1. Make sure it’s easy for your users to get started working remotely
The three key things you want to be able to set up easily and correctly are: encryption, protection and patching.
- Encryption means making sure that full-device encryption is turned on and activated, which protects any data on the device if it gets stolen.
- Protection means that you start off with known security software, such as anti-virus, configured in the way you want.
- Patching means that you will try to get the user configured to get as many security updates as possible automatically, so they don’t get forgotten. Windows 10 has this built in.
Remember that if you do suffer a data breach, such as a lost laptop, you may well need to disclose the fact to the data protection regulator in your country.
If you want to prove that you took the right precautions, and thus that the breach can be disregarded, you’ll need to produce evidence – the regulator won’t just take your word for it! Sophos Central Device Encryption provides for this.
Protection comes with the Sophos Endpoint Protection. If you are using this product, the license allows you to deploy to any device that the enduser has, including their home device(s).
Patching is a huge deal and is strongly recommended. We recommend accessing the device and ensuring all required patches are applied and MS updates are turned on. Patching is something we strongly recommend.
2. Make sure your users can do what they need
If users genuinely can’t do their job without access to the corporate applications and data, then there’s no point in sending them off to work remotely.
Make sure you have your chosen remote access solution working reliably first before expecting your users to adopt it.
If there are any differences between what they’re used to and what they’re going to get, explain the difference clearly. For example, if the emails they receive on their phone will be stripped of attachments, tell them in advance.
They’ll not only be annoyed, but will probably also try to make up their own tricks for bypassing the problem, such as asking colleagues to upload the files to private accounts instead.
If you’re the user, try to be understanding if there are things you used to be able do in the office that you have to manage without at home.
3. Make sure you can see what your users are doing
Don’t just leave your users to their own devices (literally or figuratively) when they’re working remotely. If you’ve set up automatic updating for them, make sure you also have a way to check that it’s working. Be prepared to spend time online helping them fix it if things go wrong.
If their security software produces warnings that you know they’ll encounter, make sure you review those warnings too. Let your users know what they mean and what you expect them to do about any issues that may arise.
Don’t patronize your users, because no one likes that; but don’t leave them to fend for themselves, either. Show them a bit of cyber-security love and you are very likely to find that they repay it.
We use GoToMeeting and GoToWebinar for remote access and support. Contact us if this is something you might want to explore.
4. Make sure they have somewhere to report security issues
If you haven’t already, set up an easily remembered email address (ie. HELPME @ yourcompany.com), where users can report security issues quickly and easily when working remotely.
Remember that a lot of cyberattacks succeed because the crooks try over and over again until one user makes an innocent mistake. If the first person to see a new threat has somewhere to report it where they know they won’t be judged or criticized (or, worse still, ignored), they’ll end up helping everyone else.
Teach your users! Use a Phishing campaign to teach and show your users how dangerous phishing emails can be. Connect with our staff to assist with this. Email attacks are becoming very dangerous and the primary method to compromise a device.
5. Make sure you know about “Shadow IT” solutions
Shadow IT is where non-IT staff find their own ways of solving technical problems, for convenience or speed.
If you have a bunch of colleagues who are used to working together in the office, but who end up flung apart and unable to meet up, it’s quite likely that they might come up with their own ways of collaborating online – using tools they’ve never tried before. Sometimes, you might even be happy for them to do this, if it’s a cheap and happy way of boosting team dynamics.
For example, they might open an account with a white-boarding tool – perhaps even one you trust perfectly well – on their own credit card and plan to claim it back later.
The first risk everyone thinks about in cases like this is, “What if they make a security blunder or leak data they shouldn’t?” But there’s another problem that many companies forget about: what if, instead of being a security disaster, it’s a conspicuous success? A temporary solution put in place to deal with a public health issue might turn into a vibrant and important part of the company’s online presence.
So, make sure you know whose credit card it’s charged to, and make sure you can get access to the account if the person who originally created it forgets the password, or cancels their card.
So-called “Shadow IT” isn’t just a risk if it goes wrong – it can turn into a complicated liability if it goes right!
Most of all…
We strongly recommend 2FA (Two Factor Authentication) for all remote devices that will be accessing corporate applications and data.
This process is an added layer of security that everyone should embrace. You can contact Data Integrity for our recommended solutions.
President, Data Integrity Services