Maintaining information security when employees work from home
In recent years, an increasing number of businesses have employees who work remotely or work from home. In the wake of COVID-19, this trend has become a new norm across the world. This arrangement promotes social distancing and offers benefits for both employer and employee. However, without proper protocols, tools, and training, remote workers can expose a business to serious privacy and security breaches. Fortunately, today's technology combined with clear guidelines can mitigate the risks and protect both businesses and individuals.
Solutions and Best Practices
When employees work from home, businesses should consider how information will be shared, stored, and destroyed. Every organization should provide employees who work from home with the training and education to handle information properly, and the tools necessary to be successful. Three main areas represent the greatest vulnerabilities and require dedicated attention: devices, networks and accounts, and physical records. A business which provides employees with clear guidance and appropriate tools in these areas will very likely meet a standard of reasonableness and limit its legal exposure if a breach ever does occur.
Always adhere to basic security protocols. This is true whether a business provides workers with company devices (phones, computers, etc.) or employees use personal devices. The following is a list of the minimum requirements we recommend every business have in place. Depending on your needs, additional protocols may be required.
Locking and Security
The first step in device security is keeping devices locked. Configure every device to lock automatically after a short idle period and to require a password (or a biometric) to unlock. Next, enable full disk encryption, so that a lost or stolen device does not expose the data on it. Modern operating systems ship with it (BitLocker on Windows, FileVault on macOS, LUKS on Linux); free standalone options include VeraCrypt and DiskCryptor. Do not use TrueCrypt: its developers abandoned it in 2014 and it no longer receives security fixes. Companies can also provide access to a more advanced, centrally managed paid option. When in public spaces such as libraries, airports, or hospitals, laptops can be physically secured with a Kensington lock.
Any device with access to the internet should have a firewall enabled. A host firewall blocks inbound connections that nothing on the device should be accepting, which is the main exposure for a laptop on a home or public network. Firewalls are built in to every major operating system, but they are sometimes switched off, so users should double-check that they are enabled. It may also be wise for companies to provide employees with a managed firewall configuration, which ensures everyone has the same level of protection.
A firewall does not inspect the email attachments and downloads that most malware arrives in, so every device also needs antivirus or endpoint protection software. Its job is to detect malware, block it from running, and remove it. Companies should provide access to a trusted product such as Kaspersky or Bitdefender. At the very least, the business should publish clear guidelines requiring employees to run antivirus software, along with a list of approved options such as McAfee or Norton; the Microsoft Defender protection built into Windows is also an acceptable baseline when it is kept enabled and updated.
Updates to operating systems and software are essential. They not only keep devices running smoothly but also install patches for critical vulnerabilities, which attackers start exploiting soon after a fix is published. Install updates promptly. In most cases, updates can be set to install automatically at a set time, for instance in the middle of the night when the device is not in use. This applies to browsers, office suites, and VPN clients as well as the operating system itself.
Back Up Data
The point of securing devices is to secure the data they contain, and a large part of data security is storage. Essential business operations and legal mandates require certain types of data to be retained for a set period of time, so require an established and secure backup method for all employees who work from home. When using an external drive, encrypt it, require a password for access, and keep it somewhere other than next to the laptop it backs up. Cloud storage is also a viable backup option, but it must be protected with strong authentication and access to information limited to users based on need. Test restores periodically; a backup that has never been restored is an assumption, not a safeguard.
When a device reaches its end of life, it should not be left in a drawer or box to sit indefinitely, and it should not be resold unless extra steps are taken to render all data unreadable. Deleting files and, on an unencrypted device, a factory reset do not erase data; they simply mark the space as free for new information. (On a device that was fully encrypted from the start, a reset that destroys the encryption key does make the data unrecoverable, which is one more reason to encrypt from day one.) Even wiping programs can leave data behind, especially on SSDs, where overwrites do not reliably reach every cell. We recommend physically destroying hard drives and memory chips by crushing and shredding. Other device components can be recycled with no risk of data falling into the wrong hands. Learn more about the dangers of reselling devices by watching this brief video.
Securing Networks and Accounts
Once appropriate steps have been taken to secure devices, attention needs to turn to how those devices connect to the internet and how the various services they use are managed. Here are our suggestions for securing networks and accounts when employees work from home.
A strong password is still the first line of defense for information security. Every company and worker should take password security very seriously. Businesses should create guidelines and educate employees on how to create and store strong passwords for all devices, networks and accounts.
Every user for every account needs a unique and strong password. Passwords should NEVER be shared with others or reused across accounts. Unique per-user credentials allow companies to trace any breach or abuse to a specific user, and no reuse means that if one password is stolen, no other account becomes vulnerable along with it.
Current guidance (NIST SP 800-63B, for example) favours long, memorable passphrases over short passwords dressed up with symbol substitutions. Replacing letters with numbers and special characters adds little, because password-cracking tools apply exactly those substitutions automatically, and composition rules push people toward predictable patterns; length is what matters. Better still, use a password manager. These can generate and store long random passwords built from numbers, special characters and both upper and lower case letters, so nobody has to remember them. There are several options: Dashlane includes a free tier for individuals and multi-user plans for businesses, and Keeper is another proven business option.
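As an added illustration of the points above (this is example code written for this page, not something from the original article or from any of the products it names), the following Python shows a password policy of the kind NIST SP 800-63B describes: a minimum length, a blocklist check that first undoes the common symbol substitutions crackers try, and a passphrase generator built on a cryptographically secure random source. The word list and the blocklist are constructed stand-ins; a real deployment would use a large word list such as the EFF long list and a breached-password corpus.

```python
import math
import secrets

# Constructed mini word list. A real list (e.g. the EFF long list, 7,776 words)
# gives about 12.9 bits of entropy per word.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble",
]

# Constructed blocklist standing in for a breached/common-password corpus.
BLOCKLIST = {"password", "letmein", "welcome", "qwerty", "companyname"}

# Substitutions that cracking rule sets apply automatically. Reversing them
# shows that "P@$$w0rd" is simply "password" as far as an attacker is concerned.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def deleet(candidate: str) -> str:
    """Lower-case the candidate and undo common letter-to-symbol substitutions."""
    return candidate.lower().translate(LEET)


def check_password(candidate: str, min_len: int = 12) -> list:
    """Return the list of policy failures; an empty list means acceptable.

    Deliberately no composition rules (must contain a digit, a symbol, ...):
    length and a blocklist are what 800-63B recommends.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if deleet(candidate) in BLOCKLIST:
        problems.append("matches a blocklisted password once substitutions are undone")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    return problems


def generate_passphrase(words: int = 5, wordlist=WORDLIST) -> str:
    """Pick words with secrets.choice (CSPRNG), never random.choice."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, charset_size: int = 94) -> float:
    """Entropy of a uniformly random password over a charset (94 printable ASCII)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    print("P@$$w0rd ->", check_password("P@$$w0rd"))
    print("passphrase:", generate_passphrase())
    print("5 words from a 7,776-word list: %.1f bits" % passphrase_entropy_bits(5, 7776))
    print("10 random printable chars:      %.1f bits" % random_password_entropy_bits(10))
```

The two entropy figures make the article's point concrete: five words from a 7,776-word list (about 64.6 bits) are roughly as strong as ten fully random printable characters (about 65.5 bits), and far easier to remember, while a substituted dictionary word is caught by the blocklist no matter how many symbols it contains.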
While a strong password is the first defense, two-factor authentication or two-step verification can save the day if a password does fall into the wrong hands. These methods add an extra layer of security by requiring that logins (or at least logins from new devices or locations) pass an additional verification to confirm that the login is from the correct user. This verification can be a code sent by email or text message, a prompt or one-time code from an authenticator app, or a biometric method such as facial recognition or a fingerprint scan. Some accounts also allow a physical method, such as inserting a USB security key to complete a login from a new computer. Not all second factors are equal: codes sent by text message can be intercepted through SIM swapping, and any one-time code can be phished in real time, whereas a FIDO2/WebAuthn security key binds the login to the genuine site and resists phishing. Prefer an authenticator app or a security key where the service supports them.
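The one-time codes produced by authenticator apps are time-based one-time passwords (TOTP, RFC 6238). The following Python is an added example for this page, not code from the original article or from any authenticator product: it derives a code from a shared secret and the current 30-second window, and shows the server-side check, including the two details a practitioner has to get right (tolerating a little clock skew, and refusing to accept the same code twice). The secret is the test key from the RFC, so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, for_time // step, digits)


class TotpVerifier:
    """Server side: accept the current window plus `skew` windows either side,
    and never accept a window at or before the last one that succeeded
    (this is the replay protection most naive implementations forget)."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, skew: int = 1):
        self.secret, self.digits, self.step, self.skew = secret, digits, step, skew
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # already used, or older than the last accepted code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_counter = candidate
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))   # RFC vector: 94287082
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, now)
    print("first use accepted:", v.verify(code, now))
    print("replay accepted:", v.verify(code, now))
```

A real deployment stores the per-user secret encrypted at rest, provisions it to the app via the standard otpauth URI or QR code, and rate-limits verification attempts; with six digits and a three-window tolerance an unthrottled attacker needs only a few hundred thousand guesses.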
Secure WiFi Routers
Hopefully, by now everyone knows not to use unsecured WiFi, but many are lulled into a false sense of security on their home WiFi network. When not set up and monitored correctly, a home WiFi router represents a significant security risk. Here are a few steps employees who work from home can take to reduce the risk of a breach via their WiFi router.
First, change the passwords: both the administrator password for the router itself and the WiFi passphrase. Most routers ship with default credentials, often printed on the device, and many people never change them. Second, set the router's encryption to WPA2 or, if available, WPA3. Avoid WEP, which has been broken for years and can be cracked in minutes. Third, allow the router to install firmware updates automatically. Fourth, disable any unused features and services, such as WPS, UPnP, and remote administration from the internet, to remove unnecessary exposure of your home network. This is not a definitive list, but it is a great place to start to limit the risks associated with home routers. For a more complete guide on securing routers, we recommend this article by Comparitech.
Secure Remote Access
Many businesses use remote desktop tools, most commonly Microsoft's Remote Desktop Protocol (RDP), to give workers access to a company network. These can be secure, but security researchers have repeatedly found vulnerabilities in remote desktop software, particularly in RDP on Windows, and internet-exposed RDP is a favourite entry point for ransomware operators, who simply guess passwords until one works. Never expose RDP directly to the internet: place it behind the VPN described below or a remote desktop gateway, enable Network Level Authentication, require multi-factor authentication, lock accounts out after repeated failures, and patch promptly. Choose a tool carefully and review its security every six to twelve months to ensure it is keeping pace with security developments.
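The password guessing described above is also easy to spot if someone is looking. The following Python is an added example for this page, not code from the original article: it runs simple detection logic over a constructed, flattened excerpt of Windows Security log events (event 4625 is a failed logon, 4624 a successful one, and logon type 10 is a remote interactive, i.e. RDP, session; real events carry the same values as named fields in XML or in the event viewer). It flags a source address that fails five logons within a minute, and any success that follows such a run, which is the moment an analyst actually needs to act.

```python
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"   # RemoteInteractive

# Constructed sample log, one event per line, flattened to key=value fields.
SAMPLE_EVENTS = """\
2024-03-04T09:00:01 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2024-03-04T09:00:02 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2024-03-04T09:00:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2024-03-04T09:00:05 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2024-03-04T09:00:07 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2024-03-04T09:00:09 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2024-03-04T09:15:00 EventID=4625 LogonType=10 TargetUser=mlee SourceIP=198.51.100.20
2024-03-04T09:15:30 EventID=4624 LogonType=10 TargetUser=mlee SourceIP=198.51.100.20
2024-03-04T09:20:00 EventID=4625 LogonType=2 TargetUser=mlee SourceIP=127.0.0.1
"""


def parse_event(line: str) -> dict:
    """Split '<timestamp> key=value key=value ...' into a dict with a datetime."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def detect_rdp_attacks(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return (kind, source_ip, target_user, time) alerts.

    kind is 'brute_force' when one source reaches `threshold` RDP failures
    inside the sliding window, and 'success_after_brute_force' when that same
    source then logs on successfully while the failures are still in the window.
    """
    recent_failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("LogonType") != RDP_LOGON_TYPE:
            continue                        # ignore console/service logons
        source, when = event["SourceIP"], event["time"]
        failures = recent_failures[source]
        while failures and (when - failures[0]).total_seconds() > window_seconds:
            failures.popleft()              # drop failures that fell out of the window
        if event["EventID"] == FAILED_LOGON:
            failures.append(when)
            if len(failures) == threshold:  # alert once when the threshold is crossed
                alerts.append(("brute_force", source, event["TargetUser"], when))
        elif event["EventID"] == SUCCESSFUL_LOGON and len(failures) >= threshold:
            alerts.append(("success_after_brute_force", source, event["TargetUser"], when))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(*alert)
```

On the sample, 203.0.113.7 trips the brute-force rule on its fifth failure and then logs in as jsmith two seconds later, producing both alerts; the single failure from 198.51.100.20 followed by a success is ordinary user behaviour and stays quiet. In production the same logic would run in the SIEM, and the second alert kind should page someone.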
Vet Cloud Services
Cloud services are a great option for sharing and storing data and for collaboration. Most cloud services allow permissions to be set per user, so that employees can only access the information they need, which limits the extent of any breach. The right cloud tool can even be used in lieu of remote desktop access. Another benefit is that the security of the underlying platform becomes the responsibility of the service provider. Be clear about where that responsibility ends, however: under the shared-responsibility model the customer still owns account security, access permissions, and the data itself, and remains legally accountable for it. Before choosing a cloud service, we strongly recommend following this guide created by the National Cyber Security Centre in the UK.
Use a VPN
A virtual private network (VPN) encrypts all internet traffic between the device and the VPN server, rendering it unreadable if it is intercepted along the way. This protects data sent through a home or public WiFi router and prevents snooping by attackers on the same network, ISPs (internet service providers), or even governments. Note what it does not do: traffic is decrypted at the VPN server, so beyond that point it is protected only by the application's own encryption (HTTPS, for example), and a VPN does nothing against malware or phishing. For business use, the VPN should normally be one the company operates, so that remote workers reach internal systems through it and the company controls who can connect; a consumer VPN service only protects the path to that provider. An employee can affordably choose their own VPN service for personal browsing, or the business can select a VPN tool that can be made available to multiple users.
Securing Physical Records
One of the most overlooked areas of security is the treatment of physical records. This is especially true when employees work from home. While the majority of attention is given to securing digital records and their communication, all of that work could be for nothing if an employee prints a physical copy and fails to properly secure and destroy it. Printed copies are not the only risk. If employees take handwritten notes containing protected or confidential information, that record represents a possible breach. While paper may seem outdated, and it is possible for remote workers to remain completely paperless, every business should have clear guidelines explaining what can be put on paper, and how that paper should be stored and destroyed.
Create Storage and Retention Guidelines
Just like digital records, certain physical records must be retained for a set period of time called a retention period. When documents reach the end of their retention period, they should be securely destroyed. The burden is on companies to provide employees with clear guidelines on what to keep, how long to keep it, and how to properly dispose of it. For instance, a company may require that all records be shredded, burned or otherwise rendered unreadable.
Avoid the Garbage
Hackers may cause mass damage when they strike, but any amateur criminal can dive into a dumpster to find paperwork. It is foolish to spend time, energy, and money securing digital assets only to have a dumpster diver breach your security. Trash cans and dumpsters can be a gold mine for identity thieves and scammers. With that in mind, NEVER place whole documents containing business relevant or protected information, whether correspondence, printed documents, or handwritten notes, in the garbage.
Avoid Office Shredders
To be clear, there is nothing innately wrong with a small office shredder. However, they give people a false sense of security. Many people believe that once documents are shredded, the shredded paper can safely be placed in the trash. All too often, shredded paper is placed into a small trash bag all by itself and left outside with the rest of the trash. A bag full of shredded paper is like a big neon sign saying "take this!" Small amounts of shredded paper can be reconstructed with relative ease, and the long ribbons from a strip-cut shredder especially so; a cross-cut or micro-cut shredder is the better choice. If you choose to use an office shredder, it is important to mix shredded paper directly in with other trash, ideally across different bags on different days.
Use Certified Service Providers
A certified shredding company is often the best solution to provide convenience and peace of mind that records have been properly disposed of. If employees are in the same geographic area, your business can distribute shred bags to employees to fill and either drop off at a central location for the company or for each employee to take directly to a shredding facility. In the event employees are spread out around the country or even the globe, the business should provide clear guidelines for selecting a shredding service provider.
Simplify and Mitigate
Employees who work from home should do everything in their power to secure their data and prevent unauthorized access and breaches. However, developing solid and consistent security protocols and guidelines, as well as training and education, is the responsibility of the business. Employers should NOT leave important security decisions in the hands of disparate employees. Instead, there should be clear steps and processes in place for everyone to follow.
Remember, no system is perfect, but risks can be mitigated. Taking reasonable steps makes your business and employees a more difficult target for criminals, and can also demonstrate a standard of reasonableness if a breach leads to legal entanglements. Meeting this standard can mitigate legal liabilities if you can show the court that your business took real and consistent steps to address known risks. For information on laws and regulations dictating the use and disposal of documents, see the Laws & Compliance page.