When employees work from home, the threat landscape for most employers changes. It may include, for example, sensitive information that needs to be handled outside the physical office’s secure environment, difficulties in providing reliable connections to many users at once, or lack of internal communication due to limited social channels.
One of the lessons learned from recent developments is that the conditions of daily operations, including work, can change drastically in a short time. As more physical workplaces close down, many companies need to create opportunities for their employees to work from home to maintain productivity and delivery capabilities.
Naturally, many companies are not equipped for all or a large part of the organization to work outside the physical office. When new working conditions are established, new security aspects also need to be taken into account in order to ensure that this can be done reliably.
The following is a list of recommended actions employers should consider when employees work from home, in addition to the usual security recommendations that are always applicable:
- Verify that employees use only their work computer / phone for work
Private devices are harder for an employer to control when it comes to antivirus, installed software, etc.
- Ensure that only employees access the work computer / phone
Bringing devices home increases the risk that they are accessed by children and relatives. This in turn increases the risk of unauthorized or malicious software being installed on the device, or of the device becoming infected through visits to unsafe websites, etc. Work devices should always have a lock screen activated and be kept out of reach of children.
- Ensure devices leaving the office have full disk encryption activated.
The attack surface changes when devices normally stored in a physically secure environment are brought out.
- Ensure correct network configuration
When connecting a Windows computer to a network outside of the office, the network should be configured as “public”, including the home network. This is to protect the computer from other, potentially compromised devices on the network.
- Ensure redundancy for internet connection
Employees should have a backup internet connection. Since ISPs normally have lower availability requirements for private users, the risk of these connections going down is higher. The easiest backup connection could be to use internet via the phone, or through a built-in mobile network card in the laptop.
- Ensure employees have multiple communication channels for easy communication
This is necessary in case one communication channel is lost, but perhaps more importantly, it enables employees to ask when, for example, they receive a suspicious email appearing to originate from a colleague.
- Be careful with temporary access solutions towards internal systems, such as RDP / remote desktop accessible from the public internet
Employees who suddenly find themselves having to work from home may be tempted to set up temporary solutions in order to access the systems they need for work. If these solutions cannot be restricted to VPN, it is important that they are appropriately secured in other ways, such as using multi-factor authentication. Also ensure they have a limited life span, so that they are not left in place and forgotten after they are no longer required.
- Verify that VPN or similar solutions for remote access require two-factor authentication
Since such solutions often provide a direct way into an organization’s infrastructure, authenticating with password only is normally not acceptable from a security perspective.
- Practice using employer-provided solutions and ensure that support for them is functional, so that no half-private shadow-IT solutions arise
Workers could tire of complicated, poorly working solutions for remote work and resort to using technology they are more familiar with, such as Dropbox or private email, thereby spreading potentially sensitive information to systems beyond the employer's control.
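
The full disk encryption and network configuration items above can be checked on the device itself. The following PowerShell audit is an added example, not part of the original article; the function name Test-RemoteWorkBaseline is hypothetical, and it assumes BitLocker is the disk encryption in use and that the script runs in an elevated session. It only reads settings and prints the suggested fix for each finding.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): read-only audit of a Windows
# work laptop. Test-RemoteWorkBaseline is a hypothetical name chosen here.
function Test-RemoteWorkBaseline {
    $findings = @()
    # Network configuration: home and other outside networks should be 'Public'.
    # 'DomainAuthenticated' is assigned by Windows itself and is not flagged.
    foreach ($net in Get-NetConnectionProfile) {
        if ("$($net.NetworkCategory)" -eq 'Private') {
            $findings += [pscustomobject]@{
                Check  = 'NetworkProfile'
                Detail = "'$($net.Name)' on $($net.InterfaceAlias) is Private"
                Fix    = "Set-NetConnectionProfile -InterfaceIndex $($net.InterfaceIndex) -NetworkCategory Public"
            }
        }
    }

    # The Public profile only protects the device if its firewall is enabled.
    $fw = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore
    if ("$($fw.Enabled)" -ne 'True') {
        $findings += [pscustomobject]@{
            Check  = 'Firewall'
            Detail = "Public firewall profile state: $($fw.Enabled)"
            Fix    = 'Set-NetFirewallProfile -Name Public -Enabled True'
        }
    }

    # Full disk encryption: the system drive must be fully encrypted AND protected
    # (a suspended BitLocker volume is encrypted but the key is exposed on disk).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted' -or "$($vol.ProtectionStatus)" -ne 'On') {
            $findings += [pscustomobject]@{
                Check  = 'DiskEncryption'
                Detail = "$env:SystemDrive is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
                Fix    = 'Enable or resume BitLocker per company policy'
            }
        }
    } catch {
        # Cmdlet missing (e.g. Windows Home) or query failed: report, do not assume OK.
        $findings += [pscustomobject]@{
            Check  = 'DiskEncryption'
            Detail = "BitLocker status unavailable: $($_.Exception.Message)"
            Fix    = 'Verify disk encryption manually'
        }
    }
    return $findings
}
Test-RemoteWorkBaseline | Format-List
```

An empty result means all three checks passed on that device at the time it was run.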