At the high point of lockdown, almost half of all UK employees were working from home. Businesses are starting to re-open their premises, but there is now much more acceptance of the idea of remote working.
There is plenty of technology to make working remotely just as productive as being in the office environment. However, it's also vital to make sure that remote workers are working securely as well.
Cybercriminals are always on the lookout for easy access to a business network. Make sure your remote working setup is not one of those easy wins.
To help, we have put together a work from home security checklist your business can follow. It's a list of quick checks you can complete within your business. This is not a comprehensive IT security solution, but it will support you in identifying some of the common IT vulnerabilities that we often see exploited.
General IT Security Principles
These are the basic steps you should have in place. They will form the basis of your IT security.
- The business has clear policies, procedures and guidance for staff who are remote working. Included are topics on accessing, handling, storing and disposing of personal data.
- Everyone is using the most up to date version of our remote access solution (this might be a VPN).
- Our staff know how to set unique and strong passwords and know to change them every 3 months.
- Where it's available, we are using multi-factor authentication to secure our accounts.
Cloud storage solutions allow users to access data away from the office on any device. Your staff should avoid using their own personal storage or messaging services as a way to send and receive data.
- The business cloud storage is not set to public and cannot be accessed without a username and password (or other types of authentication).
- Only key members of the business have full access to the storage area. All other employees have only been given read, write, edit or delete permission for data that is relevant to their role.
- The business is not using any default root or administrative accounts for day-to-day work. These accounts are also appropriately secured.
Cybercriminals are now focusing on the connections used by remote workers to join the company network. They will often try to access remote access solutions using privileged accounts, such as an administrator account.
- All staff, especially privileged users, have account lockouts in place. For example, locking an account after multiple failed logins.
- Generic usernames have been created for privileged accounts and all default administrator accounts have been deleted (where possible).
- Any remaining default accounts have had their passwords changed from the default password.
- Remote access is only allowed for staff that require it.
In the instance of long-term remote working your remote access solution should be behind a gateway or virtual private network (VPN).
Remote application solutions include any business applications that staff can access remotely. This will avoid employees using their own personal applications to process personal data.
- The business remote application solution does not allow access to Windows administrative tools such as PowerShell or Command Prompt.
- The business remote application solution does not allow access to shortcut keys that can be used to open non-authorised applications or features.
- Plain text usernames and passwords are not included in any files or folders.
Most applications can be set up as cloud-based so no data needs to be processed on a personal application.
Email is a convenient communication tool for remote workers. There are other collaboration tools you can consider, such as Microsoft Teams, that allow communication as well as file sharing.
- The business has reviewed and implemented the NCSC's guidance on defending against phishing attacks.
- The business has blocked the ability to add forwarding rules to external email addresses.
- All staff have been instructed to use corporate email solutions and not to use their own email or messaging accounts. These personal accounts should never be used to store or send personal data.
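As an added example that is not part of the original checklist, the following PowerShell audits an Exchange Online tenant for mailbox forwarding to addresses outside the tenant's accepted domains, which is the control the forwarding-rule item above describes, and then reads the tenant-wide setting that blocks automatic external forwarding. It assumes an Exchange Online session already opened with Connect-ExchangeOnline (ExchangeOnlineManagement module) with permission to read mailboxes and inbox rules; the helper name Test-ExternalAddress is ours.

```powershell
# Added example: audit mailboxes for forwarding to external domains.
# Assumes an Exchange Online session (Connect-ExchangeOnline) with
# permission to read mailboxes and inbox rules.

# Domains that count as internal: the tenant's accepted domains.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Forwarding values look like "smtp:user@example.org" or
    # "Name [SMTP:user@example.org]"; extract the SMTP address and
    # compare its domain with the accepted domains.
    if ($Address -match '(?i)smtp:([^\]\s]+)') {
        $domain = ($Matches[1] -split '@')[-1].ToLower()
        return ($domain -notin $internalDomains)
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding, whether set by an admin or through a compromised account.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'ForwardingSmtpAddress'; Target = "$($mbx.ForwardingSmtpAddress)" }
    }
    # Inbox rules that forward or redirect mail.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = "InboxRule: $($rule.Name)"; Target = "$t" }
            }
        }
    }
}

# Anything listed here forwards company mail outside the tenant and should be reviewed.
$findings | Format-Table -AutoSize

# Tenant-wide setting for automatic forwarding to the default remote domain (all external addresses).
Get-RemoteDomain -Identity Default | Select-Object Name, AutoForwardEnabled
# To enforce the block described in the checklist:
#   Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Get-InboxRule is queried once per mailbox, so on a large tenant expect the audit to take some time; run it on a schedule rather than interactively.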
Phishing attacks are a common route used by cybercriminals to access your network. To find out more about how they work and the best way to protect your business from them, read our Social Engineering guide.
Remote working was thrust on a lot of businesses as we went into lockdown. As we start to emerge from lockdown, many are still making use of remote working. Your business must be using a secure method for remote working.
This checklist isn't a comprehensive guide to IT security, but it will help you find the areas where you need to make improvements. Infotech can help as well: we have a free audit that is designed to show the areas where your IT security needs improving.