Work-at-home world faces increased data security risks
Protect your business and workers from hackers, data loss and scams
When Governor Chris Sununu passed the stay-at-home executive order, the world went home to work. Starting that day, data security became more complicated. NH Business Review reached out to data security experts to learn where risk exists, and how to best protect your company’s sensitive information.
Mark Benton, Director, Product Management, Systems Engineering.
Matt Mercier, President and Founder of Acapella Technologies.
MARK BENTON, SYSTEMS ENGINEERING
Q. What are some of the issues/mistakes you’ve seen businesses make with regard to their data security, as we’ve all been working remotely?
Benton: “The biggest mistake is not knowing who is accessing their business network. As we’ve seen in the headlines, cyber-intelligence companies frequently find stolen credentials (usernames and passwords) on the dark web. It is no longer enough to allow employees to use credentials alone without a second authentication method, especially when accessing critical business apps with sensitive data. Businesses can address this by adding multi-factor authentication, or MFA. This solution makes it almost impossible for cybercriminals, with a set of stolen credentials, to gain access to a network. MFA requires an extra layer of authentication, such as entering a one-time PIN number or facial recognition in addition to credentials. This process ensures the person accessing your network is who they say they are.”
Q. What are some security issues that people generally don’t know about?
Benton: “‘Shadow IT’ comes to mind. This term describes those applications and devices employees use for work but are not managed by the IT organization. Examples of some free or freemium shadow IT services are Google Docs, Dropbox and Zoom. Shadow IT has become more pervasive as a result of the work-from-home shift. The risk lies in sharing or storing business files within these shadow IT apps and devices. When this happens, the organization loses control of data and exposes itself to a breach. Word to the wise, don’t be too hard on your staff. Most employees use shadow IT with the good intention of getting their work done. However, organizations need policies that set clear expectations around using office technologies and data. Such policies can significantly reduce the risks brought on by shadow IT.
Not to sound like a broken record here, but multi-factor authentication is one security tool that many organizations have not fully adopted. This solution has come a long way in the last few years, and some may still view it as an expensive and cumbersome tool. Today, MFA is a cost-effective solution that gives a business the most bang for its security buck. With so many businesses now living in or moving to the cloud, this is an absolute must-have. It is proven to prevent 99% of attacks via compromised credentials.”
Q. Are home routers and is residential Wi-Fi secure enough, and what can you do to improve that issue?
Benton: “That depends. Has the employee periodically changed their password and implemented the latest security updates? What does the rest of their environment look like? Are there other smart devices in the home – like thermostats or light bulbs – connected to the network? These factors all affect the security of a network and are challenging to manage and control.
When working from home, you need to help the employee work as securely as possible. If it’s a personal computer being used for work, have them connect over some form of virtual desktop service. This service isolates the work experience from the home PC. In this scenario, employees should not store company data on their personal computers. It’s best to access the files in the cloud using a company-owned and managed solution like Microsoft Office 365. The best scenario and experience for your employees is to provide them with computers owned and managed by the company. ‘Managed’ means the device identity is known, regular security updates are applied, and anti-virus is up to date and running. In addition, the computer should have full disk encryption and be enrolled in a mobile device management solution.”
Q. What advice would you give a company whose employees are working remotely right now?
Benton: “Review your Information Security and Acceptable Use Policies and update them accordingly. If you don’t have these, I recommend you get them done now. These policies give employees clear expectations of handling a business’s sensitive information and devices. These policies include guidance on which files they can share with external parties or to prohibit downloading the coolest looking app to a networked computer. Again, because I can’t stress this enough, in today’s work-from-home environment, deploy MFA and get it adopted company-wide.”
Q. What concerns, new developments or changes in data security are coming in the near future that people should know about?
Benton: “First, email continues to be the primary vector of attack. It is reported that 95% of all breaches start with a phishing email scam. The more communication and work you can do outside of email, the more secure you will be. Next, there are great collaboration solutions now available, such as Microsoft Teams or Cisco WebEx Teams. These solutions are bringing people together to work more collaboratively and securely. The ‘Team’ is an exclusive experience by default. With email, anyone who has, or can guess your email address, essentially has access to your inbox. In a ‘Team’ concept, you must be a member of the organization to create or join a team. External members can join a Team, but they must be invited in to take part. Lastly, another development is the concept of Data Loss Prevention, or DLP. This solution has been available for a while but was only used by large organizations due to cost. DLP allows you to secure individual files so they cannot be accessed by unauthorized users, sent outside the organization, or tampered with once they are transmitted. This is a complex solution to put in place, but it helps avoid the misuse of company data. The good news is the cost for this solution is now in reach of most businesses.”
“In summary, the above recommendations are part of what is called the modern workplace. Year-over-year the criminals advance their skills and tactics at exponential rates. This means businesses need to keep pace. Can you remember the last time you made a dramatic change to how your business works and secures itself? The Covid-19 response has forced most of us to make some dramatic adjustments. This is a good time to push ahead and keep transforming the way you do business. Adopting a modern workplace strategy moves your business forward with better security, better work processes, and a better work-from-home experience for your employees.”
MATT MERCIER, ACAPELLA TECHNOLOGIES
Q. For businesses suddenly needing to “work from home,” what are the most urgent needs that businesses face, and what tools are available to help them/their employees function remotely?
Mercier: “When it comes to an urgent need to work from home, it’s all about ensuring secure, reliable access to data, applications, and systems for employees. For an optimal configuration, they will need a range of tools – starting with a proper, up-to-date device that’s running a supported operating system. In addition, a VoIP business phone system to make and receive calls, virtual private network (VPN) technology to create a secure, encrypted connection to the network, and a communications platform, such as Microsoft 365, for access to email, calendar, video conferencing and more will be necessary.”
Q. When employees are working from home, what are the potential security risks that a business owner should be aware of?
Mercier: “Cybercriminals are launching more attacks than ever as they take advantage of the influx of remote workers, alongside the fear and uncertainty we’re all feeling. Phishing attacks and phony domains have increased drastically. Business owners should be aware of any suspicious emails or websites trying to gather sensitive information and/or convince users to click links or download attachments.”
Q. What advice do you have for companies who may need to migrate their now-remote workforces back to an in-office environment?
Mercier: “I would recommend keeping any remote access or cloud-based tools for added resiliency in the event of a second wave or other form of disruption in the future. The cloud tends to be more affordable compared to on-premises alternatives, so businesses can actually save money keeping the tools they’ve acquired for working remotely.”
Q. My operations have changed dramatically since the start of the COVID-19 situation and it’s hard to predict what my business will look like in 3 months, 6 months, a year, etc. I need to come up with a strategic plan to keep day-to-day operations as smooth and normal as possible, but I’m not sure where to start. What should I do?
Mercier: “The thing about strategic planning is it’s never a one-size-fits-all process. If you’re serious about creating a strategic plan, I would recommend getting in touch with an experienced technology solutions provider that can assess where you are currently, the technologies you’re using and the challenges you’re facing, and go from there.”
Q. If there is a second wave, or my company decides that there are a lot of advantages to having employees work from home, what systems should we put in place to implement a smooth-functioning, remote-working structure for the long term?
Mercier: “Aside from the tools we mentioned above (VoIP business phones, virtual private network technology and a communications platform), I’d recommend ensuring employees have enterprise-grade security measures, including any necessary data backup solutions, on their home devices. This should include anti-virus software, firewalls, intrusion detection software and more. It’s also helpful to enforce a remote work policy that outlines your expectations in terms of hours worked, communication requirements, and technology and cybersecurity specifications to ensure you’re still meeting any necessary regulations or standards.”