Use a Virtual Private Network (VPN), not Remote Desktop Protocol (RDP).
The use of a VPN is a fundamental safeguard when users access the company's network over their home WiFi. A VPN encrypts data in transit, which adds a layer of protection for information such as passwords, credit card numbers and other sensitive or private information. A VPN can also provide a degree of anonymity through capabilities such as masking of location data, browsing history and IP addresses. Employers should avoid using RDP on their network. RDP may be an expedient option, but it is not a secure solution.
Implement Multifactor Authentication (MFA).
The basic principle of MFA is that an authorized user must provide more than one method of validating their identity. Even if a cyber attacker has obtained a user ID and password, MFA decreases the risk that the attacker can gain access by requiring an additional means of validation. Commonly, the factors fall into one of three categories: something you have (e.g., an authenticator app on a smartphone), something you are (e.g., a fingerprint) or something you know (e.g., a PIN). For more information on the best way to implement MFA at your company, reach out to your technology staff and/or managed service provider.
Ensure remote work practices comply with internal and external policies, laws and regulations.
It is important for companies to understand their regulatory environment and ensure that remote work maintains compliance. Some roles within a company may not be suited to remote work, in which case companies should be clear with staff about remote work expectations and permissibility. For example, some teleconferencing software may not be HIPAA compliant for use by a medical provider because the software does not encrypt personal health information (PHI). Identify and address the risks of storing business information in personal cloud storage, printing on home printers, etc.
Ensure systems, software, technologies and devices are updated with the latest security patches.
Employers should track the equipment to be used in a home environment and provide a means of applying software security patches. The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database, which offers information on vulnerabilities from many vendors. For more information about patch management and best practices to consider, reference the NIST Guide to Enterprise Patch Management Technologies.
Prevent unauthorized users on company resources (e.g., laptops, mobile devices).
Employees should not allow anyone to access company resources, including family members. Whenever possible, use a private location if you are on a call or in a meeting that involves sensitive information, such as anything HIPAA-related.
Use only company-authorized devices for remote work.
Personal devices may not have the same level of security and privacy protections as company devices. If your company has a "Bring Your Own Device" policy, be sure that your use of a personal device is in accordance with that policy. This includes home printers and personal email accounts. It may seem convenient to print work documents on your home printer or send emails to your personal device, but these actions may put your company at risk and violate company policies. Be aware of "shortcuts," such as taking photos of company documents with your personal phone as an alternative to scanning them, as these shortcuts may introduce privacy and security risks.
Dispose of company documents properly.
Review your company's records retention and management policies, as well as information management policies, to ensure compliance. If you must dispose of hard copies of company documents, either shred them or securely retain them for proper disposal when you return to the office. Protect physical documents that must be retained as best you can.
Should you have any questions, please contact ACBI via email or at 203-259-7580.