The world has changed in the last few weeks. The novel coronavirus has turned business on its head, with organizations across the globe shuttering headquarters and enabling teams to work remotely. Many have adapted, quickly, to this change, but IT leaders have had to focus on how and perhaps have not yet had the opportunity to ask, “How secure?” This question is essential, and these strategies will help you educate your organization and ensure security in this new work reality.
1. Security Awareness Basics Still Stand
With so much change and worry happening every day, it’s easy for employees to forget their foundational security awareness training, but threats remain. As your team adapts to their new work environments, it’s wise to send a reminder of all of the best practices you’ve previously shared with them. This concise list from KnowBe4 can give you a starting point.
2. Educate Users About Two-Factor Authentication
Explain to your users that two-factor authentication (2FA) adds an extra level of security to passwords by combining something they know (the password) with something they have (a phone for SMS or third-party app connections). You may already be using solutions that have 2FA available but not enabled, but it’s a good time to turn it on and teach users more about this functionality, being sure to explain that 2FA doesn’t make a system impenetrable (nothing does!) but does raise your overall security posture. Beyond SMS or telephonic authentication, third-party tools like Authy, Google Authenticator, or MS Authenticator are key.
Learn more in this video:
3. Improve Password Security and Management
Even in 2020, password security remains elusive. Many users find it difficult to remember passwords and, because of this, use similar (or the same) passwords to log in to multiple sites or products. As you know, this opens users and your organization up to a security breach. Instead, we recommend using a password management tool, such as Last Pass or 1Password, with 2FA enabled and a 15-minute timeout, to eliminate the need to remember passwords and increase the likelihood of individuals using very secure, randomized passwords.
Instead of also creating a random string of characters to protect the password management tool, users should be educated and changed over to passphrases - longer, but easily memorable phrases such as “the peach cobbler at cowboy chicken is great” that unlocks the password management tool. To enable passphrases, you may need to change your password policy and complexity to a minimum of 25-30 characters with no requirement on usage of case, numbers, or symbols.
Learn more in this video:
Here’s a resource to share with your team when you introduce these changes:
4. Provide Instructions for Using Your Company's VPN
A VPN (Virtual Private Network) sets up an encrypted connection to a trusted network. With teams working remotely, you’ll likely be seeing individuals using more and more of their own devices as part of their regular workflow. While you may not have an official BYOD policy, it’s a good time to be thinking ahead about one, and a VPN is a key component of making it harder (but again, not impossible) for someone to get in.
5. Keep Onboarding and Offboarding in mind
Everyone is conducting as much “business as usual” as possible, but it’s safe to say this is not business as usual and your organization will change in the coming weeks and months. You may add team members, lose some, and give others a new role. All of these events require a change to their security status. New hires need training right away; terminated employees need to be removed from systems quickly; a role change may require an audit of current credentials to ensure appropriate access levels.
You Can Never Be Unhackable - But You Can Be Vigilant
Every organization, from the largest multinational enterprises to localized SMBs, faces cyber security threats. They’ll never go away, and in these uncertain times, there will certainly be actors with malicious intent targeting users in new ways. Encouraging users to stay vigilant and aware is the best step you can take. We have all quickly moved to remote work models and are serving users with limited experience in this setting, but can and will be successful through education and communication. If you have questions about keeping your organization safe as you transition to remote work, contact us.