It’s worth considering requiring your remote employees provide your IT service provider with remote monitoring of all their home computers and devices, so they can ensure they’re up to date.
Homes create some unique concerns for managing the physical security of remote devices. Store devices in secure locations. Family members shouldn’t have any username or password to log in to the computer. If it’s a shared computer, then each family member should have their own login. In fact, the employee should have one login for doing work and another for doing personal computing. If possible, lock computers behind a door, or cable them to a desk to hinder theft.
Video conferencing is growing in use because of the number of people working remotely. Even as we get back to work in our offices, many businesses are making efforts to allow their employees some flexibility in working part-time from home. Many schools implemented video conferencing as part of their at-home curriculum. It’s clear that video conferencing is here to stay.
There are a myriad of video conferencing solutions available. All will promise they’re secure, but as we’ve seen in a recent report from the FTC, you really have to rely on the vendor’s word that the product is secure. Make sure whatever conferencing tool you’re using is provided by a name you trust and keep the software patched with the latest security updates.
When participating in a video conference, make sure you have no sensitive information on your computer desktop (should you share your screen), on your desk, or in view of your camera (look at the table surfaces behind you!). If you are the meeting creator, password-protect the meeting so unauthorized people can’t join in, and don’t allow participants to enter the meeting ahead of you.
HIPAA requires some special care and documentation when it comes to working remotely.
Be sure your technology documentation notes the use of home computers, where each one is located in the home, and who has access to it. Computers shared by other members of your employees’ households should use a separate user account for work purposes, to which only the employee has the password. This account should not be an administrator-level account. Have your IT service provider ensure the computer meets all the technical security requirements of the business, just as if this were a computer at the office. They should be as tightly integrated into any home network and/or computer as they are for the office.
Point of Contact
Every remote worker should have the name, phone number, and email address of the proper IT support team should they have any issues. Remember that just because they’re using a home computer for work doesn’t mean you can have just anyone service the computer. That computer has access to your business and client confidential data.
Get The Help You Need
With today’s COVID-19 crisis, businesses are learning to be flexible in when, how, and where employees are working. This flexibility creates added concerns for the security of the company’s data and the data of their clients. A more distributed workforce means more opportunities for data loss and unauthorized access to the data. Data is much more at risk now than before. If you have compliance policies to maintain, that job just got much more difficult.
If you need help with any of this, have questions, or would like a second opinion of what your current IT provider is doing, please call me today.