With the outbreak of the Coronavirus, a key challenge many organisations are facing is enabling their workforce to work from home.
For many organisations, this is something new, often lacking the processes, policies and technologies that enable people to do so safely and securely.
In addition, when people work from home they lack many of the typical security controls you find in organisations, exposing them to far greater risk.
Lance Spitzner, Director of Security Awareness at SANS, identifies the top three behaviours he feels organisations should focus on to quickly secure any new employees who are working from home.
0. Our Goal
The simpler we make security, the more likely people will implement the measures they need. As such, our goal here is not perfect security — but the fewest behaviors that will have the greatest impact.
1. Social Engineering
One of the greatest risks remote workers will face, especially in this time of both dramatic change and an environment of urgency, is social-engineering attacks.
Social engineering is a psychological attack in which attackers trick or fool their victims into making a mistake, which is easier during a time of change and confusion.
These attacks can take on many forms besides email-based phishing attacks, including phone calls, text messaging and social media.
The key is to teach people what social engineering is, the most common indicators of a social-engineering attack, and what to do when they spot one.
2. Strong Passwords
As identified in the annual Verizon DBIR, weak passwords continue to be one of the primary drivers of breaches on a global scale. A key finding is that strong passwords are one of the most effective defenses.
We want to re-emphasise what is needed for strong password use.
This includes passphrases (password complexity is dead), unique passwords for every account, password managers and MFA (multi-factor authentication, often called two-factor authentication or two-step verification).
3. Updated Systems
The third step that will go a long way to protect remote workers is ensuring any technology they are using is running the latest version of the operating system and applications.
For personal devices this may require enabling automatic updating.
In addition to communicating these topics, we recommend that you implement some type of technology to answer questions, preferably in real time.
This can include a dedicated email alias, Skype or a Slack chat channel, or some type of online forum.
Another recommendation is to host a security webcast that you repeat several times a week so people can pick a time that works best for them and attend the event live, perhaps even ask questions.
The goal is that you want to make the security team as approachable as possible and help people with their questions.
This is a fantastic opportunity to engage your workforce and put a friendly face on security. Try to take advantage of the opportunity.
Written by Lance Spitzner, Director of Security Awareness at SANS.