How to Implement a Secure Telework Policy
The ongoing coronavirus pandemic has reminded organizations across most industries that teleworking is more than an attractive employee perk—it’s an essential business practice.
The problem is that many of the same organizations were forced to leave their offices and work from home so abruptly, that they have yet to put in place a formal telework policy that addresses all major remote work security threats. Your telework policy has now become a very important part of your business’s IT Security Policies and overall business security strategy.
Why Is a Secure Telework Policy Important?
Teleworking has been a growing trend for many years now. According to an analysis by Global Workplace Analytics and FlexJobs, the number of remote workers in the United States increased by 159 percent between 2005 and 2017.
“Remote work has grown steadily since 2005, as companies of all types—private, public, nonprofit, or startup—continue to recognize the bottom-line benefits of integrating remote work into their business strategies,” explained Sara Sutton, founder and CEO of FlexJobs.
However, the benefits of teleworking are attainable only if organizations keep their remote workforce protected to prevent costly data breaches and other cybersecurity incidents. Unfortunately, that’s no easy task because remote workers became the focus of cybercriminals in 2020.
In fact, 91 percent of all global respondents surveyed for VMWare’s Global Threat Report said they had seen an increase in cyber-attacks as a result of employees working from home because of the coronavirus pandemic. This grim statistic highlights the risks associated with employees working from various remote locations, often using their personal devices.
A telework policy minimizes the risks associated with remote work by laying down a set of guidelines and rules covering exactly how remote employees should engage in their duties, among other things. As such, it empowers employees with the knowledge they need to have to be both productive and secure when working from any location.
For a telework policy to be secure, it must address all major remote work security threats, such as phishing scams, Wi-Fi security, and insecure passwords, to protect against cyberattacks on employees. When choosing the specific guidelines and rules, it’s important to take into consideration the unique nature of teleworking and the fact that the average employee isn’t a cybersecurity expert.
Key Elements of a Secure Telework Policy
All secure telework policies should reflect the unique nature of the organizations behind them, but there are certain key elements that must always be present.
1. Enforce Password Security
Passwords make it possible for remote workers to access their own computing devices, remote resources, cloud-based tools, and just about everything else they need to do their work. That’s why every secure telework policy must enforce password best practices, including:
- Create sufficiently complex and long passwords that can’t be easily guessed.
- Avoid adding any personal information to your passwords.
- Use a different password for each account.
- Keep all passwords to yourself and never share them with others—not even your colleagues.
- Install a password manager on all devices to store your passwords in a secure manner.
While straightforward, these five password best practices can go a long way in protecting organizations against data breaches, 81 percent of which leverage either stolen and/or weak passwords, according to Verizon’s annual Data Breach Investigations Report (DBIR).
2. Use Multi-Factor Authentication
Whenever possible, remote workers should be required to use multi-factor authentication to add an extra layer of security on top of traditional password-based authentication.
There are many types of multi-factor authentication to choose from, including SMS tokens, biometric verification, security questions, and hardware authentication tokens, among others. Each of them has different advantages and disadvantages, which is why organizations should carefully compare them and strike the best balance between security and productivity.
3. Require a VPN for Remote Access
Many remote workers need to access internal resources over the public internet, which is a major security hazard because cybercriminals can hijack unsecured connections and obtain access to restricted data. To minimize the risk of attackers hijacking a legitimate user’s remote desktop session, organizations should require remote workers to use a virtual private network (VPN) for all remote connections.
A VPN creates an encrypted private tunnel that extends over a public network (the internet) to protect all traffic going through it. From the point-of-view of a third party, such as cybercriminals monitoring an open Wi-Fi network at a coffee shop, all data flowing from one end of the tunnel to the other one is completely unreadable.
4. Set Up Endpoint Security
In the current cybersecurity landscape, endpoint security must go beyond traditional antivirus solutions. Organizations with remote employees should implement endpoint detection and response (EDR) solutions, which allow for continuous monitoring of all endpoints and response to all kinds of cybersecurity incidents as they arise.
Endpoint detection and response solutions are offered by a multitude of vendors, so organizations of all sizes can choose the right solution to meet their specific needs. While their cost typically exceeds the cost of traditional antivirus products, the superior protection they provide easily offsets it, which is why their sales are expected to reach $7.27 million by 2026, with an annual growth rate of nearly 26 percent.
5. Patch Early and Often
One of the largest data breaches in the United States, the infamous Equifax breach, happened because cybercriminals successfully exploited a known vulnerability, exposing the personal information of 143 million consumers. This massive breach serves as a perfect example of how severe the consequences of lackluster patching can be.
Because remote workers are far more exposed than internal systems defended by enterprise-grade firewalls, it’s paramount for them to install patches as early and as often as possible. Organizations can help them by implementing a centralized patch management system capable of providing a holistic view of all available patches and facilitating their remote installation.
6. Educate Employees on the Latest Threats
The most effective protection against one of the biggest threats facing remote workers today, phishing attacks, is ongoing education that provides relevant information about the latest threats. All remote workers should be required to promptly read phishing alerts so they can better recognize and avoid known scams when they encounter them in the wild.
For cybersecurity awareness training to be even more effective, it can integrate formal training programs with practical mock phishing exercises that test whether users identify or fall victim to fake phishing attacks.
7. Don’t Forget About Physical Security
Physical security is an often overlooked but critically important part of every secure telework policy. It addresses the threats stemming from the use of work-related devices in public places, as well as places that can be easily accessed by other people. Prevent cyber attacks on your business, by analyzing all forms of security risks, not just digital vulnerabilities.
Remote workers should never leave their work devices unattended, not even locked in the trunk of their cars, which is how the data of 43,000 patients was stolen from a laptop of a Coplin Health Systems employee. For the same reason, remote workers should improve their home security by locking their doors and, if possible, installing a home security system.
Ensuring a Secure Telework Policy Success
It’s one thing to establish formal guidelines around remote work, and it’s something else entirely to ensure that the guidelines are actually adhered to by all employees who are working from remote locations.
To start with, organizations that want to permit the use of employees’ personal assets for work-related purposes need to update their acceptable use policies accordingly. When it comes to company-issued devices, it’s a good idea to restrict their use for work purposes in order to avoid cybersecurity incidents stemming from careless web browsing after work and other similar activities.
Once the telework policy has been finalized, it’s paramount for the management to explain it to all employees, who are much more likely to adhere to it if they understand the reasoning behind its guidelines and rules. Whenever employees deviate from the policy, they should be gently reminded and retrained if necessary.
Last but not least, employee productivity should be measured using productivity applications to determine whether it has remained the same, decreased, or increased, which is the best case. The gathered information, together with feedback from remote employees, can then be used to make educated adjustments to the policy.
Your technology strategy is your business strategy. Be prepared for the future and read our article with technology strategy examples, that will help your business thrive.