6 Best Practices for a Remote Company Security Policy

Before the coronavirus hit, only about 7% of the US workforce had the option to work from home, according to the Bureau of Labor Statistics. Here are six best practices for a sound remote company security policy.

January 14, 2021

Before the coronavirus hit, only about 7% of the US workforce had the option to work from home, according to the Bureau of Labor Statistics. Today, remote work accounts for over 70% of employees across all industries, with some companies exploring permanent work from home setups.

With so many organizations relying on out-of-office operations, a robust company security policy for remote access is not just a good idea, it’s a must in the new post-pandemic landscape.

What is a Company Security Policy?

All types of organizations, whether large or small, require a written policy that governs actions regarding cyber security. The company security policy provides a concrete standard of do’s and don'ts, and assures stakeholders that the organization takes IT security seriously, safeguards information, and has procedures in place in the event of an intrusion or security breach.

What a Security Policy Should Contain

The standard security policy typically consists of the following sections:

Purpose of the policy

  • Outline the importance of information security
  • Stress the company’s reputation, legal, and ethical obligations to data privacy and proprietary information
  • Comply with industry regulations that may apply to the organization. Some industries have compliance standards for sensitive information, such as HIPAA for healthcare and the Payment Card Industry Data Security Standard for the financial services sector.

Scope

  • List the elements of the policy (which will be discussed below)
  • Identify the audience it applies to

Data classification

  • Categorize data and access control
  • Identify what is considered public, proprietary, and confidential, along with the clearance levels for each category

Violations

  • Have a concrete list of disciplinary measures for policy violations

The Difference Between Traditional Security and Remote Access Security

Because of the upsurge in out-of-office operations, it’s necessary to distinguish the domain of remote security from conventional IT security.

Traditional office setups use hardwired desktops connected to a central network. Such networks use VPNs designed for an older era, when applications were hosted in an internal data center. This is the domain of conventional IT security.

Today’s remote setups use a variety of devices, some user-owned, to connect to the company network, greatly increasing the attack surface and intrusion risk. Applications have also shifted to the cloud, and attacks aimed at end users are far more common today.

Unlike traditional office computers protected by robust firewalls and restricted web access, devices working outside the office firewall are more exposed to attacks aimed at remote users. These include tactics such as phishing, social engineering, and malware and ransomware payloads, among many other threats.

Remote access security aims to strengthen the weakest link in the chain: remote end-users and their devices.

The Difference Between Remote Access Control Policy and Network Security Policy

The security policy should also distinguish between network security and remote access control.

The network security policy is the broad set of guidelines for access to the network. The remote access policy is a subsection that governs endpoint devices outside the office space, from laptops and tablets to smartphones and other productivity devices.

This subsection is critical for organizations that have a bring-your-own-device (BYOD) policy, that is, those that allow employees to work from their own devices in addition to company-supplied ones.

Why a Remote Security Policy Matters More than Ever

  • There is a hacker attack every 39 seconds, affecting 1 in every 3 Americans each year.
  • 64% of companies have experienced web-based attacks, while 62% experienced phishing and social engineering attacks.
  • The FBI has recorded a 300% surge in reported cyber attacks since the start of the pandemic, as malicious actors target remote work operations.
  • The average cost of a data breach is $3.9 million, and balloons to $116 million for publicly listed companies.
  • 95% of data breaches are caused by human error.
  • Security awareness and education are the best defense against phishing attacks.

Best Practices for Remote Company Security Policy

Password policy

  • Require strong passwords that must be changed on a regular basis.
  • Use two-factor authentication to mitigate the risk of stolen credentials.
  • Encourage good password habits, such as not reusing passwords and avoiding passwords that are easy to guess or that can be derived from information mined from social media.
  • Use password manager software to encrypt stored passwords and act as an additional safety layer.

Device controls

  • Enable an inactivity timeout lock so unattended devices lock automatically.
  • Enforce separate personal and work accounts to reduce the risk of compromised access.
  • Require permissions for critical functions such as installing or deleting apps.
  • Lock down device settings so users cannot change security-relevant configuration.
  • Enable automatic patching to ensure the device is always up to date.

Internet usage

  • Have web filters and restrictions in place.
  • Route email through business email servers and clients.

Physical security

  • Unlike traditional office computers, remote devices face the risk of loss or theft. While the device’s physical safekeeping is up to the user, the organization can take steps to protect the data on it if a device is misplaced or stolen.
  • Require a password or PIN and enable remote wipe.
  • Use disk or memory encryption to add an extra layer of protection.
  • Enable location tracking, balanced against user privacy concerns.
  • Use a device management service to keep track of all devices, including their geo-fenced locations and current status.

Access control

  • Assign access according to a defined access control model:
      ◦ mandatory access control
      ◦ discretionary access control
      ◦ role-based access control
      ◦ rule-based access control
  • Add extra layers of authentication such as device signatures.
  • Periodically review credentials and update access level. This should be done on at least a quarterly basis, or during personnel changes such as promotions or cross-company movement.

Educate

  • The best defense is to empower the user who owns the device.
  • Educate employees on device security instead of passively having them sign the policy and forget about it.
  • Share regular security updates, news about exploits and data breach incidents, and information on the latest attacks so employees stay sufficiently aware.

Conclusion

Even with the end of the pandemic, the workforce landscape has irrevocably changed. Companies like Facebook and Twitter are giving employees the option to work from home indefinitely, while others like Mastercard and Uber are exploring long-term remote operations.

However, the move to telecommuting has also caused an uptick in remote attacks. One security poll found that almost half of the companies surveyed experienced a phishing attack, a third reported an increase in ransomware attacks, and a quarter saw a rise in vishing (voice spear phishing). Meanwhile, over a third of the IT leaders of these organizations are worried about having inadequate time or resources to support remote workers.

For better or worse, remote work is here to stay. A robust security policy can help your company adapt to the new remote environment, and avoid being part of the statistic.
