Securing a Remote Workforce

Advice from DC The Computer Guy

With this outbreak of COVID-19 comes many new concerns. Among the things that keep me awake at night are ensuring that our own and our client’s data is both secure and available. I imagine this is true for many small business owners and managers. Having important data and emails available to the workforce at home, while maintaining network security, is a challenge that we all must face, especially now.

At CLARK we have a mobile workforce out of necessity. Our technicians need to be able to access information and emails while at customer sites, but now our employees are not only mobile, they are also working for home.  To ensure that CLARK’s information is secure, I have to be concerned with the security of each employee’s home network.

It all Starts with Policy

At CLARK we have, out of necessity, established a policy that our information and systems can only be accessed by devices that are owned by Clark Computer Services. Understandably, when COVID-19 hit not all small businesses were in the position to have their employees work from home and many had to rely on employees to use their personal devices. The potential security risks that come with this makes it even more important to ensure that all computers with access to your businesses systems meet minimum standards for security before gaining access. A well written policy outlines the requirements that a personal computer must meet before this access is granted.

Among these more basic requirements are password protected accounts, antivirus, lockout periods, and lock screens on wake-up.

As you can see, just managing these requirements on someone’s personal computer can be extremely challenging. Therefore, it is my recommendation – if you are in the position to do so – to restrict access to business systems and information to only computers and devices that your business owns. And if your business is required to follow government regulations such as HIPAA or CJIS, then it is critical that you ensure sensitive data is only accessed by devices owned by you.

Beyond the Policy

Make sure that every device has antivirus and is continually updated. Believe it or not, we still see computers come into our shop without any type of antivirus at all. Others come in with antivirus installed, but it is turned off or expired. And then there are those that have gone months or years without any definition updates. With a good managed service provider on your side (like CLARK) making sure that your company’s computers have current antivirus solutions being monitored for risks is easy, but when the computer is not owned by you or being properly managed, that tasks becomes almost impossible. Here at CLARK we recommend buying business class antivirus that alerts you when the agent hasn’t checked in or completed updates, that way if your employee’s computer encounters a virus, even while away from the office, you’ll be alerted.  Using business class antivirus alleviates you from worry, allowing you the comfort of knowing your information is secure!

Updates, updates, updates. Make sure your employees apply all updates, not only to operating systems like Windows, but also to all business applications like Microsoft Office. Not applying updates makes your computers vulnerable! Software companies are constantly finding exploits and providing security patches to protect you. I recommend reminding your employees at least monthly that they should apply all updates and ask for email confirmation when they have been completed.

Ask your employees to verify that their home network is protected by a firewall. The purpose of a firewall is to protect networks from intruders. They’re necessary, whether it’s your business network or a home network. Many internet providers – like Comcast and Verizon – have firewalls built into the router/modem that they provide, but some leave it up to their clients to purchase their own firewall. At CLARK we advise asking each employee to check with their internet service provider to see if their network is protected with a firewall, and if it’s not, to get one installed.

Note: Windows comes with a built-in firewall, make sure it is enabled. While not a replacement for a firewall that protects the entire network, it is a necessary layer of protection. I’ve seen too many computers with the firewall disabled, very often as a shortcut to solving a problem. By the way, disabling a firewall is never an acceptable solution!

Backups, Backups, Backups. Controlling computers in the workplace is much easier than those in a distributed environment such as the home, especially when it comes to backups. At CLARK we use cloud technologies that allow us to work off a central system whether at home or in the office, but that’s not true for all businesses. If your business hasn’t adopted cloud technologies, it may be more difficult for your workforce to share information, making it more likely to have employees saving files locally and sharing them through email. If this is the case, then it’s critical to have these computers backed up regularly, otherwise you are a hardware failure away from losing potentially critical information. We strongly recommend utilizing cloud-based backups. Before you ask, yes, using cloud-based backups can be extremely safe and secure. In fact, it is more reliable and secure than local backups – especially if you experience a catastrophic event such as a fire.

When connecting to your business network, use VPN – no port forwarding. If your workforce is connecting remotely to access files and systems, such as your finance server, it’s likely through a Virtual Private Network, or VPN. In this type of network, the VPN tunnels are encrypted connections from their computer to your business network – the encryption keeps cyber criminals from eavesdropping on your electronic communication. In the olden days it was common for IT technicians to allow traffic into the business network through a process called port forwarding. That was before cyber criminals learned how to easily find and exploit this method of remote access. Today it is considered dangerous and simply should not be used. When you allow traffic into your network, you are allowing free access to anyone anywhere in the world – not a wise decision.

Educate employees on security best practices. At CLARK we cover security topics weekly in our staff meeting. I feel that covering one topic each week increases our overall awareness and encourages best practices, not only to keep my employees devices secure but also to advise our clients on ways to keep their devices secure. Incorporating security information into meetings is easy, and that constant drip of security awareness really improves the odds of keeping information safe. You can achieve the same result with a weekly email. The key is to be consistent and informative without being overwhelming – something as simple as reading and forwarding a cyber-threat article each week. If you want to know how to get started, Google: security awareness email to employees.

Educate employees on COVID-19 scams. It’s sad that there are people looking to take advantage of others, especially when we’re all going through something like COVID-19, but it’s happening. There are numerous COVID-19 scams floating around – it’s in everyone’s best interest to be aware of these threats. This can be as easy as googling: “COVID-19 scams”.  Seriously, just Google on “COVID-19 scams” and start reading!

Important Tip
Implement two-factor authentication (2FA) wherever possible. A lot of businesses today have at least some of their systems in the cloud, like Office 365, Drobox, or a business management system. 2FA provides another layer of protection and has been shown to reducing threats like phishing attacks by 99%. Doing this one thing gives you tons of protection!

Like I’ve said many times, COVID-19 has forced us to operate under a new paradigm and my gut tells me that when this threat is finally over, we won’t go back to pre-COVID-19 normal. I believe that working from home will be much more commonplace in the future. Taking the steps now to ensure that your business information is safe, regardless of where your workforce is located will help you sleep at night. It’s well worth the time, effort, and cost!