Loss Control Insights
7 Work-From-Home Data Security Problems (and Solutions!)
Workers countrywide have moved out of their office buildings and into their homes due to COVID-19. Many of these workers are working from spare bedrooms or dining room tables. With thousands of people plugging laptops, tablets and other electronics into their home networks, how do you keep company data safe from thieves, hackers and others with malicious intent?
James Boyd, EMC Assistant Vice President – Enterprise Information Security Governance, knows it isn't easy. So, he compiled a list of dangers and suggestions to help you protect your employees and systems from these threats.
This rampant and sophisticated scam is one of the top risks for both at-home and in-office employees. Many phishing emails look like they're from a reputable company or nonprofit. Sometimes, they even appear to be from someone inside your company. A simple click on an attachment or link and the scammer can capture names, email addresses and passwords through malware.
Security managers need to keep up on the latest phishing techniques and pass details on to employees. It's also a good idea to run tests to check employee reactions to fake phishing emails. For example, some companies send out periodic phishing simulations to employees. When an employee follows the link or attachment, they receive a "gotcha" message along with tips on how to avoid real scams.
Video Meeting Platforms.
Vulnerabilities of internet-based group meetings have been widely publicized, and platforms like Zoom have been hijacked in the past. Disrupters can enter a random meeting number and manage to get in, or a meeting participant might share the link with a crasher.
James urges security managers to research and apply security controls to protect their meetings from interlopers. If someone manages to get into a meeting, they could steal company secrets and user information–especially if they don't announce their presence. Security measures can include:
- Using methods of authentication
- Requiring attendee login rather than providing a direct link
- Protecting each meeting with a password
- Not allowing session recording
- Encouraging employees to avoid sharing meeting links
Lost or Stolen Devices.
When employees work in the office, they usually have desktop devices and company phone systems, which are housed in a secured building. When employees shifted to working from home, they switched to laptops and mobile phones. Both of these devices are portable and can easily disappear from an unlocked vehicle or public location. Employees must be aware of the dangers of carelessness and the use of personal items for company business.
You can also employ security settings and mechanisms to protect equipment. These include a timed lockout (often 10 minutes) with a password required to reenter, requiring a boot password, providing antivirus software on each computer and setting up a firewall for entry into your company system.
Phone protection is slightly different. You can set up a separate "container" for work-related apps and data. If a phone gets stolen, the company can "bomb" the work container to delete any company data. This feature used to be difficult for smaller companies to take advantage of, but it has recently become more affordable and attainable.
Anything plugged into a computer–a mouse, keyboard, USB or smartphone–can introduce malware into the computer system. While it's entirely reasonable to plug in a mouse or keyboard, other accessories should be limited and only used with permission from the company's IT department. IT departments of larger companies often set up notifications when an unauthorized item has been plugged in. Companies with fewer IT resources may have to rely on employees knowing the policy and abiding by the rules.
Passwords, printed materials and software updates can all be security risks if not handled properly. Employees working at home may be lax about securing passwords, assuming they are in a safe environment. This information must be kept secure, just as if the employee were in the office. It's possible a roommate or a thief could take the information and use it to access sensitive data. Additionally, some offices have shared in-office computers and passwords for certain processes. Sharing passwords puts company data at risk and should not be allowed. Employees should report any requests to share password data, even with another employee.
In the same vein, leaving printed materials on an at-home printer for others to pick up or leaving business materials visible in their workspace are risky behaviors. Similarly, emailing sensitive material from work computers to a home computer can pose dangers as family members may have access to one another's email accounts.
Updating computer software is another necessary task for maintaining security. Patches and updates may be controlled at the company level or might be a required task for employees. Vigilance keeps remote systems as safe as possible.
Distributed Denial of Service (DDOS) Attacks.
With employees working from home, hackers are targeting companies' virtual private network (VPN) circuits, sending nonsense traffic to overload a company's network. There are several steps companies can take to prevent this.
- Increase the bandwidth of VPN connections, if necessary due to the increased number of employees working from home
- Subscribe to a mitigation service to keep DDOS at bay by scrubbing out malicious traffic
- Keep redundant systems at a backup data center
These last two options are more feasible for large companies. Small companies can use a backup internet service provider instead of a data center, and very small companies may need to rely on frequent backups of their systems.
Simply put, home networks are not as safe as office networks. While many businesses have VPN-encrypted network systems for remote workers, the home network itself may not be secure. The concern lies in what can happen to the laptop before it's able to connect to your VPN with each login. Malware can run rampant over home networks, so it's vital for your employees to have a desktop firewall on their laptops.
In addition, home networks can bog down VPN networks. If employees are simply logging in to your network, it's not too cumbersome. But if they must go through the VPN for internet searches as part of their workflow, your system may be slowed down by the connections.
Many companies use split tunneling as a solution. Employees can go straight from their computers to the internet, bypassing the VPN. This reduces bandwidth use on your system and protects the VPN circuits from being overwhelmed. While this is a risk, many companies are accepting the risk as a better option than an overwhelmed network.
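To make the split tunneling trade-off concrete, here is an added example (not part of the original article) that models a laptop's route table in full-tunnel and split-tunnel mode and reports how much traffic loads the VPN and which destinations are reached directly. The company subnets, destination addresses and traffic volumes are constructed, and the model assumes company firewalls and monitoring sit behind the VPN.

```python
import ipaddress

# Constructed sample values: private ranges standing in for company networks.
COMPANY_SUBNETS = ["10.20.0.0/16", "172.16.8.0/24"]

# Constructed flows from one laptop: (destination IP, megabytes transferred).
FLOWS = [
    ("10.20.4.15", 200),     # internal file server
    ("172.16.8.7", 100),     # internal HR application
    ("203.0.113.80", 900),   # public video streaming
    ("198.51.100.23", 800),  # public web browsing
]

def build_routes(split_tunnel):
    """Return the laptop's route table as (network, interface) pairs."""
    if split_tunnel:
        # Only company subnets enter the tunnel; the default route stays on the home network.
        table = [("0.0.0.0/0", "home")] + [(s, "vpn") for s in COMPANY_SUBNETS]
    else:
        # Full tunnel: the default route itself points into the VPN.
        table = [("0.0.0.0/0", "vpn")]
    return [(ipaddress.ip_network(net), iface) for net, iface in table]

def pick_interface(dest, routes):
    """Longest-prefix match, the rule an IP stack uses to choose a route."""
    addr = ipaddress.ip_address(dest)
    matching = [(net, iface) for net, iface in routes if addr in net]
    return max(matching, key=lambda r: r[0].prefixlen)[1]

def vpn_megabytes(flows, routes):
    """Traffic volume that loads the company's VPN circuits."""
    return sum(mb for dest, mb in flows if pick_interface(dest, routes) == "vpn")

def uninspected(flows, routes):
    """Destinations reached directly; assumed to bypass company firewalls and monitoring."""
    return [dest for dest, _ in flows if pick_interface(dest, routes) == "home"]

if __name__ == "__main__":
    for mode in (False, True):
        routes = build_routes(split_tunnel=mode)
        print("split" if mode else "full", vpn_megabytes(FLOWS, routes),
              "MB via VPN; direct:", uninspected(FLOWS, routes))
```

With these sample flows, split tunneling cuts the VPN load from 2000 MB to 300 MB, and the two public destinations become traffic the laptop's own desktop firewall and endpoint protection must cover.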