Amidst this uncertain time, CEOs everywhere are faced with an unnerving decision: to switch to remote operations or to close their doors. While the 2020 COVID-19 pandemic is certainly prompting more businesses to adopt temporary work-from-home policies, remote work was already growing in popularity for its diverse benefits.
Savvy IT leaders know that shifting employees to remote work presents new challenges. Endpoint devices such as desktop computers, laptops, smartphones, tablets, printers, or other specialized hardware that connects to your systems are prime targets for bad actors, as employees tapping into your private servers and networks can leave dangerous backdoors for cybercriminals to sneak in.
Double check you’re enforcing a secure remote environment with this considerations:
1. Always make employees use a business VPN
A VPN (virtual private network) can provide end-to-end encryption for your company devices, meaning, remote employees can operate on a secured web connection— guaranteed. Requiring your users to connect to your corporate VPN means that your data is always encrypted and less likely to be compromised. Unsuspecting remote employees can all-too-easily connect to fake WiFi hosts in public environments, like a Starbucks’ or a shopping court’s open connection. Even at home, users may not be on secure networks, either because they haven’t set up a password at home or because they’re using free wifi from a nearby store, neighbor, or public space.
Even if their home network is password protected, your users must understand even the most expensive home WiFi packages can be hacked. Tom’s Guide found that out of 2,205 people surveyed:
- 82 percent never changed the default network name (on their router)
- 86 percent never updated the router's firmware
- 70 percent never checked to see if unknown devices were using their network
- 69 percent had never changed the default Wi-Fi access password
These out-of-box passwords can be easily cracked and should always be changed.
2. Whenever possible, provide and enforce the use of corporate, secure storage solutions
Eager to solve problems, many users are quick to introduce their own hardware and unapproved software or storage solutions to their professional work. In fact, Forrester Research found that “53% of information users use their own personal devices for work; install unsupported software; or use unsupported Internet based services like Dropbox, Skype, Twitter, or Facebook to help them do their jobs.” Other services, software, and tools may include Google Drive, local storage on their HDD, USBs, External HDDs, Box, and countless other tools that provide threats. That’s more than half of your users introducing potentially untested applications to your organization.
These unauthorized updates, downloads, and applications increase threat landscapes for many companies. Whenever possible, provide your staff with encrypted devices to reduce your risk for breach and reinforce better endpoint security. This may be out of scope for companies just transitioning to a remote lifestyle, but prioritize providing protected technologies for optimal protection.
3. Require corporate-vetting for new tools
There are new tools hitting the market almost daily, but while these tempting technologies look attractive on paper, fresh applications increase the attack surface, This is often a result of busy IT teams lacking the ability to provide timely support for “small” considerations or even IT teams not configuring third party applications to lock them down. Remind your remote team to never download an unapproved plug-in, app, or tool to their corporate device (or personal device they use for work) without IT’s permission.
IT teams and security partners must review these solutions before any are installed and purchased. This is also a good time to remind your department leaders to be mindful of redundant tools, and to reduce your attack surface however possible by scaling back on applications and software that aren’t 100% necessary for business success.
Also, don’t forget to ensure your IT team has a policy for routinely verifying and updating security patches as they become available. Even previously approved solutions can become vulnerable without diligent upkeep, and a robust endpoint security solution isn’t complete without this important safeguard.
4. Be mindful of attack vectors
The same cyberthreats that you face in the office apply to remote work as well. Social engineering exploits are still the most common way bad actors steal data and money—and remote employees may have their guard down due to current distractions and are not used to working from home. This means they are less likely to double check before clicking without office colleagues to converse about their suspicions with. Educate your team on the tactics clever cyber criminals are using to manipulate them via email, phone, and beyond.
If you are unable to congregate employees for a live demonstration prior to your remote transition, have them watch this helpful demonstration from Kevin Mitnick, the world’s most famous hacker, where he performs a number of live hacks, center stage.
Review these common hacking techniques and train your team on other threats like malware-injecting devices, better password management, multi-factor authentication methods, and other endpoint threats before remote transition.
5. Design and implement an endpoint security solution
Businesses transitioning to partial or full work-from-home infrastructures need an endpoint security solution to protect devices from cyber attacks— it’s non-negotiable for optimal protection.
For many companies, this starts with penetration testing. These simulated attacks size up your current defenses and help to establish remediation strategies for patching any gaps in your security.
Harden Your Remote Security
At Mitnick Security, we use six different forms of penetration testing to check every possible crack in your infrastructure— all aimed at enhancing your endpoint security. It’s our superior skills and experience, reputation and competitive pricing that stand out against other pentesters.
Learn more about our pentesting services and let our Red Team uncover and strengthen your remote vulnerabilities.