Work from home Security Checklist for employers and employees

 Whether remote working or sat behind a desk in a corporate office, company employees need to be more vigilant than ever to avoid cyber security issues. If we can offer an initial few words of advice to computer users in this day and age, it would be to be sceptical, cautious, untrusting, and alert. That said, the data security challenge presented by the increasing number of people working from home needs particular attention. 

In this article we’ve drawn up a security checklist for any organisation with a remote work force, but would encourage business owners to research further to tailor processes and procedures to their own organisation.

Computer Hardware

Home workers may be using non-company devices to access data, it may be their home PC used to access business systems, or their mobile phone or tablet used for accessing email.  Here are some security issues to consider.

Check Specification of “own” devices

• Where possible we would recommend employers providing all the necessary equipment for people remote working in order to ensure company policies can be strictly applied. If that isn’t possible or practical then we recommend the following security measures.
• Ensure that devices have supported Operating Systems and that they receive automatic updates. Some of the biggest virus outbreaks have been attacking out of support versions of Windows.
• Check local antivirus has been installed and is receiving updates and new virus definitions. Review government recommendations on antivirus software; for example using Kapersky antivirus is being discouraged by many security analysts.
• Keep other software up to date, including browsers and Microsoft Office.
• Use a Desktop as a Service solution so that employees access data and systems remotely without any data being held on local devices.

Check user account policies on “own” devices

Ideally employees working from home shouldn’t use devices that are shared with family members. Where they are (and even if they’re not) home workers should take these steps to ensure security of company data.

• Check that if using home computers that employees have dedicated profiles (user accounts) that are secured by unique and strong passwords that the rest of the family cannot access.
• Require users to set their devices to lock after no more than 5 minutes of inactivity.
• Require users to require passwords or pins on their devices.
• Users should avoid using local administrator accounts on their computers for day to day activity as these have elevated privileges which can be used by Malware as part of their attack.
• Try to remove or rename local default administrator accounts. Malware will look to logon as “admin”, changing the name will thwart its attempts.
• Home routers need to have unique passwords and people should never stick with the factory set default administrator accounts and password unless it is clearly unique i.e. if a router has admin/admin to logon to it with then change it.   Home workers should also check and update the firmware of the router to make sure they have the latest security patches.

Checks for company supplied devices when used remotely

• Company supplied computers when used in a home office may not be “managed” in the same way as those on site. Laptops and other portable devices have their own unique vulnerabilities in terms of theft.
• Remote workers should separate work and personal devices where possible. Employers should be aware that workers with something like a work Microsoft 365 accounts and email addresses on their personal mobiles may have access to company documents and files which could be at risk if the phone gets stolen. If those files include Personal Data then that may constitute a data breach in the eyes of the ICO.
• Employees should never use personal storage or messaging apps for company data.
• Utilise tools included on phones and tablets such as “Find my device” and “Remote Wipe”.   Always wipe devices before disposing or selling them.
• Use encryption on devices, for example Bitlocker on Windows PCs or FileVault on Apple Mac.
• Ensure devices are installed with the company procured/approved antivirus software.
• We would recommend everyone makes use of Password Managers to save and secure passwords for all services and sites they use.
• If using mobile devices on public networks such as coffee shops, hotels and airports then use a Virtual Private Network (VPN) solution to encrypt communication across that network. Also, consider the physical security of devices, for example prevention of theft from a garden or home office.

Polices, Procedures, People and Practices

We recently put a message that appeared to users as they logged on to our remote desktop solution, advising them to be extra vigilant, especially when opening attachments in emails. The very same day one user opened a .html email attachment, releasing a virus which luckily was intercepted by our antivirus software. The moral to the tale is that continuous education to employees about cyber security is vital.

• Invest in cyber security training. It is important that users at every level, office workers and remote workers, know how to recognise cyber-attack attempts, teach employees about defending against phishing attacks, spear fishing, whaling attacks, typo squatting attacks, and other common hacking methods.
• Educate employees not to respond to emails, texts, or social media messages unless they can verify the sender, including when using personal email or messaging accounts. Hovering over links or email addresses will disclose the true URL which may not be what the words say. When viewing websites check that the page has the https padlock in the address.
• Train employees to use strong passwords, and to always use unique passwords for each system or service they use. Never to use the same password twice, never use passwords or pins that relate to individuals such as birthdays, car registration numbers, or house numbers, and to use a good password manager app to remember all the passwords.
• Train staff to never open email attachments unless they are obvious and expected, even if from someone they know.  Don’t download executable files (.exe). Avoid browser plug ins unless they know they can trust them.   Never click through warnings in browsers or operating systems without reading and carefully considering the consequences.   Where possible only install software from the proper app store such as Google Play, Microsoft Store and Apple Store as these have processes in place to filter out malware.
• Education on Social Engineering techniques used by cyber attackers is also important. Social engineering relies on trickery rather than technology to get people to hand over credentials or to visit phishing sites.
• Review guidance from the National Cyber Security Centre
• Only allow data, especially personal data, to be sent using corporate emails solutions, never personal email or messaging accounts.  Never share company data from personal storage or messaging apps.
• Put in place processes to detect forwarding rules in emails
• Have clear, documented procedures for home workers, especially in regard to dealing with personal data. The procedures need to cover the access, handling and disposing of data.
• Take the opportunity to review data privacy and security policies, or create some if you don’t have them already. IT security policies should include things like:

• • Device hardware and operating system standards
  • Password management, length, complexity, re-use, renewal.
  • Not using personal applications to process company data
  • Data breaches, how to recognise one, what constitutes a data breach and what action to take should a breach be discovered.
• When updating privacy policies consider new communication technologies like Teams and Zoom. Control data within your organisation following the principle of “least privilege”.
• Set security permissions on data that can be accesses remotely or held in the cloud so that, unless needed, users only have read access to data as opposed to write edit or delete permissions.
• Cloud storage may on the surface appear less secure than local storage, but consider that users will try to find the path of least resistance and will stray into bad behaviour if the alternative is too hard or too time consuming.   Secure cloud storage is better than users copying data to local computers or memory sticks because they can’t access it easily remotely.
• Never enter plain text usernames or passwords into documents or other files, folders or scripts.

 

Remote Access solutions and Remote Applications

Many businesses with a remote workforce will invest in various remote access solutions. This may be a virtual private network (VPN) back to the office server, a hosted desktop or Desktop as a Service type solution, or remote applications delivered as Software as a Service solutions through a web browser. Here are some security check list items to consider in relation to remote application solutions.

• Have the most up to data version of any remote access solutions
• Where possible, use Multi-factor authentication to connect to remote services
• Implement account lockout to remote services after a number of failed logons.  Lock or disconnect connections after a period of inactivity.
• Check that cloud storage solutions have no public access to them, or no access without proper user credentials.Only staff that actually need it should be able to access remote access solutions.
• Manage how people access remote access solutions to lock them down, for example remote desktop solutions should have policies in place to prevent use of admin tools like Command Prompts or PowerShell.   User accounts should not have any admin privileges and should never use the default administrator accounts.
• Disable automatic login for devices.

The complexity and interconnectivity of modern computer systems presents major challenges for organisations, and technology is changing all the time. Who would have thought just a few years ago to consider security of personal data when sharing screens in a Zoom or Teams call. This check list is by no means exhaustive and employers should carefully consider their own environment and circumstances to see if special additional measures need to be put in place.

Your Office Anywhere are one of the country’s oldest providers of hosted remote desktop and remote application solutions  Remote Desktops go a long way towards the protection of company and personal data as while they can be accessed from anywhere, the data never leaves the service.   To find out more about managing systems on a hosted desktop please get in touch using the form below.