The COVID-created rush to have everyone working from home inadvertently exposed firms to security threats they may not have considered before the pandemic struck.
Even firms that were already in the cloud (and had adopted a mobile mindset) had to quickly transition tax and administrative personnel that may not have previously had experience working remotely.
With much of a firm’s personnel being newly placed into this work situation, now is a good time to review and tune-up your security processes to ensure they properly protect the firm for all remote users.
Below are key remote work considerations in expanding the firm’s security policies to accommodate this new remote normal.
Verify only authorized equipment is connected to the firm’s applications and data. This mandates that only computers configured by the firm’s IT team be utilized.
Other devices such as employee-owned computers, smartphones, and tablets should have their security settings verified as well, particularly that automatic updates are enabled for the operating system (Windows, macOS, iOS, or Android), antivirus, and other security applications before they are allowed to connect.
All firm-owned equipment (monitors, docking stations, keyboards, mice, power strips, etc.) should be inventoried.
Inventorying these items will help set guidelines on future support for hardware. (And if it’s employee-owned equipment, it’s not the firm’s responsibility to support.)
If the firm’s policy already allows the use of personally owned computers and other equipment, they should NOT be shared with any other family members.
In addition to the antivirus and operating system updates mentioned above, the policy should limit employees’ ability to load unauthorized applications or plug in any USB storage device, as both actions can introduce malware.
Cloud solutions (like Right Networks) can enforce such security policies as well as provide application maintenance and a consistent remote work experience between home and office.
Mandated security training for all personnel should be completed at least annually and done immediately if not completed since being sent home due to the pandemic.
This training should incorporate all evolving threats on social engineering, ransomware, phishing emails, fake application updates, and any IT policy updates since the last training.
It should also include specific remediation instructions if the employee inadvertently clicks on a phishing email or suspects their security has been breached.
Instructions may include disconnecting immediately from the ethernet or WiFi connection, documenting events leading up to the breach, and contacting a specific internal security team member for further guidance.
The security of employees’ home internet connections should be verified. This includes verifying that the firmware on their modem and router is up to date, and that the default administrator login credentials have been changed, before connecting to firm resources.
Segmenting internet connections can also provide additional security by dedicating primary access to the employee and having other family members on the secondary or “guest” access point.
This guest network should also carry non-business internet-enabled devices such as digital doorbells and locks, garage door openers, gaming consoles, and other “smart” IoT devices, which could pose a threat to firm systems if compromised.
If the home network cannot be verified, using the mobile hotspot on the employee’s smartphone is a more secure alternative than a home WiFi network that may be compromised.
According to the IRS, all firms should be using multi-factor authentication, virtual private networking (VPN) applications when connecting to their digital resources, and modern password rules.
Modern password rules indicate that passwords should be:
• A passphrase of three or more random words
• Unique to each user
• Never repeated across multiple accounts
To discourage password re-use, recommend that your firm personnel use a password vault application.
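To make the “three or more random words” rule concrete, here is a small Python helper that generates such passphrases with a cryptographic random source, estimates their guessing strength from the size of the wordlist, and flags a passphrase that has been reused across accounts. This is an added example, not code from Right Networks or the IRS; the wordlist is a constructed sample so the script runs offline, and the 7,776-word figure it compares against is the size of the published EFF large wordlist.

```python
"""Passphrase policy helper: generate passphrases of three or more random
words, estimate their strength, and detect reuse across accounts."""
import math
import secrets

# Constructed sample wordlist so the example runs offline. A real deployment
# would load a published list such as the EFF large wordlist (7,776 words);
# strength scales with the list size, see entropy_bits().
SAMPLE_WORDS = [
    "acorn", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "anchor", "bramble", "copper",
    "dagger", "engine", "forest", "glacier",
]
MIN_WORDS = 3  # the "three or more random words" rule from the text


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random (CSPRNG) and join them."""
    if count < MIN_WORDS:
        raise ValueError(f"a passphrase needs at least {MIN_WORDS} words")
    if len(set(words)) != len(words):
        # Duplicates would bias the draw toward the repeated words.
        raise ValueError("wordlist must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(wordlist_size, count):
    """Guessing entropy of `count` words drawn uniformly from `wordlist_size`."""
    return count * math.log2(wordlist_size)


def meets_policy(passphrase, separator="-", min_words=MIN_WORDS):
    """True if the passphrase has at least `min_words` non-empty words."""
    parts = passphrase.split(separator)
    return len(parts) >= min_words and all(parts)


def find_reuse(accounts):
    """Return passphrases assigned to more than one account (the reuse the
    text forbids). `accounts` maps account name -> passphrase."""
    seen, reused = {}, set()
    for account, secret in accounts.items():
        if secret in seen:
            reused.add(secret)
        seen[secret] = account
    return reused


if __name__ == "__main__":
    p = generate_passphrase(SAMPLE_WORDS)
    print(p)
    print(f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits from this small list")
    print(f"{entropy_bits(7776, 4):.1f} bits from a 7,776-word list")
```

The entropy figures are the reason the rule says random words from a large list: four words from the sample list above give only 20 bits, while four words from a 7,776-word list give about 52 bits. A password vault automates both the generation and the reuse check shown here.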
While keeping client data protected is top of mind within the office, it can be an afterthought when working from home.
Firms need to remind their members that their work-from-home areas should be conducive to keeping client data private. Data privacy is supported by shutting down the computer while not actively working and mandating that screen locks automatically kick in after a pre-determined period of inactivity (e.g., five minutes).
We suggest you utilize part of this time to review your firm’s remote security protocols and technology, update them where necessary, and ensure each member is aware of them so no security risks slip through the cracks.
Roman H. Kepczyk, CPA.CITP is Right Networks Director of Firm Technology Strategy and has been a remote worker for more than two decades.
In this Remote Work series, he will share his findings and best practices to help your firm optimize and take advantage of the remote benefits that are part of your new normal.