A Guide Book for Best Practices Related to Work from Home.

Amidst the Coronavirus crisis, remote access has become the new normal, as workplaces have completely shifted to digital. More and more industries and services are now allowing their employees to work from home and these companies do not have a set guideline in place for remote access. The article below gives a detailed guidance to avoid risks on key areas associated with working from home

I. Remote Access

1) Do not introduce/ download vulnerable IT protocols into Work from Home devices. One example is remote desktop protocol.

2) Ensure that advanced authentication mechanisms such as multifactor authentication are established.

3) Educate the users on how to use those advanced authentication mechanisms.

4) Implement a zero-trust architecture for your remote access solutions.

II. VPN

1) Certificates related to VPN must be installed properly and VPN must be properly secured using cryptography. It is advisable not to use MD5 or SHA1 associated certificates.

2) Companies should outline the capacity of users who would be leveraging the service, including the technical specifications required for the said capacity.

3) Users should know the licensing model associated with the VPN and understand how to allot and revoke such licenses.

4) Companies should actively measure bandwidth requirements related to VPN.

5) Companies should rotate their workforce so that the VPN meter doesn't go out of hand.

6) Ensure that proxy browser through VPN is installed and review if the VPN does support it for lower bandwidth internal applications.

7) DNS security must be implemented to authenticate queries. This feature ensures that queries from malicious domains are blocked.

8) If the bandwidth isn't a concern, then companies can look to configure full tunneling VPN solutions.

9) If bandwidth is a concern then companies should allow split-tunneling for VPN connections to accord with a robust least-privilege policy for VPN traffic.

10) Companies should properly validate their remote access endpoint enrollment process.

III. BYOD (Bring your Own Device)

1) Adopt a suitable strategy for endpoint connectivity. The different endpoint connectivity options can be:

• a. Company managed endpoint

• b. A BYOD endpoint which is connected to a company managed VDI instance.

• c. A BYOD endpoint which is validated to meet baseline security posture.

2) Companies should establish a minimum-security guideline for the device.

3) Determine in advance, if we can install enterprise security tools on user-owned machines to meet the standards.

4) Companies should individually validate the security features of BYOD devices with the baseline security standard.

IV. Work from Home Awareness

1) Companies should provide their employees with awareness trainings.

2) Evangelize the remote employees with regular updates on the following:

• a. Social engineering.

• b. Email phishing.

• c. Phone fraud.

• d. COVID-19 fake news.

3) Keep the IT security teams updated with new security risks that might arise due to the sudden increase in remote employees’ numbers.

V. Cloud and Digital Transformations

1) Utilize Cloud for internal services

2) Do not be hesitant in moving some workloads to public cloud.

3) Have proper audits for cloud access authorization settings.

4) Ensure that MFA is installed for all apps, especially SaaS based apps.

5) Ensure that the SSO strategy for Cloud and On-premise systems are properly aligned.

6) Properly educate internal stakeholders about the risks associated with unauthorized cloud services purchase.

VI. Identity Governance

1) A secure remote access system must be established for all users and for all their devices.

2) Properly evaluate the validity of current identities.

3) Adopt multi factor authentication for identity governance.

4) Regularly review policies and keep an account of the sensitive data that is exchanged between remote users.

5) Activate password reset capabilities and processes.

VII. Data management

1) Apply data policies to Work from Home scenarios.

2) Identify critical data and ensure that proper controls on their exchange is maintained.

3) Control permissions to users having access to sensitive data

4) Implement data encryption policies for work from home scenarios.

5) The corporate devices should have proper encryption to protect them from theft and loss.

VIII. Security Operations

1) Companies should properly configure the security operations to include remote access devices.

2) Expand the existing security operations infrastructure to include WFH systems.

3) Increase monitoring capabilities.

IX. Collaboration/Conferencing solutions

1) Investigate the total number of users the conferencing solutions will support.

2) Take note of the licensing model and understand the billing mechanism. For e.g. if it is a per usage or per minute billing.

3) Educate the users on how to the use the applications. Conduct appropriate trainings.

4) Companies can consider turning off the voice activated assistant technology during remote meetings. This would prevent cases of data leakage.

X. General Communications

1) Regularly update all employees about how do's and don'ts.

2) Create a generic mailbox used to evangelize the employees with proper policies and guidelines.

3) Regularly share upbeat and motivating messages in order to keep the employee morale high during the pandemic.

4) Prepare and share a guidebook on best practices like adherence to schedule etc.

5) Companies should also educate the employees about generic updates related to COVID-19, especially the misinformation and rumors.

6) Make sure you touch base with your employees at least once in day.

Final thoughts

You can use the guidelines stated above to create a standard ‘Work from home’ policy for your organization or just use key points stated in the document to introduce best practices for your work from home employees