CISO Checklist: Working at Home Securely

Thousands of companies that never before believed in telecommuting or allowing employees to work from home are now forced to do so by the COVID-19 pandemic. This means more VPN usage for some companies, and unsecured connections for companies that have yet to deploy a VPN.
This sudden transition to remote networking has opened up an opportunity for threat actors to penetrate secure networks. System administrators and Chief Information Security Officers (CISOs) now have their hands full. They should be familiar with a remote work security checklist, if they are not already, and enforce it for their remote workers during and even after the current pandemic.
The remote work security checklist first depends on the following:
Required Security Technology and Third Party Providers
The CISO should have a robust security infrastructure in place. If so, make sure it is ready for everyone who will use it. If there is no infrastructure, one should be set up if there is time, by contacting third-party providers who can set it up immediately during the pandemic lockdown, remotely if necessary. If money is a problem, the CISO must consult the team about what is available and work on new or additional security measures.
Security Team
The CISO relies on a security team to set up and maintain whatever security technology the company employs. This team will be either minimal or in full force, if everyone can work remotely. The team can also come from the third-party provider that set up the security technology. The team should also enforce policy and make sure the security technology remains up and working.
Workforce
The workforce is the company's rank-and-file staff, as well as management, who will be working at home during a lockdown. The CISO and the security team need to ensure the workforce knows and understands the use and importance of the security technologies (a VPN, for example) and the security procedures (phishing awareness, for example).
Management
The company's executives oversee how security is being managed by the CISO, alongside the rest of the drastically changed operations. CISOs are expected to report breaches, if any, as well as the status of the security infrastructure.
Now for the checklist itself:
Device Encryption
Device encryption is a method of keeping company information secure. Mobile devices should employ some form of encryption technology in case they get lost while the employee or executive is away from home. This is much more important during non-lockdown situations and will stay important in the post-pandemic telecommuting landscape. Now that it has been proven to everyone that employees can still work outside the office, telecommuting could become a corporate mainstay. The devices should also allow for remote wiping in case they do get lost or stolen.
Updated and Supported versions of operating systems and software
Everyone in the company should be on the same page, meaning they should all be using the same updated versions of operating systems and company software. The more up to date the software, the more secure it will be and the easier to troubleshoot in case something goes wrong.
Disable Automatic Logins / Enable automatic locking
Humans are lazy creatures who will avoid having to reenter the same things (usernames and passwords) over and over. This is a no-no when it comes to security. Unattended devices often fall victim to thieves and hackers. The lazy can employ password managers and settle on just one username and password, or take advantage of the biometric security of newer devices. Devices should also have their automatic locks enabled in case the device is unattended for even a short period of time.
Hard-to-Guess PIN/Password
This is already a given whether or not there is a lockdown. Hard-to-guess passwords are now a must in corporate settings. To make things easier, and as mentioned, users can take advantage of the biometric security of newer devices.
Multi-Factor Authentication
Multi-factor authentication is a must for anyone working remotely, especially for workers who have to depend on devices that are not completely theirs. It is not enough to have a complicated password that could be broken by threat actors. Users need to verify their identity to keep said actors out, even if they have guessed the user's password.
VPN Usage
The best way to secure remote communications between the home and office is through a VPN. Companies can subscribe to a VPN service in order to further satisfy the first condition. If the first condition is somehow not satisfied, a VPN becomes much more important to ensure that remote communication is encrypted.
Security Awareness for the Workforce
The workforce should be made aware of the importance of security and be trained in the basic steps that make it possible. Workers should be made aware of viruses, malware, spam, scams and phishing attempts, as well as of keeping their systems updated, as covered by the second item in our checklist. The CISO and the security team will keep users aware of any issues and threats, and remind them to update when necessary.
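One way a security team could turn the device-checkable items of this checklist into a repeatable audit, shown as an added example that is not part of the original article. The record field names, the sample inventory, the minimum OS versions and the lock and password thresholds are all assumptions made for illustration.

```python
# Added example: audit constructed device-posture records against the checklist.
# Field names, thresholds and OS baselines below are assumptions, not the article's.
MIN_OS = {"windows": (10, 0, 19041), "macos": (10, 15), "android": (10,)}
MAX_LOCK_SECONDS = 300   # assumed ceiling for the automatic lock timeout
MIN_PASSWORD_LEN = 12    # assumed minimum PIN/password length

def parse_version(text):
    """Turn '10.0.19045' into (10, 0, 19045); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def os_supported(dev):
    floor = MIN_OS.get(str(dev.get("os", "")).lower())
    ver = parse_version(str(dev.get("os_version", "")))
    return bool(floor) and bool(ver) and ver >= floor

def int_in(dev, key, low, high):
    value = dev.get(key)
    return isinstance(value, int) and low <= value <= high

# One entry per checklist item that can be verified on the device itself.
CHECKS = [
    ("device encryption", lambda d: d.get("disk_encrypted") is True),
    ("remote wipe", lambda d: d.get("remote_wipe") is True),
    ("supported OS version", os_supported),
    ("automatic login disabled", lambda d: d.get("auto_login") is False),
    ("automatic locking", lambda d: int_in(d, "lock_after_s", 1, MAX_LOCK_SECONDS)),
    ("hard-to-guess PIN/password",
     lambda d: int_in(d, "min_password_len", MIN_PASSWORD_LEN, 10**6)),
    ("multi-factor authentication", lambda d: d.get("mfa_enrolled") is True),
    ("VPN usage", lambda d: d.get("vpn_enforced") is True),
]

def audit(device):
    """Return the checklist items a device fails; missing data counts as a failure."""
    return [name for name, ok in CHECKS if not ok(device)]

GOOD = {"disk_encrypted": True, "remote_wipe": True, "auto_login": False,
        "lock_after_s": 120, "min_password_len": 14, "mfa_enrolled": True,
        "vpn_enforced": True}
INVENTORY = [  # constructed sample records
    {**GOOD, "host": "laptop-01", "os": "Windows", "os_version": "10.0.19045"},
    {**GOOD, "host": "laptop-02", "os": "Windows", "os_version": "10.0.17763",
     "auto_login": True, "lock_after_s": 900},
    {"host": "phone-03", "os": "Android", "os_version": "11", "disk_encrypted": True,
     "auto_login": False, "lock_after_s": 60, "min_password_len": 6,
     "mfa_enrolled": False, "vpn_enforced": True},  # remote_wipe never reported
]

def report(inventory):
    return {d["host"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for host, failures in report(INVENTORY).items():
        print(host, "OK" if not failures else "FAIL: " + ", ".join(failures))
```

Treating a missing field as a failure means a device that stops reporting its posture shows up in the audit instead of passing silently.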
Linda Sloan
August 19, 2020 at 1:06 am
Thank You for this most informative post!! I have been the target for a hacker/stalker and his friends for more than 5 years and this article is so clear and concise!