March 24, 2020
How Businesses Can Securely Work From Home
(Note: this is an updating story. Check back for more.)
As the world continues to deal with the global health crisis, businesses have turned to remote work to help keep their employees safe and still maintain regular business operations.
With the increase in remote work, companies will have to prepare in various ways to avoid cybersecurity risks or interruptions to business. “When supporting a remote workforce, understand that security controls shift. Therefore, firewalls, DNS, and IDS/IPS could be ineffective when employees head home. Most environments that support VPNs should be able to protect the remote user, be sure to account for the bandwidth of users and remote desktop sessions,” said Dan Garcia, Senior Information Security Engineer II at Datto.
CISA's VPN Guidance
The Cybersecurity and Infrastructure Security Agency (CISA) released an alert on 3/13 to encourage organizations to adopt a heightened state of cybersecurity. According to the CISA, remote work options require an VPN solution to connect employees to an organization’s network. The CISA encourages organizations to review the following recommendations when considering alternate workplace options:
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices.
- Alert employees to an expected increase in phishing attempts. See CISA Tip Avoiding Social Engineering and Phishing Attacks.
- Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery. Per the National Institute of Standards and Technology (NIST) Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, these tasks should be documented in the configuration management policy.
- Implement MFA on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords. (See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.)
- Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
- Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns.
CDC Best Practices
The CDC has released some best practices for a disease outbreak plan:
- Review human resources policies to make sure that policies and practices are consistent with public health recommendations and are consistent with existing state and federal workplace laws (for more information on employer responsibilities, visit the Department of Labor’s external icon and the Equal Employment Opportunity Commission’s external icon websites).
- Explore whether you can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others if state and local health authorities recommend the use of social distancing strategies. For employees who are able to telework, supervisors should encourage employees to telework instead of coming into the workplace until symptoms are completely resolved. Ensure that you have the information technology and infrastructure needed to support multiple employees who may be able to work from home.
Tips from Datto MSPs
In addition, we spoke with some Datto partners to get their best practices and advice for how businesses can remain secure through and potential remote work scenarios.
- Use a Secure WiFi Network: If possible, you should work on your secure, private home network instead of relying on public WiFi. If you send your data through an unsecured WiFi connection, you lose the power of privacy making it possible for cybercriminals to intercept your data. You may be putting personal information at risk if you are accessing your email account or sending sensitive data over a public WiFi network. It’s essential to ensure your network is secure through the use of a VPN and a strong password that isn’t easily cracked. According to Andy Katz, Network Solution Engineer at Datto, the main issue in public WiFi is the potential for eavesdropping. “If you connect to a public WiFi environment that doesn’t require any authentication using WPA you’re network communication has many elements in the transmission that go over clear text and there is also a greater potential for rogue APs that can attempt to get in the middle of transactions that you would typically trust such as a VPN or banking website.
Brian Weiss of ITECH Solutions recommends MSPs advise businesses to rely solely on company hardware and connecting through a VPN. “The only time we allow a personal device to be used is in the case of an end-user accessing their company computer via a secure remote desktop application like LogMeIn with MFA enabled. Security patches and software updates should always be maintained on company-owned computers. In the event of BYOD computers or devices, ITECH requires these to be under contract with monitoring, endpoint security, and management of security patches,” said Weiss. Learn more on the ITECH Solutions blog.
- Secure Your Home Workstation: Ensure you have fully patched and updated anti-virus and anti-malware software. It’s important to follow the same best practices you would as if you were in the office, and report any suspicious activity or concerns to internal IT or your MSP. According to Patrick Murphy of Results Technology, these are some key areas to ensure you’re secure. For more tips, check out their blog.
- Coordinate With Your Internal IT or MSP: When working remotely, it’s crucial to continue your typical cybersecurity best practices and reach out with any questions or concerns. According to Steve Stokes, Business Development Director at UK-based Aura Technology, users should coordinate with their internal IT department or MSP prior to working remotely. “If you have a company-provided laptop, this should be straight forward, but if you have to work from home and use your own computer, your IT department or MSP will advise you whether this is possible and if so, how to do it securely.”
For the latest information, follow the CDC information page with FAQs, situation updates, and more.