UPDATED Checklist: Follow These Steps to Securely Transition Employees to Work from Home

The technical infrastructure that’s set up within the formal boundaries of your organization is tangible, reachable, and typically more trustworthy. What’s more, it is the support system that protects your organization’s most critical and sensitive information assets. That’s why most CISOs can get uneasy when it comes to remote access, and understandably so. Remote access, by design and definition, should raise questions and concerns regarding cybersecurity.

Follow these steps and you'll go a long way in minimizing the cybersecurity risk of your remote access infrastructure.

Getting Started

• A remote access policy should serve as the foundation of your remote access infrastructure and acceptable use of it. Ensure that you have one in place that clearly delineates and emphasizes the protection of your information, intellectual property, and equipment.
• Start from the ground-up. Review your network diagram and data flows. Identify the remote access entry points. Segment the networks that can be accessed remotely in order to limit your risk by design. Remember, the resources that are made accessible should be the minimum required for users to perform their jobs. If additional access is needed at a later stage, use a formal change management process to identify, review, authorize, and grant such access.
• Ensure that all laptops have automatic updates enabled. Disable all unnecessary services and functions such as webcams and ports which are against your security policies. All laptops should have password-protected screensavers that kick in after two minutes of inactivity. Ensure that laptops have remote data backup mechanisms in place. Ensure that you provide your employees with organization-assigned laptops that will be used for remote access. That way you can uniformly and centrally institute the same levels of security across all machines. Remember to do the following:
  • Ensure that all laptops have a reputable anti-virus software and firewall installed.
  • Use hardware-level encryption.
  • Consider employing two-factor authentication as it significantly reduces your risk.
  • Install privacy screens on all laptops.

Guidelines for Employees

• Provide concise and actionable guidelines to your employees regarding working from home. Ensure that they know and implement the basics.
  • A wired network connection is preferable over a wireless one.
  • If they must use WiFi, they need to take basic security precautions related to the router. Changing the factory default credentials and ensuring that they use, at least, WPA2 encryption with a strong passphrase is a good starting point.
  • They shouldn't connect to any other WiFi network but, instead, use their mobile phones as hotspots in case of emergencies. Ensure that employees know they shouldn’t connect to public WiFi networks, such as the ones at coffee shops or public libraries, or even WiFi networks of their neighbors.
  • Discourage the use of wireless printers at home. If they do have such printers, the security precautions that apply to WiFi routers would need to be applied to these printers as well.
  • A clean desk is just as important when working from home.
  • When walking away from the computer, they need to lock the screen just like they would if they were at work.
  • If they have young children at home, they need to be extra careful to keep work devices out of their reach at all times.
  • They should use organization-assigned USB storage devices at all times.
  • Ensuring the physical security of work-assigned equipment and assets is critical as well. Be sure that employees lock away machines/devices safely and don’t forget them in their cars or other places.
  • It’s best that employees do not access social media from work devices. Ensure that organization-assigned devices already block such mediums. The Human Resources department should also provide guidelines to employees on what is acceptable versus not acceptable to post on social media in relation to the organization, even if it is from their personal devices/accounts.
  • Here are some basics that employees need to keep in mind to protect themselves from attacks such as Phishing:
    • When you see a link, don’t rush to click it. Instead, mouse-over it and you’ll see a tool-tip that shows you where the link is really taking you.
    • Do not open attachments or click on links in emails that purport to provide helpful information related to the Coronavirus. Refer to official and reputable sources such as the Centers for Disease Control and Prevention (CDC).
    • If you suspect that you’ve clicked a malicious link, opened a malicious attachment, or that your machines is infected, report it to the IT Security department immediately.

Secure and Control Access

• From a remote access standpoint, only allow and use secure protocols such as SSH, HTTPS, SCP, and so on. Ensure that insecure ones like FTP, Telnet, HTTP, TFTP, and so on are completely disabled.
• Use a robust VPN implementation to provide employees with remote access. Ensure that you enforce the VPN connection before employees can access organizational resources.
• Your firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) should work in tandem to ensure that unauthorized and insecure remote access tools are completely blocked at the organization’s network perimeter itself.
• If third party vendors and/or contractors will be using remote access as well, ensure that additional monitoring, authentication, and robust logging are deployed.
• Ensure that you enable two-factor authentication wherever it is available. Features such as Network Level Authentication (NLA) in Windows should be enabled as an extra layer of authentication. And remember to have a reasonable account lockout policy in place.
• Consider employing clientless remote access solutions as well as single sign-on. These can go a long way in reducing the amount of time, resources, and overhead spent behind the nuts and bolts of a remote access infrastructure.

Patch, Backup & Monitor

• Your backup management processes and procedures are critical. Recovering from backups can be very important in situations like a ransomware attack on one of the employee machines. Ensure that you have ongoing backups in place that include both onsite backups as well as remote backups to a secure co-location facility.
• Good change management and patch management processes and practices are even more important when it comes to remote access security. Ensure that remote access infrastructure, both hardware and software, is fully patched and updated at all times. Each patch/update should follow a formal change management process wherein changes should be tested in a test environment and monitored before applying the changes to the production environment.
• Employ strong privilege and access management practices by using solutions that track, audit, log, and monitor all remote access requests, approvals, and revocations for all users.
• Factor in the implications of regulatory and standards compliance when it comes to remote access and ensure that you are checking all the required boxes.

Know Where You Stand

• Perform deep-dive, comprehensive security configuration reviews of all technical infrastructure elements across your organization. Include every single technical infrastructure element from the well-known firewalls, routers, switches, workstations, servers, databases, emails, VoIP, anti-virus and anti-malware solutions to the often-overlooked printers, cameras, telephones, and Internet of Things (IoT) devices. Ensuring that each individual component of your technical infrastructure is fully locked down and secure is absolutely critical as the whole is a sum of its parts.
• Penetration testing is a crucial piece of the puzzle. Ensure that you perform ongoing penetration tests at a network, application, mobile device, and IoT device level to unearth vulnerabilities in your infrastructure that malicious actors can exploit. Social engineering assessments are also critical to identify the human weaknesses in your cybersecurity chain.

Implement Detection Practices

• A good Security Incident Event Management (SIEM) tool is almost a necessity today. Ensure that you set up configurations, alerts, and actions meticulously and monitor the SIEM at all times. If you don’t have a SIEM, implement compensating detection controls to the extent possible.
• Set up an easy-to-remember, email address and phone number where employees can reach out to report cybersecurity issues.
• Ensure that you have a robust incident response plan in place that is tested at least quarterly. The tests should include a mix of table top exercises as well as live simulation testing. After each such test, document the lessons learned and leverage these to make adjustments and enhancements to your original plan.
• Perform data breach assessments at least once a quarter. These assessments help you identify if your technical infrastructure has suffered an undetected data breach. Oftentimes, hackers break into organizational networks and lay low with the intention of passively stealing sensitive information on an ongoing basis. A data breach assessment can nip such disastrous situations in the bud.
• If you suspect you’ve had a data breach, it is vital to follow a formal digital forensic investigation process. Doing so shows you did your due diligence and heightens chances you can prosecute perpetrators of the attack.

The decision to provide remote access to your organization’s information assets can throw up a lot of variables as far as cybersecurity is concerned. But it doesn’t have to become your Achilles Heel. Do it right and it can bring flexibility and productivity to your organization.