[co-author: Charlene Bond]
Many organizations give employees the ability to work from anywhere, adding convenience and flexibility to work and personal schedules. However, with this flexibility comes responsibility—the responsibility to protect the organization’s network and data. By educating their employees on the risks involved, and following a few basic guidelines, companies can help keep their information, clients’ information, and employees’ information secure.
- Create an acceptable use policy. Establishing rules for employees to follow when using the company network and devices helps protect the organization from risky behavior. It can also serve as a critical legal control for unsatisfactory behavior. The policy should incorporate the following elements:
- Restrict the usage of unknown USB paraphernalia and flash drives. Criminals can program USB devices to install malware or steal information. If a corporate laptop or mobile device is connected to a malicious USB device—such as a cord, port, charging station, or external drive—data could be secretly transferred or malware could be installed enabling criminals to surreptitiously monitor the device or steal information. Organizations can manage risks posed by USBs by implementing a USB device management and control protocol.
- Block USB ports from accepting outside connections. All removable devices are blocked except those that are deemed trustworthy, but consider making exceptions for USB devices that have a critical business justification. If an employee needs USB access while traveling, they should request approval prior to their departure.
- Advise employees to travel with their own charging cords, ports, plugs, and drives.
- Specify and enforce technical requirements for mobile devices that connect to the network or access corporate data. Implementing mobile device management (MDM) software provides security administrators with threat detection and monitoring abilities while reducing security vulnerabilities. The resultant mobile endpoint security can help protect organizations from phishing, data leakage, and other attacks. MDM software also provides organizations with remote wiping ability if a device is lost or stolen. In addition, requiring employees to update their devices regularly is critical to devices remaining secure, especially while travelling.
- Provide security awareness training for all staff. Organizations should offer security awareness training to educate all employees—including executives and, if applicable, contractors—on digital security best practices. Because anyone with access to the organization’s network could pose a security risk, a mandatory security training program that includes strategies on staying secure while working outside the office benefits both the organization and its employees. Such training should do the following:
- Highlight the dangers of phishing. As phishing emails become more sophisticated, it can be difficult to spot red flags. Train employees to check sender email addresses and to confirm if they are being asked to do something out of the ordinary before responding in any way. They should not click on links, open attachments, type passwords, or even reply to an unexpected or suspicious email unless they have confirmed that the email is legitimate by calling or texting the purported sender. Educate employees that phishing attacks can also occur through text message.
- Train employees to avoid using a personal email account to send work-related emails. Using a personal email for work correspondence (or even cc-ing a personal email address) can make it difficult for colleagues to determine if an email from a purported personal account is valid or if it’s a phishing email. If a cyber criminal were to send a spoofed (or fake look-alike) email posing as an employee, or if a cyber criminal were to access an employee’s personal email account and send emails to their contacts, prior use of the account may mean that recipients do not realize that a hacker is sending the email and respond with confidential information. If the use of personal email is required for business purposes, consider establishing rules around its use that are laid out in an acceptable use or travel policy. For example, if an employee must send a work-related email from a personal account, they should advise colleagues by phone call or text to expect it.
- Discourage the use of public Wi-Fi. Connecting to an unknown or public Wi-Fi network to perform work tasks or update social media can be convenient but could put the organization’s information at risk. For example, the network owner could record and store all browsing or a cyber criminal using the same network could monitor all browsing or even steal information. Advise employees to connect to public Wi-Fi as a last resort. Instead, employees should be encouraged to use their device’s data plan or a work-issued travel hot spot. Encourage employees to turn off “wi-fi auto connect” in their devices’ settings and delete old networks from their corporate and personal devices to prevent inadvertently connecting to a malicious network.
- Discuss the importance of maintaining confidentiality when traveling. Shoulder surfing and eavesdropping could allow a stranger to learn confidential information about the organization. To help prevent inadvertent slips, train employees not to discuss personal, business, or other sensitive information in public spaces. Devices with access to corporate resources should not be left unattended in vulnerable locations such as hotels, airports, or cars for any period of time. No one except an employee should use company-issued devices; even allowing someone to use a personal mobile device could put the employee and the organization at risk.
- Advise caution when scanning QR codes. Train employees to think about QR codes the same way they think about email scams and social engineering—a quick scan of a manipulated QR code could lead to a malicious website that prompts employees to install an app or type a password, potentially exposing the organization to risk. Before scanning any QR code, employees should check if it appears damaged or misprinted, or if a sticker appears to be placed over the legitimate code—or even if the code is in an unexpected place. Alternatively, employees can navigate to the site’s known webpage or, if applicable, use the official app.
- Ensure employees are familiar with reporting channels and key points of contact such as the IT and security teams. This will ensure that, if a security incident needs to be reported or if technical issues arise, employees will contact the correct channel. Advise them to report a lost or stolen laptop or a mobile phone with access to corporate data immediately. Review the organization’s policies and procedures regarding lost or stolen devices to reduce the risk of exposure.
- Set up a virtual private network (VPN) for the organization’s environment. A VPN helps protect the organization by creating a secure connection between the network and corporate laptops. This additional layer of security lowers the risk of hacking or criminal activity, especially if employees use public Wi-Fi. Instruct employees to sign off the VPN and shut down their laptop when they have completed their work to prevent unauthorized access to company resources.
- Monitor login locations outside of typical office areas. Increased employee travel means that organizations encounter more sign-in locations, which may make it difficult to differentiate between legitimate and suspicious network access. Confirming that sign-ins are legitimate will ensure that cyber criminals are not trying to enter the organization’s network. Ask employees to notify the monitoring team of upcoming travel dates and locations. With this knowledge, the team can close known alerts and confirm unexpected sign-ins.
Whether employees are traveling for work or personal reasons, organizations should keep in mind that digital security is as important as physical security. By following guidelines and best practices, organizations can keep their information secure.