Don’t forget about security while working from home


A short while ago, we discussed preparing and testing a Remote Work Plan as COVID-19 was becoming more prevalent. The time for planning is now past and most businesses that can support home workers should already have that plan in operation.

The Home Workstation

Probably the most important aspect of working from home is making sure that the home workstation is safe, secure and pre-configured to work in the event of an emergency. Ideally, company-owned and configured devices should be used. If that’s not possible, have each employee identify in advance the workstation/laptop to be used and ensure that it:

  • Has current antivirus or antimalware software
  • Is fully patched with the latest security patches
  • Is running a current, supported operating system
  • Has all of the necessary applications and tools required for the individual’s job, or is configured for remote access to those tools
  • Is pre-configured with secure VPN (Virtual Private Networking) agents

It’s also a very good idea to use Multi-factor Authentication (MFA) when connecting to company or cloud-based applications. Once you permit access remotely, use all precautions to make sure you know who is connecting, and where they are connecting from.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a security system that verifies a user’s identity by requiring multiple credentials. Typically, this means providing an additional way for a user to verify who they are beyond the usual username and password. This additional factor should be one that is not easily captured or hacked by a bad actor. Most modern applications support some level of MFA. It is important to investigate what options are available for your applications.

Here are the most common methods of Multi-Factor Authentication. These are listed from the weakest to the strongest options.

1) Email Code. The application sends a code to your pre-registered email address. The code must be entered within a limited window of time.

  • Good – This adds an additional factor for authentication with a limited time code.
  • Good – This method doesn’t require any special device or application.
  • Not so good –
    • Email accounts are vulnerable to hacking so the code could be captured as well.
    • If the email account is compromised, the hacker doesn’t need any special device or application either.
    • Email should be protected by MFA as well, so you need another way to add multi-factor authentication to the email account.

2) Text Code. The code is texted to your registered mobile phone number.

  • Good – The application sends a limited time code to a specific mobile phone device held only by the user via text message.
  • Good – A lost phone is easier to identify and report than a hacked email account.
  • Not so good – SIM swapping is a known way for hackers to capture texts from mobile phones, but is still much less common than email hacking.

3) Mobile App. The code is accessed from a dedicated mobile app.

  • Good – A hacker would have to have physical access to both your phone and credentials for the app to access the code.
  • Not so good – The end user must have a smart phone capable of running the app.

4) Hardware Token. The code comes from a hardware token that displays a time sensitive code or can be plugged into a USB port.

  • Good – Doesn’t require users to have a “smart phone” or mobile app.
  • Good – A hacker would have to have physical access to your token to get the code.
  • Not so good – Tokens must be ordered and distributed in advance.
  • Not so good – don’t lose the token!

Biometrics (fingerprint or facial recognition) can be added to any of the methods above to enhance security, but are not strongly secure as implemented on phones and laptops. They can be a convenience and are often better than remembering and entering a really complex password, but typically do not count toward MFA by themselves.

Security Awareness is paramount for home workers. The single most common way for hackers to gain access to your credentials is through careless clicks on emails and websites. All employees should keep up their training and phish resistance!

For the past several weeks, RESULTS has been helping hundreds of clients transition to a safe, secure, work from home environment. If you need help with your work from home technology or security awareness training for your employees, please give us a call.