With more and more companies allowing their employees to work remotely, it raises the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
A few months ago, I came across a Gallup Report entitled, “State of the American Workplace” and a particular section caught my attention. It focused on remote working. According to the report, “In 2016, the number of employees that had worked remotely at least some of the time, grew to 43%.” That was a four percent increase from 2012, when 39% of employees said they had worked remotely. Cloud services like Amazon Web Services, Microsoft Azure, and Google Cloud Platform have drastically changed the computing infrastructure. These technologies have enabled us to have a much more flexible and customizable work environment, while at the same time creating far more challenges than we were used to for keeping company data secure.
With more and more companies allowing their employees to work remotely, you have to wonder: What are some of the security risks involved with remote employees?
By allowing your employees to work remotely, you are basically decentralizing business systems and extending your business to the cloud. This practice puts business data at risk. If an employee’s device gets compromised or stolen, there could be tremendous data loss if it falls into the wrong hands or is somehow unretrievable. A 2014 article by the information security firm Imation mentioned that one-third of remote employees admitted they had lost unsecured and unencrypted mobile devices in a public place.
The issue is not that one specific application is the most vulnerable when your employees work remotely; it’s the fact that remote employees tend to engage in risky behavior. For example, many forget that they are in a public setting when discussing sensitive information, they tend to transfer company files to their personal devices, and even worse, they often share company passwords through shared documents. All of these practices put business data at risk. With the growing number of remote employees and the security risks involved, it is critical for IT departments to implement processes that will allow the user to work securely from a remote location and minimize data loss when possible.
Here are a few basic steps we consider when securing remote devices:
- Start by encrypting the hard drive on the device.
- Have the ability to gain control of the device, wipe the hard drive, and view the device location at all times in case the device is stolen or lost.
- To reduce the risk of malware infections, install security software on every remote device and manage updates remotely.
- Implement a user password management policy that requires user passwords to be changed every 90 days.
- If cloud applications are being used, most of the security responsibilities are handed off to the cloud provider. This can be good—and bad. Most cloud services tend to have more resources when it comes to securing customer data. At the same time, having more resources for securing data doesn’t mean that your data is 100% secure. When dealing with cloud applications, I make sure users understand that they need to create strong passwords. If the cloud application offers forms of authentication other than a password, those settings are enabled for the users. A good example is Google Apps. They offer a 2-step verification process that requires the user to enter a one-time code when they log in. If a service offers features like two-factor authentication, you should always take advantage of it since it adds an extra layer of security to your company data.
- When setting up a remote employee who will require a physical device, we make sure they are set up with a secure connection to our corporate network via a virtual private network (VPN). There are firewall rules in our corporate location that separate remote subnets from local subnets, giving us the ability to control access to different parts of our environment.
- Take advantage of cloud services. We recently adopted the Amazon WorkSpaces service—which is a fully managed, secure Desktop-as-a-Service solution—to run in our internal environment, allowing us to provision virtual desktops to our remote employees. With the different protocols Amazon WorkSpaces uses, data is compressed, encrypted, and encoded so that only images are transmitted and data no longer resides on the local device. It has enabled us to provision new machines for remote users faster and more securely. All the virtual machines are deployed internally, secured using security groups, and managed by a cloud-based Active Directory Connector. This gives us the ability to revoke a remote employee’s access when they leave the company.
- With regard to password sharing, having a password manager with the ability to grant and deny access to users is recommended. I recommend using a database that holds account passwords in an encrypted form. We’ve implemented security groups in our environment to grant access to employees based on different criteria. With remote employees, access to any of the passwords is only available through a VPN connection and requires 2-factor authentication.
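One way to check a device inventory against the steps above is sketched below; this is an added example, not code from the original post. The inventory fields, the 7-day update threshold, the `10.8.0.0/24` VPN pool, and the sample records are all assumptions constructed for illustration; only the 90-day password age comes from the list.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

MAX_PASSWORD_AGE = timedelta(days=90)          # from the 90-day policy above
MAX_UPDATE_AGE = timedelta(days=7)             # assumption: allowed staleness of security software
REMOTE_VPN_SUBNET = ip_network("10.8.0.0/24")  # assumption: constructed VPN address pool

@dataclass
class Device:                                  # hypothetical inventory record
    host: str
    disk_encrypted: bool
    mdm_enrolled: bool                         # remote control / wipe / locate available
    last_security_update: date
    password_changed: date
    two_factor: bool
    last_ip: str                               # source address of the last corporate session

def audit(dev, today):
    """Return the baseline controls this device fails, in checklist order."""
    findings = []
    if not dev.disk_encrypted:
        findings.append("disk-not-encrypted")
    if not dev.mdm_enrolled:
        findings.append("no-remote-wipe")
    if today - dev.last_security_update > MAX_UPDATE_AGE:
        findings.append("security-software-stale")
    # A password changed exactly 90 days ago is still within policy.
    if today - dev.password_changed > MAX_PASSWORD_AGE:
        findings.append("password-older-than-90-days")
    if not dev.two_factor:
        findings.append("2fa-disabled")
    if ip_address(dev.last_ip) not in REMOTE_VPN_SUBNET:
        findings.append("session-outside-vpn")
    return findings

# Constructed sample inventory (not real devices).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("lt-001", True, True, date(2024, 5, 30), date(2024, 4, 1), True, "10.8.0.14"),
    Device("lt-002", False, True, date(2024, 5, 1), date(2024, 1, 15), True, "10.8.0.22"),
    Device("lt-003", True, False, date(2024, 5, 29), date(2024, 3, 3), False, "203.0.113.50"),
]

def report(inventory=INVENTORY, today=TODAY):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    return {d.host: f for d in inventory if (f := audit(d, today))}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, ", ".join(findings))
```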
As the remote working trend continues to grow in popularity among businesses, we need to be mindful of the security risk it presents to business data. While you can work hard on the front end to secure machines and networks, take time to educate remote users on how to work safely, and together you can keep business data secure.