Remote Workforce Security Tips & Best Practices
18 security pros share their top tips and best practices for securing a remote workforce.
With more companies working with geographically distributed teams today, more employees are working remotely than ever before. Remote work poses unique security challenges for companies. Because employees are not physically working on-site, they're often relying on their own Wi-Fi networks and devices to access company data.
To mitigate security risks, companies must implement clear and comprehensive policies and take proactive measures to ensure the safety and integrity of company data. To gain some insight into the strategies and best practices today's companies can implement for adequate security when working with remote team members, we reached out to a panel of security professionals and asked them to answer this question:
"What are the best practices for securing your remote workforce?"
Meet Our Panel of Security Pros:
Read on to learn what our experts had to say about the best practices you should be implementing to ensure security when working with a remote workforce.
Cristian Rennella is the CTO and Co-Founder of oMelhorTrato.com.
"After 9 years of work and having gone from zero to 134 remote employees, I can assure you that the best practice for securing your remote workforce is..."
Two-factor authentication. With 2FA, each time one of our employees wants to enter our system they MUST not only enter their personal password (of at least 10 characters including numbers and symbols), but we will also send them a 4-digit code to their personal cell phone.
We implemented 2FA just five months ago, and thanks to it we have been able to reduce security problems by 38.2 percent (yes, it is working perfectly!). And this is the reason why I strongly recommend it to other organizations with a remote workforce.
Marcus Harris is a Chicago-based global technology attorney, quarterbacking a high-profile legal team for Taft Stettinius & Hollister LLP, one of the country’s oldest national law firms.
"The best ways to secure your remote workforce are..."
1. Be Wary Of Allowing Employees To Bring Their Own Devices
The risk it poses to the protection of confidential and proprietary information and trade secrets information is enormous. Without the proper policies in place, employers will have very little control of information that is on that device. This becomes problematic when employees are fired or resign.
2. Have A Policy in Place
To avoid unnecessary disputes and the costs associated with them, it makes sense to have a carefully drafted BYOD policy in place with employees. Not having a comprehensive policy invites disputes over what data/information is what, makes it hard to get back, and may compromise the protection of intellectual property.
3. Use Applications To Monitor Data Usage
It makes sense to use technology that manages and monitors data transfers and minimizes the risk of “theft.” For example, many employers allow employees to utilize their own cell phones for both work calls and work emails. They do this by utilizing applications that are controlled by the employer and allow the email functionality to be disabled when the employee leaves the company.
Abhishek Shankar is the CEO of Majime. Majime is a skilled workforce platform designed and built on blockchain.
"As working practices become more casual, comfortable, and collaborative..."
Organizations need to tighten their belts to ensure data security with measures such as:
- Content storage should be allowed on cloud only. Use cloud or web-based storage software that allows sharing and editing of documents (for example, Cisco Cloudlock).
- Network Security using proxied connection to device only.
- Endpoint security using 2-factor authentication. This adds a second level of security to important applications. Multifactor authentication uses OTP (one-time password) technology, certificate-based USB tokens, smart cards, and many more advanced security technologies.
- App security such as email and storage using on-device security apps like Proofpoint and Datamotion, etc. There are several set-and-forget email encryption tools on the market. These systems deliver end-to-end protection, taking care of everything from scanning to encryption.
- No connection is allowed with public WiFi.
- Contingency plan for risk management. If a remote worker loses a laptop with sensitive business information on it, it’s essential that the laptop can either be tracked or remotely deleted.
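The one-time codes mentioned above (a 4-digit code sent to a phone, and OTP as a second factor) depend on the server-side checks around them. As an added example, not code from any panelist or product named on this page, here is a minimal verifier with expiry, single use and an attempt limit; the class name, the 120-second lifetime and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class OtpChallenge:
    """Server-side state for one short numeric code sent out of band."""

    def __init__(self, salt, digest, expires_at, max_attempts, now):
        self._salt = salt
        self._digest = digest            # salted hash only, never the code
        self._expires_at = expires_at
        self._attempts_left = max_attempts
        self._now = now

    @staticmethod
    def _hash(salt, code):
        return hmac.new(salt, code.encode("utf-8"), hashlib.sha256).digest()

    @classmethod
    def issue(cls, digits=4, ttl_seconds=120, max_attempts=3, now=time.time):
        """Return (challenge, code); the caller delivers the code by SMS."""
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        salt = secrets.token_bytes(16)
        digest = cls._hash(salt, code)
        return cls(salt, digest, now() + ttl_seconds, max_attempts, now), code

    def verify(self, submitted):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        if self._digest is None or self._attempts_left <= 0:
            return "locked"              # used, expired earlier, or out of tries
        if self._now() > self._expires_at:
            self._digest = None
            return "expired"
        self._attempts_left -= 1         # count the try before comparing
        # Constant-time comparison avoids leaking how much of the hash matched.
        if hmac.compare_digest(self._hash(self._salt, submitted), self._digest):
            self._digest = None          # single use
            return "ok"
        return "wrong"


def guess_odds(digits, max_attempts):
    """Chance that blind guessing succeeds within the attempt limit."""
    return min(1.0, max_attempts / 10 ** digits)


if __name__ == "__main__":
    challenge, code = OtpChallenge.issue()
    print("deliver out of band:", code)
    print("correct code:", challenge.verify(code))
    print("replayed code:", challenge.verify(code))
    print("odds of guessing a 4-digit code in 3 tries:", guess_odds(4, 3))
```

With a 4-digit code there are only 10,000 possible values, so the attempt limit and the short lifetime carry most of the protection.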
Tim Bandos, CISSP, CISA is Vice President of Cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm with a heavy focus on internal controls, incident response, and threat intelligence.
"Some of the best ways to secure a remote workforce are..."
Implement Telework Policy
Typically, when it comes to securing your teleworkers, the first item on the agenda is developing a corporate policy around it. This policy should outline what’s acceptable in the form of remote access, how data is handled, what level of authorizations are available, etc. Risk-based decisions can be made here also depending on the types of devices being used for teleworking (i.e., Company Issued, Personal Laptop/Mobile, etc.). More stringent controls should be in place for devices that aren’t issued specifically by the company.
Implement Secure Remote Connectivity
Any connections made to the company should be performed through a VPN (Virtual Private Network) which either leverages SSL (Secure Sockets Layer) or IPsec (Internet Protocol Security) to encrypt communications from the remote teleworker’s machine; depending on various requirements. This both safeguards the end user along with the corporate environment to ensure no pesky adversaries are snooping in-between.
Installing an endpoint agent(s) with the ability to perform (1) data protection and (2) malware protection will provide greater assurance into securing the endpoint, especially if corporate data is allowed to reside on the machine.
Andy Gray is the Principal Consultant at Pro-Sapien. Andy's experience lies within everything SharePoint, SQL and Azure, and he is one of the founding partners of Pro-Sapien.
"Our IT team works on a tight schedule and they have multiple projects at the same time..."
Some of our developers work from home twice a week regularly, so it's been important that we have a streamlined system in place with supporting tools that allow remote work without disruption. The team has a stand-up every morning, and those who're not in the office join via video call. Video calls are also made during the day in case something needs clarification. All projects are monitored and updated on Trello, a team collaboration site. This way, every member of the team can see what their teammates are working on. In addition to this, they use Microsoft programs (e.g., Microsoft Teams, SharePoint, Outlook, OneNote, and Flow) that allow for easy communication, sharing, and automation. Security is an important consideration with remote work – we use Microsoft Office 365 which has stringent security features that adhere to ISO 27001. These tools and the culture of video calls keep the team engaged, connected, and informed.
Andy Jordan is the Special Project Lead at Mosaic451.
"Working remotely itself is not dangerous..."
It is the lack of policy and technical controls enforced by an organization coupled with the actions of the remote employee that manifest the risks into very real dangers. Consequences of poor cyber security hygiene while working remotely or while on the road can include anything from sensitive data compromise to unauthorized access into the organization's infrastructure. Secure communications while working remotely is a combination of technical solutions and controls combined with proper employee operations security (OPSEC).
When a business decides to employ a wireless network to accommodate remote employees, they are knowingly giving up a portion of physical control. It has been often stated that instituting a wireless network is like placing an open Ethernet port on your front lawn. Depending upon the methods employed to secure the wireless network, this analogy is not far off. From passive data collection via wireless monitoring to active denial-of-service attacks and everything in between, the dangers of employing a wireless network are directly related to the way a business approaches implementing and securing it.
Selecting the proper wireless security standard that is proportionate to the current and future projected scale of the network will allow for growth and ease of management. These attributes will have a net positive effect on wireless security. Providing resources for the education and training of the IT staff and onsite security personnel, often the same individuals, will provide them with the tools they need to identify the risks associated with wireless networks along with providing them the skills required to successfully manage the wireless network in a secure manner.
Performing internal audits and third-party penetration testing of the wireless network will aid in identifying gaps in security that may have been missed during wireless network implementation, as well as providing a fresh set of eyes by wireless professionals experienced in detecting misconfiguration and poor security practices. Also, educating employees of the risks and dangers associated with wireless communications, both within the corporate network and public networks, coupled with a sound employee wireless security policy that is enforced, will only serve to enhance the company's overall security posture.
Jon Hayes works with Pixel Privacy.
"When dealing with a remote workforce, the important thing to understand is that there will always be risks involved..."
The key thing is to mitigate these risks as best as possible by ensuring robust measures are in place.
The first thing you should lay out to your remote workforce is that all work data and personal data must be treated separately. Of course, your team will likely be using their personal devices to access documents and go about their daily work duties, but it's important that they aren't using personal accounts for work-related duties. For example, if writing an article, this shouldn't be stored in their own personal Google Drive. The main reason is that providing you've set up the correct business accounts for your workforce, you'll usually have absolute control over that data from your admin panel. For example, Google's enterprise solutions give you the opportunity to delete or lock any sensitive data should it fall into the wrong hands.
I would also highly consider investing in a password manager such as LastPass for business. Each time you share your password in plain text you're adding another link to the chain which can be broken. Even if your staff follow the strictest of protocols, there's nothing to say the software you're using to communicate or store this data can't become compromised. Yes, a password manager is also susceptible to this, but by confining it to one single tool, you can drastically reduce the number of places your data is able to get out.
Finally, I strongly urge simple security training. It's easy to forget just how easy it can be to lose personal data. In an age where we are so focused on remote hackers and data breaches, it's easy to forget something as simple as accidentally leaving your computer unlocked while you take a bathroom break at the coffee shop can leave your sensitive data wide open.
Keri Lindenmuth is the marketing manager at KDG. For over 17 years, KDG has been helping businesses improve their processes, their customer experience, and their growth.
"One of the best practices businesses can implement when it comes to securing their remote workforce is to use a VPN..."
A VPN encrypts data in transfer, allowing personal and confidential data to tunnel from one device to the next, away from prying eyes.
If a business decides to go with a VPN, they should ensure the VPN is from a reputable company that doesn't keep a log of your business's activity. If they do, your data may be at risk of being sold to a third-party.
Also, businesses should be aware that remote workers connecting to networks with a VPN may experience slower internet speeds. However, this is a small price to pay for the peace of mind that data is secure.
Michael Fauscette is chief research officer at G2 Crowd. He served as senior analyst at IDC for a decade, before joining G2 Crowd as their resident expert on all things digital transformation, including AI, IoT, and cybersecurity.
"With cyber-threats ranging from network hacking to ransomware..."
Providing any opening or weakness in network security can open up potential risks to reputation, to competitive advantage, and financially for violations of an ever-growing body of privacy protection laws around the world. The potential for network breach, and loss of sensitive business, customer, supplier, and employee data is particularly high. It’s hard enough to protect your business using the best security practices; opening up a single weak spot is all a hacker needs.
There are several best practices for remote workforces using other WiFi networks, including:
- Change default passwords and user names. Make them long, random, protected and carefully managed.
- Use security, but not just any default (usually WEP) security protocol, use the best available at the time, which is WPA2 at present. You can increase the protection more by also using EAP-Transport Layer Security (TLS) for more secure user authentication.
- Turn off WiFi-protected setup (WPS) to prevent bad actors from using it to breach your network more easily.
- Do not allow employees to use non-company provided networking access points and hot spots.
- If you have a “guest” WiFi network, keep it firewalled away from the rest of your network.
- Separate your WiFi from the core network also, by using a firewall.
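Several items in the list above (WPA2 rather than WEP, 802.1X/EAP authentication, WPS off, long passphrases) can be checked mechanically. The following is an added example, not code from the panelist or from any product named on this page: a small auditor for an access point configured with a hostapd-style `key=value` file. The use of hostapd, the finding names, the 16-character threshold and both sample configurations are assumptions constructed for illustration.

```python
def parse_hostapd(text):
    """Parse key=value lines; blank lines and '#' comment lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf, min_passphrase_len=16):
    """Return a list of finding names for the settings the list above covers."""
    findings = []
    wpa = int(conf.get("wpa", "0"))      # bit 0 = WPA, bit 1 = WPA2 (RSN)
    if wpa == 0 or any(k.startswith("wep_key") for k in conf):
        findings.append("WEP_OR_OPEN")
    if wpa & 1:
        findings.append("LEGACY_WPA1_ENABLED")
    ciphers = (conf.get("wpa_pairwise", "") + " " +
               conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP_CIPHER")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS_ENABLED")
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if wpa and "WPA-EAP" not in key_mgmt:
        # Pre-shared key only. The EAP method itself (for example TLS) is
        # chosen on the authentication server, not in this file.
        findings.append("PSK_ONLY_NO_8021X")
        passphrase = conf.get("wpa_passphrase")
        if passphrase is not None and len(passphrase) < min_passphrase_len:
            findings.append("SHORT_PASSPHRASE")
    return findings


# Constructed sample configurations, not taken from any real deployment.
WEAK = """
interface=wlan0
ssid=office
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=changeme1
wps_state=2
"""

HARDENED = """
interface=wlan0
ssid=office
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
wps_state=0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_hostapd(text)))
```

The firewall separation of guest and core networks in the last two bullets is outside what this file expresses and has to be checked on the router or firewall itself.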
Andrew Rawson came to Traliant with more than 25 years of experience in strategy, operations, and marketing. Most recently, Andrew served as the Global Head of Compliance Learning (eLearning) at Thomson Reuters, an information, technology, and services company with more than 60,000 employees.
"Some of the best practices to secure your remote workforce include..."
Encrypting devices, making sure the company network contains secure connections, and updating passwords on a regular basis. These and other practices will allow a company to secure its remote workforce better. The more security you need, the more steps should be taken, such as considering a cloud-based storage system or incorporating automatic updates into your system. The more steps you have in place, the greater your security for your remote workforce will be.
Earl White is the Co-Founder of House Heroes LLC, a real estate investment company that buys property (houses, vacant land, condos, apartments) and either flips or rents them.
"We take security very seriously, taking the following steps to secure our remote workforce..."
Company Paid Password System: I directly pay for business accounts of industry standard password protection services. Because we fund it, it is an absolute requirement that company related login information is stored and accessed only via this service. We selected 1Password, but there are quite a few password storage services.
Transfer Login Information Via Telephone: Employees are never allowed to share passwords in writing. Whenever a password is provided to an employee, it is done via telephone and directly inputted into the password protection service. After it’s inputted into the password protection system, the password never needs to be typed out again.
Two-Factor Authentication: Our website is perhaps our greatest asset. It would be devastating if our password fell into the wrong hands. I installed two-factor authorization to ensure you could only enter our website after providing both the password and a verification number sent via SMS.
Segmented Access To Passwords and Client Information: The reality is no matter how secure we make our systems, either intentional or unintentional security breaches may occur. For this reason, employees only receive login information for the systems they need access to. As to client information, employees have carefully tailored access to their specific assignments. Should a security problem arise via that employee, the damage is mitigated.
Ian McClarty holds an MBA from Thunderbird School of Global Management. He has over 20 years executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Solutions.
"It comes down to the kind of work they are doing for you..."
If there are medical records involved, there are very specific requirements as to how their remote work environments need to be set up. Things like the computer should not be facing a door or window where others can see the screen, etc. From a tech side:
- Have an MDM on the computer they use.
- Enforce encryption and use a secure enclave if possible.
- Implement a CASB with advanced location-aware MFA (MultiFactor Authentication such as OKTA). Use CASB for access to SAS and on-prem apps.
- Use a VPN to connect back to the office, not RDP. Prefer a Citrix based solution in a shared application mode.
- Have them sign an acceptable use policy that dictates their use of that machine, including that NO ONE ELSE can use it for non-business purposes.
- Do not give them elevated privileges on that machine.
- Lock down all ports – no USB, etc. unless necessary.
- Have an automatic check-in process, where if not checked in, in ‘x’ timeframe, you'll auto-wipe the machine.
Nate Masterson is the Financial Manager for Maple Holistics, a company dedicated to all-natural and cruelty-free personal care. Backed by an education in finance, Nate has been able to pursue both his professional and leisurely passions by working with Maple Holistics on becoming a leader in e-commerce.
"There are many benefits to assembling a remote workforce as an employer..."
Besides being affordable on its own, the cost benefits of having a lot of staff working from home are enormous. For starters, most employees view working from home as a privilege, so they are going to be as productive if not more productive to keep the freedom you’ve just given them. On top of that, office drama is cut to a minimum because everyone has enough space to breathe. But how do you ensure that your sensitive information stays secure when working out of office? VPNs.
Virtual private networks or VPNs are networks that extend across public wires to connect multiple users to one shared and secured network. VPNs are indispensable for companies with offices around the globe and employees who work from home. In general, private networks will throw off a lot of would-be intruders, help you remain anonymous, and make it significantly more difficult to spot you. Today, when the mobile work community seems to be growing at an exponential pace, VPNs are a must-have.
Perttu Ojansuu is a Finnish entrepreneur and is the CEO and co-founder of Happeo (formerly Universe), a digital workplace platform aiming to unify disparate communications and tooling. Previous to this, Perttu also founded Gapps, the leading Google Apps Partner within Finland.
"Shadow communications apps are quite common in remote workforces..."
With many employees turning to sites such as Whatsapp, Facebook, and Google Sites for sharing knowledge, information, and sometimes even company confidential information. Without proper contracts in place with vendors, businesses can't secure the potentially confidential data that is shared on these platforms. This is why my number one tip for tackling this is ensuring an integrated, secure, and accessible tooling system is in place to handle communications, knowledge sharing, and collaboration. If you provide the tools your colleagues are searching for, there will be less reliance on their own platform usage.
Steve Pritchard is an IT Consultant for Africa Travel.
"Be sure to encrypt all emails, which are often the first target for cyber-attacks..."
Spam and phishing emails are received daily, and while most of us know not to fall for it, you should never take that chance.
This is especially important if your remote workforce includes the likes of customer service employees, who handle not only your company’s information but also your customers'. It’s very easy for hackers to disguise a malicious email to look like a standard customer enquiry, and if your employees are receiving hundreds of emails a day, it’s unlikely a disguised spam email will stand out to them.
Encrypting all emails will make certain that the content is disguised, which will protect any sensitive information that may transpire during an email conversation and only the intended recipient will be able to see it.
Dave Nevogt has created several million-dollar companies, and is the co-founder and the current CEO of Hubstaff, a time tracking software for freelancers, remote teams, and on-site work crews.
"Securing your remote workforce can be a challenge..."
Dr. Gene Lloyd is the Director of Lloyd Research Institute.
"Anyone who works remotely should be..."
Utilizing different encryption methods to keep organizational data and communications secure. At a minimum, connections to the organization's network should be established through a Virtual Private Network (VPN) connection. Encrypted text messages and email are also freely available and easy to set up on Apple and Android mobile devices, as well as laptops. And current smartphone technology also has built-in encryption for the device that can be utilized by simply turning it on. Using these methods will provide a great level of security that is incredibly difficult to break into, and is easy enough to configure that there is really no excuse not to implement these technologies.
Joseph Robison is the Founder & Chief Consultant of Green Flag Digital.
"I offer digital consulting to clients remotely and have a fully remote team. Some tactics that have worked for us are..."
1) Encrypted password management
As a remote team, you need to share logins for scores of sites. While tempting to send passwords via email, we all know that's not secure. LastPass has an encrypted password management system that makes password sharing among teams very easy. You simply share individual passwords with team members and they don't ever see the actual password. If any team member leaves, you're good to go.
If your remote team is spread throughout the world, it's hard to manage which ISPs their internet traffic is running through and what the security level is. VPNs mask IP addresses and make locations untraceable, a must for your remote team.