Remote Work Guide

How to Work from Home Securely During the Coronavirus Outbreak & Beyond


What will you find in this guide?

Our country finds itself in a completely unprecedented situation, as we struggle to figure out how to best respond to the spread of COVID-19. We find ourselves having to ask how we can keep our country, and our world, functioning while limiting human contact as much as possible.

Businesses are sending workers home in droves to work remotely, but is your organization prepared for the security implications of doing so? As the keepers of sensitive client data, employee data and more, how can you navigate the tricky waters of securing both human and cyber health for your business?

This guide is intended to help you learn what you should be most concerned about, how you can potentially get as much of your staff working remotely as possible, and how to stay secure while doing it.

Table of Contents

1. What is required of me by law?

2. The security problems with remote work

3. How to secure your organization for remote work

4. What solutions can you implement quickly for COVID-19?

5. How to make the most of remote work.

6. What does COVID-19 mean for the future of remote work?



1. What is required of me by law?

What is important to understand first and foremost, is what the law requires of you with regards to data security and protection. Only from there can we begin to understand how we can stay within those requirements while changing the way our workforce connects, communicates and collaborates.

As a business, you may potentially handle quite a bit of different types of data. The first step to understanding what you need to do to remain secure is to understand what types of data you are working with and what rules or regulations are required of you to protect that data.


Data Types

As a private sector business, the general data types that every organization should be aware of include:

Personally identifiable information: this can be personal or identifying data about your customers or other employees.

Intellectual Property or Trade secrets: anything that is vital to how your organization or its customers or partners works that would be negative if it found itself in the hands of your competitors.

Health data: any health or personal data protected by HIPAA regulations.

Financial data: information about finances for your company, your clients, partners or your customers including bank details and login information.

Client or partner data: any information about your clients or partners, including their passwords, their customers, or their internal systems.


Security laws and regulations.

There will be very specific rules and regulations you are subject to depending upon the types of data you handle. The list below is not exhaustive, but an example of some of the different legal requirements for how you have to handle your sensitive data as an organization.

Gramm-Leach-Bliley Act: The Gramm-Leach-Bliley Act specifically applies to financial institutions. It requires said companies to have a written information security plan that effectively covers three important areas: Employee Management and Training; Information Systems; and Detecting and Managing System Failures.

Fair Credit Reporting Act (FCRA): A set of standards that regulate the use and protection of credit information among consumer reporting agencies.

Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a set of national standards for the protection of health information monitored by the Department of Health and Human Services.

Health Information Technology for Economic and Clinical Health Act (HITECH): Meant to strengthen the enforcement of HIPAA, the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information.  

The Family Educational Rights and Privacy Act (FERPA): FERPA is a Federal law that protects PII for students, and applies to information held in their education records.

The Children's Online Privacy Protection Act (COPPA): Specifically governing the privacy of information for children under 13, COPPA regulates operators of websites or online services that collect data for children under age 13.

The Privacy Act of 1974: This is the original legislation regarding safe handling of PII and “establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies” (source).

Payment Card Industry Data Security Standard (PCI DSS): Often referred to as PCI for short, this set of standards is administered by the PCI Security Standards Council and governs the way personal data must be handled whenever there is a credit card transaction or payment.

Because there are so many different standards out there, spread across different industries and changing every day, typically most organizations choose a cybersecurity framework to adhere to that includes best practices and requirements that meet all of the above-listed standards. In most cases, businesses choose to follow NIST standards as closely as possible.


What equipment does your staff use?

One of the most important aspects of choosing to have your staff work remotely is the choice of a device on which they work. Some organizations have already provided work-furnished equipment to employees for the express purpose of allowing them to work remotely. Many have not.

As you will learn below, a very important part of the security of remote work is directly related to the security of the devices being used to do that work. Having a solid understanding of which employees have access to secure devices to work, and which don’t, will be a good first step in understanding what steps you need to take to secure your new remote workforce.

Learn More About GoSilent

Secure any user or device simply by connecting to a GoSilent cube. Compatible with any IP-enabled device (no matter how old) and effective over any connection (no matter how public) with near zero configuration required. Security so simple, “it just works.”


2. The Security Problems with Remote Work

There are a host of cybersecurity concerns with allowing workers to connect remotely. There are two primary areas where these concerns lie: technical limitations and user knowledge.

From a technical perspective, connecting remotely, rather than from within a secure network, involves the use of different equipment and devices to communicate and brings with it the frightening prospect of using the public internet as the medium through which those communications must happen.

On the other side of the equation, you have the human who is doing the connecting. Most of the people who are suddenly having to work remotely will have no idea that much of what they choose to do could cause security problems. They will also have very limited technical knowledge, so asking them to do very complex things in order to connect will be riddled with problems.


Technical Issues

Some of the biggest technical issues surrounding the security of remote work include:

Personal Device usage: Many of your employees will be connecting to your network using personal or mobile devices that are unsecured. Keep in mind most personal devices won’t be set up with the correct security measures to be NIST compliant.

Wi-Fi Connections: Connections via Wi-Fi, especially public Wi-Fi, are notoriously insecure (and will be the most common method by which your remote employees will connect). The majority of your users will be connecting from their home Wi-Fi but have probably never set any security settings on their routers, or have any idea how to.

Eavesdropping or Man-in-the-Middle attacks: Cybercriminals gain access to an unsecured or poorly secured Wi-Fi router in order to intercept and read the victim’s transmitted data. 

Captive portals: One of the most concerning aspects of remote work, Captive Portals are present when you get a popup web page as soon as you connect to Wi-Fi networks in places with free guest Wi-Fi access. They often ask you to agree to terms and conditions and/or put in information like your social media accounts, email address, access code, last name, room number (such as in a hotel) or other identifying information before granting you broader access to the network. During this current situation, this will likely be less common (as most people won’t be traveling to these establishments), but it is still a consideration.


Behavioral Concerns

Some of the human behavioral concerns with remote work include:

Physical Security: The physical security of devices is just as important as the technical security of those devices. Quite often employees will leave devices unsecured in vehicles where a bad actor could easily steal them.

Password Hygiene: Most users are terrible at creating secure passwords and keeping them protected. The harder the password to remember, the more likely a user has written it down or saved it on their device somewhere for reference. Users also commonly reuse passwords multiple times and break every other password rule in the book.

Scams and Phishing Emails: Employees may fall victim to scam emails or attacks. Of particular concern during this time are Coronavirus-related scams (which are on the rise). Italy has already seen a campaign where the bad actors masquerade as officials of the World Health Organization encouraging users to download information about COVID-19 to protect themselves.

Connecting Storage Devices: Many users will connect thumb drives or other external accessories that may be insecure, infected, or compromised, ultimately infecting the device itself.

Installing Updates: Many users put off installing updates when prompted by their device, leaving their device open to security threats or attacks.


3. How to Secure Your Organization for Remote Work

Securing your organization is not as simple as flipping a switch. You’ll want to take a two-pronged approach to ensure that your employees can work remotely without concern for security.

You’ll want to simultaneously start making changes to your technology while also working on educating your employees about what they need to be doing from their end. If you address one side without the other, you’ll be wasting your time. The technology you deploy is useless if your employees use it incorrectly or fail to use it.


Organizational Approach

The strategies you can employ or the actions you can take as an organization include:

Set up two-factor authentication: Two-Factor Authentication (2FA) involves adding an additional layer of security to login entry points. It involves providing a second proof point, beyond just knowing a password, that you are who you say you are. This second factor can range from a biometric identifier (like a fingerprint) to a simple temporary code sent to a mobile device. You’ll want to have this set up for any application or device that handles or transmits sensitive data for your organization.

Use a VPN and encrypted communications: Anytime a device needs to transmit or communicate sensitive data, it should be over a secure Virtual Private Network (VPN) connection. VPNs encrypt data before sending it, so that nobody who observes the traffic can read it except the intended endpoint on the receiving side.

VPNs come in two flavors: hardware and software. Software VPNs require significant setup (which you may not have the ability to do at this point in the crisis), rely on consistent updates and may be difficult to teach end-users how to use properly. Hardware VPNs, like Attila’s GoSilent Cube, are typically faster to deploy, easier to use and less prone to user error.

You’ll also need to make sure your organization’s network has the proper setup to accept and handle this traffic. It can be as simple as deploying a virtual server within your existing network to manage the VPN traffic.

Use antivirus software: On any work-furnished device, make sure you are installing and regularly updating antivirus software. This may not be an aspect you have control over if allowing your employees to use personal computers or devices.

Be careful with remote desktop tools: Depending upon how remote desktop services are set up, they may expose the endpoint computer to unnecessary risks. If your team needs to use them, you’ll want to ensure that they have been properly configured and are only accessed over a VPN connection.

Data at rest encryption: Make sure all of your devices have encryption for the data physically stored on that endpoint device. This helps mitigate concerns around lost or stolen devices. The potentially sensitive data that is stored on the device should be unreadable by bad actors.

Data loss prevention (DLP): Using DLP software can help to protect sensitive data by controlling what end users can share or do with that data. For instance, if a user attempted to forward sensitive data outside of their own internal network, they would be denied permission from doing so. Solutions like Microsoft 365 and Sharepoint have some of this functionality built-in.
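The DLP behaviour described above (deny a message that carries sensitive data to a recipient outside the internal network), written out as an added Python example that is not code from the guide or from any product it mentions. The internal domain list, the detection patterns and the sample messages are constructed assumptions; a real deployment would use the vendor's classifiers.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed assumption: the organization's own mail domains.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# PII pattern: US Social Security Number in its usual dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from invoice or order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return the classes of sensitive data found in the message body."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("payment-card")
            break
    return hits


def external_recipients(recipients: List[str]) -> List[str]:
    """Recipients whose mail domain is not one of the internal domains."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str]


def evaluate(recipients: List[str], body: str) -> Verdict:
    """Allow the message unless sensitive data would leave the internal network."""
    ext = external_recipients(recipients)
    hits = find_sensitive(body)
    if ext and hits:
        reasons = [f"{h} addressed to external recipient {r}" for h in hits for r in ext]
        return Verdict(False, reasons)
    return Verdict(True, [])


if __name__ == "__main__":
    # Constructed sample: a card number forwarded to a vendor is blocked,
    # the same content sent internally is allowed.
    print(evaluate(["vendor@partner.test"], "Card on file: 4111 1111 1111 1111"))
    print(evaluate(["bob@example.com"], "Card on file: 4111 1111 1111 1111"))
```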


Employee Approach

Now that you’ve taken steps to secure your network and put in place the technology you need to do so, it is time to ensure that your employees are doing their part to keep your data safe. You’ll want to place a big emphasis on training to ensure that employees know what is expected of them and how to maintain all of the security measures put in place.

Training on the basics: Train your users on the basics that they need to know with regards to best practices, including password strength, phishing emails and sites, physical handling of devices, etc.

Instructions for connecting: Provide your employees with clear instructions for how they should connect, what requirements you have from their home router, and what type of connections are safer than others (e.g. public Wi-Fi connections).

Provide a solution that is fool-proof: While it should never replace training, providing users a solution that requires no specialized technical knowledge and can be secure over any connection can go a long way in reducing the problems users are able to introduce.

What is incredibly important to remember as you embark upon this journey is that it does you no good to blame your employees or give up on their ability to help keep you secure. It is your responsibility to help find solutions that will be as simple and effective as possible for them to use with as little training as possible. 

For those who do need training, make sure they get it and make sure that you’ve clearly defined what is expected of them and why. Every employee is their own CISO, and they should feel that way.


Supply Chain and Partners

Now that you’ve taken care of your own network and your employees are well-positioned to keep you secure, you’re done, right?

Unfortunately not. Now you have to consider anyone else you work with, like supply chain partners or vendors that have access to your network and data as well. Target learned this lesson the hard way with their HVAC vendor.

You will want to ensure that vendors or partners who have access to your sensitive data are also set up with a secure VPN solution to access your network securely from a remote location.


4. What solutions can you implement quickly for COVID-19?

Unfortunately, at this moment you don’t have the luxury of time to implement new remote work procedures. You need steps you can take immediately to help those who you need to send home now or have already sent home. So what are things you can do right away that can help you make your workforce more secure now?


Find a solution that doesn’t require heavy IT support.

Realistically, you can’t call your entire IT team back into the office to implement a large scale solution that takes days or even weeks to set up and deploy (much less maintain while they are all remote). You need a solution that is plug and play.

You need a secure virtual server that can be set up and running quickly, and that virtually eliminates the need for centralized IT support for configuration and activation. It should have incredibly low overhead for maintenance and support, meaning your team doesn’t need to deal with constant upgrades, updates, and patches.


Find a solution that is both device and architecture agnostic.

Given that you may have multiple different types of endpoint devices that you need to connect to your network, you’ll need a solution that works with any and all of them.

You also won’t be able to pick and choose elements of your existing network, like operating systems and servers, that you can change to support a new solution. You’ll need to make sure that whatever solution you choose to deploy can work with any architecture that you currently have in place.


A solution like Attila’s GoSilent Server keeps your IT team from having to bear the brunt of a complete re-architecture, can be up and running in as little as 10 minutes, and works with any existing architecture.


Deploy a solution that requires little-to-no training.

As previously mentioned, the best thing you can do to ensure users stay secure is to take as much of the burden off of them as possible. Especially in the current atmosphere, where a solution must be deployed quickly, a requirement for lengthy or intense training won’t work.


Give them the basics: Provide a brief Cybersecurity 101, remotely of course, that teaches them some of the most important basics (e.g. always use the VPN, how to identify spam, etc.). Make everyone feel comfortable enough to ask questions and speak up.

Make sure the team knows how to report problems. Create a culture of “if you see something, say something.” If a user notices strange activity on their device or a suspicious email, they should be ready and willing to notify the security administrators or systems administrators.


5. How to make the most of remote work.

An entire employee population suddenly having to shift to full remote work is a drastic change. Your team and culture may not be currently set up to support such a large shift. You’ll want to make sure that you are doing everything you can to help maintain normalcy, encourage productivity and keep your employees happy during a very stressful time. Both your team and your business will thank you.


How to work remotely without sacrificing collaboration or culture.

You are in luck! As remote work has become more commonplace, there has emerged an entire category of tools and solutions for ensuring that collaboration is easy across wide distances and through nothing more than video conferences.

Some great tools to consider at this time to help improve camaraderie, communication, and culture are:

Video Conferencing Solutions: Tools like Zoom, GoToMeeting or Microsoft Teams all allow for group video conferencing that feels as close to the real thing as possible. Having your team use video, rather than audio-only, conferencing solutions will go a long way in making them feel closer, promote better attention and attendance, and keep you connected. It also gives employees a reason to still “get ready” which helps keep them feeling normal.

Lite Communication & Project Management Tools: Slack and Basecamp are favorites for quick communications, with features that feel like chats or recreate the casual conversation experience of “walking by someone’s desk.” They keep communication flowing in real time, which allows you to keep work moving at the same pace you did when everyone was physically in the office.

In this trying time, feeling as normal as possible will be key for your employees. There are plenty of things they can do to make remote work feel more comfortable and natural as well. This article does a great job of exploring some of the key things your team can do to enjoy remote work more.

You can also take lessons from organizations that already have a thriving remote culture, or are fully remote companies on how to keep remote work secure:

“HubSpot already has a thriving remote worker culture and we are provided a VPN which takes one click to utilize. We also are required to use two-factor authentication (2fa).” 

     Carl Ferreira, Account Executive, HubSpot


“I’ve been working from home, both as an agency owner and now as a solopreneur, for a long time. My wife and I are acutely aware of security, so I use encrypt.me for all online connections, and we use two-factor authentication for all account logins. I change our Wi-Fi logins monthly, and while we don’t travel much, we take extra precautions when we do.”

     John McTigue, B2B Marketing Advisor, The Customer Journey Maestro


“We already have a remote work culture in place. Most of our work is done directly on sites like HubSpot and social network sites as we're a marketing agency. As it is, little to no work is processed/stored on the machines, all in the cloud.”

     David Yahid, Director of Business Development and Innovation, Penguin Strategies


“As a remote-first company, we have opted into most 2FA, especially for email, which is the full Google Suite, as well as our password system (LastPass). Generally, the team works from home or an approved coworking space. We generally don't recommend (though don't disallow either) working from coffee shops or the like as internet connection isn't always reliable and meetings are prevalent.”

     Kerry Guard, COO, MKG Marketing


"We have a VPN. Also, we are moving to a secure internal-only email and filing system. We will still use our public-facing email address for external communications but will have a different one for internal and sensitive conversations. We will each literally have two email addresses!"

     Anonymous, CMO, Crypto Exchange Company


“We’re a remote-friendly company (small, 15 people) but we have pretty strict security measures in place. We require a single sign-on (SSO) via Okta for all major systems containing sensitive company or customer data. We also require 2FA (I use Google Authenticator) and a password management tool (1Password). We’re an entirely SaaS-based tech stack which makes it a lot easier for our CTO to monitor and manage. Our product also helps us and our clients monitor their SaaS usage, especially with so many SaaS apps being adopted bottom-up. Historically, there’s been no way for security or IT team to know what SaaS is in use and what permissions may have been granted (ie. letting Facebook read and write data within our GSuite or Slack instance.) Intello solves that. I work from home but occasionally work from coffee shops, etc. Most of our team are based in NYC and half of them work remotely 75% of the time or more. Because we’re entirely SaaS-based we just use secure login principles. We have regular training and tech practices (being SOC2 compliant) to regularly manage security beyond what I mentioned.”

     Kelsie Skinner, Head of Marketing, Intello


“We have several remote employees on the sales team and I work remotely from time to time. It's always from home because of the nature of sales. We use G-suite and have Okta SSO to log into any systems that we use. You also need a VPN if you are accessing our products.”

     Gene Plotkin, VP of Sales, Mimeo


“We are 100% remote. I mix working from home or a coffee shop (just depends if I need a change of scenery!). Our team is spread throughout the US. We use G-suite and secure login principles.”

     Simon Tecle, Head of Sales & Customer Success, Citruslabs


Conclusion: What does COVID-19 mean for the future of remote work?

What COVID-19 has truly taught us is how woefully underprepared we were for a pandemic. It has made it painfully clear that we need to have better contingency plans in place so that an immediate need to deploy a remote workforce at large scale is possible in the future.

In the wake of COVID-19, as the world begins to return to normal, we’ll find that all government agencies, contractors and public sector businesses alike will need plans in place for remote work. Similar to the requirement for organizations to have a disaster recovery plan in place, organizations will need to have a pandemic plan.

They will need a documented set of policies and procedures, as well as the supporting underlying technology to allow for immediate and widespread remote work.

This means you should start building a solution that will support you in the immediate response to COVID-19, but be prepared to build a long term plan as well.