What does the recent surge in businesses encouraging employees to work from home means for your business?
For most businesses that can remain productive during a pandemic such as the COVID-19, these businesses are opting to move their work force remote. When working remote there are key security and productivity practices that must be reviewed and revised with the changing workforce dynamic. Security, Communications, and Productivity are the key concerns when working remotely. Let us navigate some solutions to those concerns.
Virtual Private Networks / VPN Tunnels
Utilize a Virtual Private Network “VPN” to secure access on public and untrusted networks. There are two types of VPN’s, those that are considered a VPN -as-a-Service meant to secure or hide network traffic from others on the same network (“What a VPN-as-a-service Can Do!”) or hide traffic from an Internet Service Provider ISP (“What a VPN-as-a-service cannot do!”) or those VPN Tunnels that Perform a trusted and secure connection Between your businesses network and your employees. Typically for accessing some shared network resources, remote desktop services (“RDP”), application server, or file server. WiFi traffic is the most vulnerable traffic for hackers to gather information on, especially on Public WiFi and Hotel WiFi type connections. VPN services can either be setup for both purposes either cloud based hosted on Microsoft Azure, Google Cloud Services, AWS or another cloud services provider or through a physical device on your business network, such as a network firewall or security gateway. VPN access must also have strong security measures like using IKEv2 Protocol and using Multi-factor Authentication or FIDO2 Device as a second password.
Retention Policies
Maintain or Implement Document Retention Policies and maintain a Secure Backup. Make certain that employees continue to follow relevant data retention policies while working remotely. On most systems an audit can be ran either manually or task based that can automate reporting on a specific retention policy. This is possible on Dropbox, Google Business/Google Drive File Stream or Office 365. Within Office 365 its important to set retention policies for e-mail, SharePoint and Microsoft Teams data via Governance in Teams or Office 365 Cloud App Security. Cloud-Based Backups are necessary and when configured correctly can provide up to 30 days of constant retention if there were a need to restore files that were accidentally deleted.
Evaluate Licenses and Agreements IT Providers’
Evaluate Licenses and Agreements with Third-Party Software Provider’s, Data and IT Vendors that could possibly support your Remote Workforce. Ensure Servers have the necessary Client Access Licenses (“CALS”). Confirm that your business internet bandwidth won’t be adversely affected by an increase in VPN Traffic and consider increasing the speed. Make certain software providers can support your remote workforce and maintain awareness of contractual limits.
Maintain and Update your Security Appliance, Computer and Server Operating Systems, Network Firmware, Security License Subscriptions, Applications while employees are working from home. Let’s face it, software and firmware updates are increasingly painful to keep track of. It’s important to maintain your systems and keep them up to date. Most updates and patches are released to fix security loopholes and vulnerabilities. Staying up to date provides one of the largest security benefits to your businesses data.
Commonly Used and Important E-mail Security Methods
E-mail is the most commonly penetrated method of communication medium that transmits, viruses, malicious code, malware and spyware. First off, if you aren’t using some secured e-mail at your companydomain.com, this should be your primary focus when setting up your employee’s IT Infrastructure for success within the remote workforce. Second to that, if you are using a free, come with your webhosting e-mail package, the free Gmail account you used to use is likely much more secure. Most clients opt for G Suite or Office 365 for their email, while both are great options, if your employees use Microsoft Office Apps such as Outlook, Work, Excel or PowerPoint, stick with what they know in order to keep Moral up and changes to a minimum. Office 365 is a great platform and most utilize Office 365 Business Premium (Office 365 App Suite and Exchange E-Mail, SharePoint and Microsoft Teams) or Office 365 Business Essentials (Exchange E-Mail, Microsoft Teams). After you are on a secured business E-Mail Security Platform you will need to configure security properly within your admin center. For Google, keep “Less Secure Apps” Disabled, Enable and Enforce Multi-factor Authentication or FIDO2. For Office 365 Enable and Enforce Multi-factor Authentication, Disable Legacy Sign-Ins, Turn On Auditing, Setup and Review Retention Policies and Configure Cloud App Security for simple email security measures in Office 365 or Exchange E-mail. Using Single Sign-On? Evaluate SSO and make changes were the security dynamic changes. For example, if employees are working directly from their own PC’s or Personal Laptops a security policy for the remote workforce should include, requirements such as Endpoint Security or Antivirus Software being installed on the PC and the PC must be inspected and even monitored by IT. Certain local laws may require employees to be compensated by their employer for using their cellphones as the MFA Device or having Employee Owned Monitoring Software installed on their PC’s. Always check your local laws on compensation of business use on personal devices.
DNS Records for Security and Positive E-Mail Reputation, Avoid Client Spam and Junk Folders
Digging deeper into E-Mail Security it is important to ensure e-amil is setup correctly, often most believe just following the DNS server setup and successfully sending and receiving mail is it, project complete? Negative! There are several things that need to be implemented on a DNS level to further secure security, now are becoming mandatory. The DNS records SPF, DKIM and DMARC must be configured, Google and Microsoft Office 365 Business E-mail are soon to require this for all incoming mail to not land in a junk folder.
SPF is the Sender Policy Framework; its purpose is to list servers that can send mail for a specific domain. Since this record is a DNS record, its authoritative for the domain, only those with proper admin credentials can change this info.
DKIM or Domain Keys Identified Mail, is a method that verifies that messages content are trustworthy or unchanged since it left the mail server, this is achieved by a public and private key signing process. Messages transmitted are then signed by the server key, authenticating that the sending server actually sent the message; ensuring the message wasn’t spoofed from a hacker or malicious address.
Finally, DMARC or Domain-based Message Authentication, Reporting and Conformance. This DNS entry empowers or qualifies DKIM and SPF by making a policy on how they are used, can be used to gather stats on domain messages and used to send messages for reporting on messages that passed and did not pass SPF, DKIM or DMARC. SPF and DKIM are required prior to setting up DMARC.
Security Awareness Training and E-mail Security Gateways
Being vigilant with e-mail security starts with your employees or remote workforce. Making sure employees are practicing security and exercising caution with interacting with e-mails requires training. Realize first that a remote workforce is a “Zero Trust Environment” and company data is ultimately 10x more likely to be exposed or compromised is a rick or having a remote workforce. Having a solution that trains employees weekly/bi-weekly, in small sessions is needed. Many platforms exisit for White label Employee Security Training and Awareness. Webroot Security Awareness Training, Iron Scales Phishing and Simulation Training, and Breach Secure Now, to name a few. These all focus on educating and training the weakest link in IT Security for the Remote Workforce, Humans.
Another barrier for E-Mail Security is Proactive E-mail Protection. Proactive E-Mail Protection is offered by services such as Proofpoint or Barracuda Email Security Gateway/Essentials. The services act as a security and spam filtering service and as an E-mail Continuity Gateway. They are setup so that mail Travels into the Security Gateway first then on to the mail server and passed to the intended recipient. During this process E-mail is scanned for malicious code and zero-day vulnerabilities and placed into an admin release mailbox for review. Most allow for sending encrypted e-mail messages. These services aren’t extremely painful to pay for, some as low as $2 per user monthly. Having a full suite e-mail security gateway can make a world of difference when securing your remote workforce.Please focus on security when implementing your remote workforce security policy. What I’ve outlined here should be standard form most businesses, it certainly is for ours. If you need assistance setting up your remote workforce or implementing a security framework around your remote workforce please contact us or call at 713-970-1016