As organizations are quickly adapting to the rapidly changing situation due to COVID-19, many companies are requiring that their employees work remotely from home, often for the first time. If the employee’s computer or home network isn’t secure, it leaves both the employee and the company at risk. Ransomware, stealing information and shutting down the network entirely are all potential risks. Here are a few simple steps that can mitigate the risk in the months ahead.
Conditional Access & Multi-factor Authentication
Use of MFA is estimated to stop 99.9% of identity compromises. As employees will potentially be accessing organization systems and services from their home networks and personal devices, controlling access to those systems is paramount. If home workers are required to log in with only a username and password, then an attacker who compromises those credentials can log in from anywhere.
Organizations can use Azure Active Directory to allow logins only if users or devices meet certain conditions. Employees can be required to use a second factor of authentication (e.g. a cell phone or hardware token), and devices can be required to meet certain compliance configurations. You could even completely deny access from any non-company-owned device. There are multiple ways to use Conditional Access and MFA to meet organizational needs.
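As an added illustration (not code from the original article or from Microsoft), the Python sketch below audits a list of Conditional Access policies for gaps that would still let a user sign in without MFA. It assumes the policies have been exported as JSON in the shape of Microsoft Graph conditionalAccessPolicy objects; the sample policies, their names and the excluded id are constructed, and the check ignores other conditions such as locations and platforms.

```python
import json
# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects.
# Policy names and the excluded id are made up for illustration.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["EXAMPLE-USER-ID"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "MFA or compliant device", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
 {"displayName": "Require MFA - pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

def audit_policy(policy):
    """List the reasons a policy does not force MFA on every user and app."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    findings = []
    if policy.get("state") != "enabled":
        findings.append("not enforced (state=%s)" % policy.get("state"))
    if "All" not in (users.get("includeUsers") or []):
        findings.append("does not include all users")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("does not cover all applications")
    if "mfa" not in controls:
        findings.append("MFA is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("OR operator lets another control stand in for MFA")
    excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
    if excluded:
        findings.append("%d excluded user/group id(s) bypass the policy" % len(excluded))
    return findings

def audit(policies):
    return {p["displayName"]: audit_policy(p) for p in policies}

def mfa_enforced_for_everyone(policies):
    # True only if at least one policy has no findings at all.
    return any(not findings for findings in audit(policies).values())

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(name, "->", findings or "OK")
```

An exclusion finding is a prompt for review, not necessarily a defect: emergency-access accounts are commonly excluded on purpose, but each excluded id should be known and justified.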
Protect Company Data with MDM & MAM
Many employees do not have corporate laptops, which means that those employees now working from home will be using personal devices to access company resources. That means that organizations need to protect the applications and data being accessed from that device. A good solution for this is to implement device management through a service such as Microsoft Intune. Intune provides both Mobile Device Management (MDM) and Mobile Application Management (MAM) policies to control access to resources.
MDM can control the device itself, limiting access to certain resources or controlling certain configurations such as password requirements, anti-virus installs, etc. MAM protection policies can be used to prevent company data from saving to the local storage of the device or restrict data movement to other apps that aren’t protected by app protection policies.
Protect Your People from Social Engineering
It’s common knowledge that the greatest risk to organizational security is human beings. Collectively, people display an ability to (mostly) accidentally do the wrong thing time and time again. At this time of heightened stress, fear and uncertainty, people are even more susceptible to social engineering and phishing.
Now is a good time to reinforce strong Security Awareness. The bad guys are taking advantage of the world situation and now is a good time to remind employees to be even more diligent. That goes both for those still working in the office and especially for those working remotely.
If your organization isn’t using a service such as Office 365 Advanced Threat Protection, now would be a good time to implement it. O365 ATP provides enhanced capabilities to protect against malicious attachments and phishing links. Knowing that employees may be less focused on work, decreasing the risk of a phishing attack should be a top priority.
Remote Work Doesn’t Have to Be Risky
For all of the organizations that are now requiring their employees to work remotely for the first time, there are hundreds more where this is common practice. Depending upon how long the COVID-19 pandemic lasts, the future of remote work in many organizations could become a significant, long-term security issue.
Implementing just a handful of additional security measures and consistently reminding employees to pay more attention to basic security rules could pay dividends in the end. Just as quarantine and isolation will help all of us globally “flatten the curve” to stem the tide of the pandemic, collective caution and diligence will help organizations and the employees themselves avoid falling victim to avoidable incidents.