As remote working has become standard practice, employees are working from anywhere and using any device they can to get the job done. That means repeated connections to unsecured public Wi-Fi networks—at a coffee shop or juice bar, for example—and higher risks for data leaks from lost, misplaced, or stolen devices.
Think about it.
Let’s say your remote employee uses his personal smart phone to access the company’s cloud services, where he can view, share, and make changes to confidential documents like financial spreadsheets, presentations, and marketing materials. Let’s say he also logs into company email on his device, and he downloads a few copies of important files directly onto his phone.
Now, imagine what happens if, by accident, he loses his device. Worse, imagine if he doesn't use a passcode to unlock his phone, making his device a treasure trove of company data with no way to secure it.
Recent data shows these scenarios aren't just hypotheticals—they're real risks. According to a Ponemon Institute study, from 2016 through 2018, the average number of cyber incidents involving employee or contractor negligence has increased by 26 percent.
To better understand the challenges and best practices for businesses with remote workforces, Malwarebytes teamed up with IDG Connect to produce the white paper, “Lattes, lunch, and VPNs: securing remote workers the right way.” In the paper, we show how modern businesses require modern cybersecurity, and how modern cybersecurity means more than just implementing the latest tech. It also means implementing good governance.
Below are a few actionable tips from our report, detailing how companies should protect both employer-provided and personal devices, along with securing access to company networks and cloud servers.
If you want to dive deeper and learn about segmented networks, VPNs, security awareness trainings, and how to choose the right antivirus solution, you can read the full report here.
1. Provide what is necessary for an employee to succeed—both in devices and data access.
More devices means more points of access, and more points of access means more vulnerability. While it can be tempting to offer every new employee the perks of the latest smart phone—even if they work remotely—you should remember that not every employee needs the latest device to succeed in their job.
For example, if your customer support team routinely assists customers outside the country, they likely need devices with international calling plans. If your sales representatives are meeting clients out in the field, they likely need smart devices with GPS services and mapping apps. Your front desk staff, on the other hand, might not need smart devices at all.
To ensure that your company’s sensitive data is not getting inadvertently accessed by more devices than necessary, provide your employees with only the devices they need.
Also, in the same way that not every employee needs the latest device, not every employee needs wholesale access to your company’s data and cloud accounts, either.
Your marketing team probably doesn’t need blanket access to your financials, and the majority of your employees don’t need to rifle through your company’s legal briefs—assuming you’re not in any kind of legal predicament, that is.
Instead, evaluate which employees need to access what data through a “role-based access control” (RBAC) model. The most sensitive data should only be accessible on a need-to-know basis. If an employee has no use for that data, or for the platform it is shared across, then they don’t need the login credentials to access it.
Remember, the more devices you offer and the more access that employees are given, the easier it is for a third party or a rogue employee to inappropriately acquire data. Lower your risk of misplaced and stolen data by giving your employees only the tools and access they need.
2. Require passcodes and passwords on all company-provided devices.
Just like you use passcodes and passwords to protect your personal devices—your laptop, your smart phone, your tablet—you’ll want to require any employee that uses an employer-provided device to do the same.
Neglecting this simple security step produces an outsized vulnerability. If an unsecured device is lost or stolen, every confidential piece of information stored on that device, including human resources information, client details, presentations, and research, is now accessible by someone outside the company.
If your employees also use online platforms that keep them automatically logged in, then all of that information becomes vulnerable, too. Company emails, worktime Slack chats, documents created and shared on Dropbox, even employee benefits information, could all be wrongfully accessed.
To keep up with the multitude of workplace applications, software, and browser-based utilities, we recommend organizations use password managers with two-factor authentication (2FA). This not only saves employees from having to remember dozens of passwords, but also provides more secure access to company data.
3. Use single sign-on (SSO) and 2FA for company services.
Like we said above, the loss of a company device sometimes results in more than the leak of just locally-stored data, but also network and/or cloud-based data that can be accessed by the device.
To limit this vulnerability, implement an SSO solution when employees want to access the variety of your available platforms.
Single sign-on offers two immediate benefits. One, your employees don’t need to remember a series of passwords for every application, from the company’s travel request service to its intranet homepage. Two, you can set up a SSO service to require a secondary form of authentication—often a text message sent to a separate mobile device with a unique code—when employees sign in.
By utilizing these two features, even if your employee has their company device stolen, the thief won’t be able to log into any important online accounts that store other sensitive company data.
4. Install remote wiping capabilities on company-provided devices.
So, your devices have passwords required, and your company’s online resources also have two-factor authentication enabled. Good.
But what happens if an employee goes turncoat? The above security measures help when a device is stolen or lost, but what happens when the threat is coming from inside, and they already have all the necessary credentials to plunder company files?
It might sound like an extreme case, but you don’t have to scroll far down the Google search results of “employee steals company data” to find how often this happens.
To limit this threat, you should install remote-wiping capabilities on your company-provided devices. This type of software often enables companies to not just wipe a device that is out of physical reach, but also to locate it and lock out the current user.
Phone manufacturer-provided options, like Find my iPhone on Apple devices and Find my Mobile on Samsung devices, let device owners locate a device, lock its screen, and erase all the data stored locally.
5. Implement best practices for a Bring Your Own Device (BYOD) policy.
When it comes to remote workers, implementing a Bring Your Own Device policy makes sense. Employees often prefer using mobile devices and laptops that they already know how to use, rather than having to learn a new device and perhaps a new operating system. Further, the hardware costs to your business are clearly lower.
But you should know the risks of having your employees only accomplish their work on their personal devices.
Like we said above, if your employee loses a personal device that they use to store and access sensitive company data, then that data is at risk of theft and wrongful use. Also, when employees rely on their personal machines to connect to public, unsecured Wi-Fi networks, they could be vulnerable to man-in-the-middle attacks, in which unseen threat actors can peer into the traffic that is being sent and received by their machine.
Further, while the hardware costs for using BYOD are lower, sometimes a company spends more time ensuring that employees' personal devices can run required software, which might decrease the productivity of your IT support team.
Finally, if a personal device is used by multiple people—which is not uncommon between romantic partners and family members—then a non-malicious third party could accidentally access, distribute, and delete company data.
To address these risks, you could consider implementing some of the following best practices for the personal devices that your employees use to do their jobs:
- Require the encryption of all local data on personal devices.
- Require a passcode on all personal devices.
- Enable “Find my iPhone,” “Find my Mobile,” or similar features on personal devices.
- Disallow jailbreaking of personal devices.
- Create an approved device list for employees.
It's up to you which practices you want to implement. You should find a balance between securing your employees and preserving the trust that comes with a BYOD policy.
Securing your company’s remote workforce requires a multi-pronged approach that takes into account threat actors, human error, and simple forgetfulness. By using some of the methods above, we hope you can keep your business, your employees, and your data that much safer.