Before the coronavirus hit, only about 7% of the US workforce had the option to work from home, according to the Bureau of Labor Statistics. Today, remote work accounts for over 70% of employees across all industries, with some companies exploring permanent work from home setups.
With so many organizations relying on out-of-office operations, a robust company security policy for remote access is not just a good idea, it’s a must in the new post-pandemic landscape.
What is a Company Security Policy?
All types of organizations, whether large or small, require a written policy that governs actions regarding cyber security. The company security policy provides a concrete standard of do’s and don’ts, and assures stakeholders that the organization takes IT security seriously, safeguards information, and has procedures in place in the event of an intrusion or security breach.
What a Security Policy Should Contain
The standard security policy typically consists of the following sections:
Purpose of the policy
- Outline the importance of information security
- Stress the company’s reputation, legal, and ethical obligations to data privacy and proprietary information
- Comply with industry-standard regulations that may apply to the organization. Some industries have compliance standards for sensitive information, such as the HIPAA for healthcare and the Payment Card Industry Data Security Standards for the financial service sector.
- List the elements of the policy (which will be discussed below)
- Identify the audience it applies to
- Categorize data and access control
- Identify what is considered public, proprietary, and confidential, along with the clearance levels for each category
- Have a concrete list of disciplinary measures for policy violations
The Difference Between Traditional Security and Remote Access Security
Because of the upsurge in out-of-office operations , it’s necessary to distinguish the domain of remote security from conventional IT security.
|Traditional security||Remote work security|
|Devices||Hardwired or WiFi- connected desktop computers or laptops||Wider variety of productivity devices (smartphones, tablets, PDAs, etc), some of which may be user-owned|
|Connection||LAN or Wi-Fi||External ISPs routed through VPN|
|Data hosting||Internal data center||Data center or cloud|
Traditional office setups use hardwired desktops connected to a central network. Such networks use VPNs designed for an older era, when applications were hosted in an internal data center. This is the domain of conventional IT security.
Today’s remote setups use a variety of devices, some user-owned, to connect to the company network, greatly increasing the attack surface and intrusion risk. In addition, applications have also shifted to the cloud, and end user attacks are much more common today.
Unlike traditional office computers with robust firewalls and restricted web access, devices working outside the safety of the office firewall are more vulnerable to remote user attacks. These include tactics like phishing, social engineering, malware and ransomware payloads, among many other threats.
Remote access security aims to strengthen the weakest link in the chain: remote end-users and their devices.
The Difference Between Remote Access Control Policy and Network Security Policy
The security policy should also distinguish between network security and remote access control.
The network security policy is the broad set of guidelines for access to the network. The remote access policy is a subsection that governs endpoint devices outside the office space, from laptops and tablets to smartphones and other productivity devices.
This subsection is critical for organizations that have a BYOD policy, or allow employees to work from their own devices in addition to company-supplied ones.
Why a Remote Security Policy Matters More than Ever
- There is a hacker attack every 39 seconds, affecting 1 in every 3 Americans each year.
- 64% of companies have experienced web-based attacks, while 62% experienced phishing and social engineering attacks.
- The FBI has recorded a 300% surge in reported cyber attacks since the start of the pandemic, as malicious actors target remote work operations.
- The average cost of a data breach is $3.9 million, and balloons to $116 million for publicly listed companies.
- 95% of data breaches are caused by human error (find a source that’s no from a competitor).
- Security awareness and education are the best defense against phishing attacks.
Best Practices for Remote Company Security Policy
- Password policy
- Enable strong passwords that must be changed on a regular basis.
- Use two-factor authentication to mitigate the risk of stolen credentials.
- Encourage good password habits, such as not reusing passwords or using passwords that are easy to guess and vulnerable to social mining.
- Utilize a password manager software to encrypt stored passwords and act as an additional safety layer.
- Device controls
- Enable device timeout lock to make unattended devices more secure.
- Enforce separate personal and work accounts to reduce the risk of compromised access.
- Require permissions for critical functions such as installing or deleting apps.
- Lock the settings option.
- Enable auto patches to ensure the device is always up-to-date.
- Internet usage
- Have web filters and restrictions in place.
- Emails should be routed through business email servers and clients.
- Physical security
- Unlike traditional office computers, remote devices face risks of loss or theft. While the device’s physical well-being is up to the user, the organization can implement steps to ensure data integrity if ever it gets misplaced or stolen.
- Enable passwords / PINs and remote memory wipe.
- Use disk or memory encryption to add an extra layer of protection.
- Enable location tracking, balanced against user privacy concerns.
- Use a device management service to keep track of all devices, including their geo-fenced locations and current status.
- Access control
- Assign access according to
- mandatory access control
- discretionary access
- Add extra layers of authentication such as device signatures.
- Periodically review credentials and update access level. This should be done on at least a quarterly basis, or during personnel changes such as promotions or cross-company movement.
- The best defense is to empower the user who owns the device.
- Educate employees on device security instead of passively having them sign the policy and forget about it.
- Have active updates on security, news about exploits and data breach incidents, and keep them updated on the latest attacks so they are sufficiently aware.
Even with the end of pandemic, the workforce landscape has irrevocably changed. Companies like Facebook and Twitter are giving employees the option to work from home indefinitely, while others like Mastercard and Uber are exploring long-term remote operations.
However, the move to telecommuting has also caused an uptick in remote attacks. One security poll found that almost half of the companies surveyed experienced a phishing attack, a third reported an increase in ransomware attacks, and a quarter saw a rise in vishing (voice spear phishing). Meanwhile, over a third of the IT leaders of these organizations are worried about having inadequate time or resources to support remote workers.
For better or worse, remote work is here to stay. A robust security policy can help your company adapt to the new remote environment, and avoid being part of the statistic.