6 Ways to Secure Your Distributed Workforce
Since COVID-19 safety requirements forced employees to work remotely, IT security risks have shifted. Employees and their machines are no longer in secure environments with protected servers and firewalls. Instead, data is being accessed on personal devices, through a range of networks, using a variety of collaboration tools.
Bad actors are seizing the opportunity to take advantage of not only the sheer number of distributed workers, but also their unfamiliarity with new work-from-home (WFH) environments. At a recent Facebook Live event, we virtually “sat down” with Axcient Partner Elon Grad, the Vice President of Technology and Innovation at Platte River Networks, to discuss best practices for securing and managing a distributed workforce. Axcient’s Senior Vice President of Product, Ben Nowacky, joined the conversation, with Corey Banner, our Director of Customer Success, as the moderator.
Utilize these safety steps within your own MSP, but also encourage clients to take these precautions within their organizations. Regardless of industry or mission, all businesses have to rethink the structure of their company within our new WFH environments.
1. Update BYOD and acceptable-use policies.
Many companies had ‘Bring Your Own Device,’ or BYOD, policies in place prior to the pandemic, but with everyone remote, now is the time to revisit those standards. Employees who haven’t been out of the office may not be familiar with expected safety precautions in the first place. Plus, with entire families at home now, people may be using their work computers to access their children’s virtual classroom, an online gym, cooking class, concert, or other non-work-related sites.
In addition to establishing how company machines should be used, businesses need to ensure they still have access in case something is compromised. Can the company remotely wipe the device? What happens if a device is lost? How is the company identifying threats an employee may overlook?
With unprecedented times come unprecedented rules and regulations. Revisiting your BYOD and acceptable-use policies at a time when nearly everyone has taken their machines and devices home will allow you to address all possible scenarios and be prepared, rather than surprised.
2. Revise corporate policies.
Similar to BYOD policy updates, companies should also revisit their corporate policies for the new work environment. Spear-phishing attacks are on the rise as people are less likely to notice them among a slew of new business practices, and in their less-formal home environment.
Hackers are taking advantage by asking for specific data in emails, like gift card codes or wire transfers. Whereas in the office an employee might take a short walk to someone’s desk to get confirmation before divulging the information, at home it requires more time and effort to email for validation. To accommodate new family responsibilities at home, not all employees are online at the same time, which can add waiting time for confirmation. And if these requests are routine, they don’t get much scrutiny in the first place. So the well-intentioned employee completes the request to get it done, and poof, that data is compromised.
Adjust your corporate policies to require validation and authorization before completing these types of requests. If external stakeholders are involved, set new expectations with them around turnaround time, and explain why new security protocols are in place. Look for other potential holes in your corporate policies where you may need to tighten up the process to avoid giving bad actors an opportunity.
3. Implement multi-factor authentication (MFA).
As you update your policies, consider adding multi-factor authentication if it’s not part of your password requirements already. Elon says, “MFA is the easiest and most cost-effective way to secure a large group of people.” No, it’s not bullet-proof, but it can be a deterrent for bad actors and catch malicious actions before it’s too late.
While you’re examining your password policies, make sure you have robust requirements in place. Regular password updates should already be standard in your company, but you may increase the frequency and difficulty requirements for password changes. Now is the time to tighten routine security protocols to thwart the spike in cyber-attacks.
4. Discuss opportunities with your solutions provider.
Many solutions providers were offering low-cost or no-cost tools when the WFH requirements were implemented. There may be existing tools, like adaptive authentication approaches, that you weren’t using before but that are more relevant to the new environment of your business. Additional security controls, like an alert to tell if someone is attempting access from a specific IP address, location, or country, and at what time of day, can be beneficial in thwarting an attack.
Hopefully you have a close relationship with your solutions provider and feel supported by the partnership. If your provider isn’t already reaching out with new features or available tools, consider the value they’re adding to your business.
Ben says, “Axcient has been continuing to audit the security, and tighten our network and applications. We’ve increased our internal and external security testing by a factor over the last couple of months for that double-edged security.” Additionally, since security is always a focus at Axcient, we’ve concentrated on delivering the features our partners need to be efficient. We want to give our partners time in their day to review their policies, check their RMM, and communicate with employees.
Elon emphasizes, “Partner enablement is essential. If we didn’t have that good partnership we have with Axcient, it would have made it really hard for us to move as quickly.”
5. Take a holistic approach to network security.
It’s easy for MSPs to manage a single network in an office, but with employees working remotely, you’re now responsible for managing 80 to 90 different networks. These include everything from a DSL connection to gigabit Ethernet, along with various firewalls and routers, depending on each employee’s setup. To put it simply, network security has gotten tricky.
Elon suggests taking a holistic approach to managing it all. First, identify all the ways people are accessing the data: not just the environment, but the data, workloads, or applications that are business critical. Then, put controls and security measures in front of that. Strong password policies, MFA, a dialed-in single sign-on (SSO) process, or utilizing a Cloud Access Security Broker (CASB) are all positive controls that you should have in place now.
6. Continue end-user security training.
Hopefully you and your clients have been providing ongoing security training for employees as a standard practice, but if not, now is the time. Threats such as malware, phishing, and spear-phishing attacks look different than they did three months ago. Cyber criminals are capitalizing on the relaxed WFH environment, widespread use of new tools, unsecured environments, devices and machines, and the number of people they can now target. Successful attacks are rising, and training has never been more important.
Collaboration tools like Zoom and Teams, which may be new to some users, are a novel entry point for bad actors. Once an unknowing employee clicks a disguised meeting link, or tries to access what they think is a shared file, the system is compromised. Train your employees to both identify these attempts and alert your security team to the effort. Utilize a training method that is engaging, continuous, relevant to your environment, and provides tests. The tests show you just how vulnerable your business-critical data is, and will give you an idea of where more emphasis is necessary in training.
About the Author:
Liz Mellem // Technical Copywriter, Axcient
Liz Mellem has been a freelance copywriter for over three years in the technology, education, and alternative medicine industries. She produces content, sales collateral, and email marketing campaigns that contribute to digital marketing strategies for sales growth and brand awareness. In her free time, Liz enjoys reading, exploring Austin, and Netflix with her cat, Harlem.