How to Maintain Security When Employees Work Remotely

Thanks to major advancements in technology over the past 40 years or so, the modern workforce is no longer tied to a single location and is able to work from virtually anywhere in the world. This remote work revolution has changed lives, enabling employees to develop a healthier work/life balance and put their best foot forward, while employers enjoy the cost savings of not having to pay for physical office space and the ability to hire from a much larger talent pool. In light of COVID-19, remote work has taken on even greater significance, enabling businesses to weather economic uncertainty and workers to keep their jobs without having to put their health on the line.

Although remote work has become commonplace — the number of people who telecommute in the U.S. increased 159% between 2005 and 2017 — it does present certain security challenges that businesses have yet to overcome.

Most American business leaders — 86% of C-suites and 60% of SBOs, to be exact — believe that the risk of a data breach is higher when employees work remotely. In spite of that, an alarming 26% of IT professionals report that their organization does not have a formal policy for ensuring information security while working remote, leaving them vulnerable to risk.

It’s safe to say that remote work arrangements aren’t going away any time soon — quite the opposite, in fact. That means that organizations need to figure out how to maintain security when employees work remotely. We’ve put together this blog post to help you get started.

Common Remote Work Security Challenges

Even under the best of circumstances, remote work can present certain security challenges.

First and foremost, remote work makes security everyone’s responsibility. That’s great news if every employee is equally invested and has the same tools, resources, and skills to identify potential security threats, but that’s rarely the case. Your employees are likely preoccupied with other aspects of their job, and understandably so, especially if they’re just settling into a work-from-home routine. Also, shifting responsibility to the individual without implementing security policies or providing the necessary tools or training invites trouble.

Which brings us to our next item: Employees aren’t always able to recognize scams. Phishing scams, spoofing attacks, fake alerts, and the like can be so deceptive that even the biggest names fall for them. COVID-19 has only added fuel to this fire: On average, during the first half of 2020, four out of 10 Coronavirus-themed emails were tagged as spam, with fraudsters impersonating government, health, and financial institutions. Without proper training, your remote employees could unwittingly fall into a cybersecurity trap.

It doesn’t help that employees often use unsecured public Wi-Fi when logging onto work devices. Although COVID-19 has made this practice less commonplace — at least, for now — it remains a major concern for businesses everywhere. And if you’re thinking, “Well, at least we have our virtual private network to protect us,” you’re in for a bit of bad news. Although they provide extra layers of security, VPNs can be easily overloaded and overwhelmed, especially now that more people are working from home than ever before. This can cause slowdowns that leave your business vulnerable.

There’s also the matter that remote work can cause staff to lose sight of security priorities. There’s a lot that goes into setting up work-from-home arrangements, which can take up most of your IT team’s focus and cause important security measures, such as patching, to fall to the wayside. And without supervisors present to monitor their activity, employees are more likely to be lax about security protocols.

Ultimately, it can be difficult to apply existing security policies to remote work scenarios — difficult, but not impossible.

Remote Work Security Best Practices

Whether your workforce is currently remote or you’re looking to make the transition in the near future, here are some best practices to help safeguard your business:

1. Establish and enforce a data security policy. According to Hanlon’s razor, “never attribute to malice that which can be adequately explained by incompetence.” You can apply this mental model to how your employees handle company data: Although internal security breaches can and do happen, they’re far more likely to be the result of an employee mistakenly mishandling sensitive data than intentionally doing so.
   
   The easiest and most effective way to avoid this issue is to draft a policy document that clearly outlines the different security protocols you expect employees with comply with, as well as the consequences of non-compliance. It’s also important that you explain to employees how the company intends to support compliance (more on that in a moment). Once employees have signed this policy document, be sure to hold them to it.
2. Equip your employees with the right tools and technology. Establishing a work-from-home security policy is just the start — now it’s on you to ensure that your employees have the tools and resources they need to remain compliant. From a VPN to a password manager to antivirus software, make sure your remote employees have all the tools they need in their arsenal, so they can spend less time worrying about compliance and more time focusing on getting the job done.
3. Frequently update your network security systems. It’s not only vital that any device that remote employees use to access company or customer data be equipped with network security systems, such as firewalls, antivirus software, and spam filtering tools, but also that those systems be kept up to date. You might even consider investing in a mobile device management platform so that, if a device is lost or stolen, you can remotely wipe them of any sensitive data.
4. Regulate the use of personal devices. Speaking of devices, in today’s tech-savvy world, many organizations have some sort of bring-your-own-device (BYOD) policy in place. While BYOD is great for many reasons, it does pose certain security risks for remote employees. For example, personal devices might not be password-protected or use outdated antivirus software. To that end, if your company has a BYOD policy, you might want to restrict it to employees located in the office and require your remote workforce to use employer-provided devices.
5. Institute a “Zero Trust” approach. The folks over at Microsoft have developed an approach to network security that revolves around one simple principle: never trust, always verify. Known as the Zero Trust approach, it provides protection “by managing and granting access based on the continual verification of identities, devices and services.” You can institute your own Zero Trust approach by treating each remote access request as though it originated from an uncontrolled network and authenticating it accordingly.
6. Make sure all internet connections are secure. That means no unsecured Wi-Fi networks allowed. Now, that doesn’t mean your employees are forbidden from working at their local neighborhood coffee shop from time to time (that is, once it’s safe to do so). Instead, make it clear to your staff that, should they decide to work in a public space, they are expected to use your company’s VPN to secure their connection.
7. Don’t overload your VPN. As we mentioned earlier, VPN overload is a common obstacle to remote work security. There are a few ways to avoid overloading your VPN and prevent much-dreaded VPN slow down:
   • Look for a VPN provider with a large server network
   • Change your VPN server location, preferably to one closer to your actual location
   • Manage VPN traffic with split tunneling
   • Keep track of who’s using your VPN, and when
   • Prioritize VPN use for specific services
8. Require employees to use strong and varied passwords. Did you know that, according to a survey from the National Cyber Security Centre (NCSC), some of the 10 most common passwords are “123456,” “qwerty,” “111111,” and — perhaps most embarrassingly — “password”? Weak passwords pose a major security risk to your organization, especially when remote work is involved, so it’s important that you advise your employees to use strong and varied passwords and to avoid reusing passwords.
   
   “Password re-use is a major risk that can be avoided — nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favorite band,” says Ian Levy, NCSC Technical Director. “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”
   
   To make it easier for your employees to remember these various passwords, invest in a password manager in order to keep track of everything and safely store passwords in a digitally encrypted vault.
9. Utilize multi-factor authentication. Multi-factor authentication (MFA) requires users to provide multiple different types of information in order to verify their identity. Common examples of MFA include security questions, push notifications, personal identification numbers, and biometrics. Two-factor authentication is, perhaps the most well-known form of MFA, and is an easy way to ensure remote work security.
10. Monitor employees’ remote work practices. In an ideal world, your employees would always observe remote work security best practices, however, this isn’t the case. Whether intentional or otherwise, remote staff sometimes fall short of expectations; such security risks should be identified and addressed as soon as possible. There are any number of remote monitoring systems on the market to keep an eye on your employees’ activity; it’s simply a matter of determining which one is right for your organization. To avoid feeling like Big Brother, let your employees know well in advance that you intend to track their activity to ensure that they’re complying with the company’s remote work security policy.
11. Train your employees well and supply them with robust IT support. Solid remote work security measures start with the proper training. Provide your employees with cybersecurity awareness training, and make sure your IT team is on hand to assist your remote workforce with any security-related concerns.

Ensure Remote Work Security with Hitachi Solutions

Here at Hitachi Solutions, we appreciate just how important your company’s data security is. We’ve had numerous clients approach us asking how to maintain security when employees work remotely and how to manage data access. The answer to those questions is Windows Virtual Desktop.

With Windows Virtual Desktop, you can enable remote employees to securely access a desktop or line-of-business applications using their work credentials or configure controls so that certain data can only be accessed via a registered work device. Windows Virtual Desktop is easy to deploy and manage within your existing environment and, with Hitachi Solutions’ support, you can design desktops and applications to align with existing user profiles, security processes, and remote access controls. Windows Virtual Desktop boasts an impressive array of security features, including multi-factor authentication and user validation, and even includes the Microsoft Graph Security API to scan for potential threats.

Best of all, Windows Virtual Desktop doesn’t require you to open ports in your firewall and potentially expose your data to exploitation in order to establish connections. Since Microsoft manages all of the front-end infrastructure and only uses secure, SSL-encrypted connections, your data is always safe.

Boost your remote work security today — contact Hitachi Solutions to get started.