Give This WFH Security Hygiene Checklist to Your Employees

Remote employees themselves are a key part of your remote workforce security strategy—but they have to know what's needed of them in order to do their part.

This year an unprecedented proportion of the world's workforces have transitioned to full-time remote work, a shift dictated by facts on the ground rather than by careful planning.

And while it's true that as facts on the ground continue to change some will return to their offices, it also seems clear that many others won't.

In cybersecurity terms, companies are now preparing to deploy or are already deploying new long-term security policies, infrastructure, and practices  to account for—and to protect—remote work and remote workers.

When employees transition to WFH, previously personal equipment is now part of the company’s critical infrastructure. Employees should be told this. © Kittichai Boonpong / Dreamstime

Getting Employees Involved

Yet there's more to be done if remote work is to be secure—because for remote work to be secure, remote environments and practices must also be secure.

For better or for worse, most employees aren't cybersecurity experts. Without being told, they're not likely to know offhand what they ought to be doing to support organizational security while working remotely.

For this reason, companies should consider it a best practice to provide remote employees with a checklist of security hygiene items that they can and should attend to with care.

Such a list might look something like this.

Security Hygiene Checklist: Premises

Remote employees should:

  • Avoid working in fully public places. Instead, work in locations where there is at least some predictability about the number and identity of people likely to be present.

  • Secure work environs. Lock doors and windows, entrances and exits to areas where work equipment will be used or, even more importantly, stored.

  • Educate and instruct your co-residents. Explain to roommates, family members, or other regularly co-present individuals that work equipment and accounts are private and not to be shared, even innocently.

Security Hygiene Checklist: Network

Remote employees should:

Employees need to know that the consumer NAS in the linen closet needs to be secured—and that means closing the public router port that’s being forwarded to it. © Hämmerle S / CC-BY-SA 2.5

  • Use your own Wi-Fi. Avoid public wireless networks and the sharing of networks with neighbors or other community members.

  • Keep network equipment updated. Carriers often manage this, but if a retail-purchased router is in place, ensure that it's configured to regularly run updates.

  • Require authorization. Ensure that wireless connections are set to use WPA/WPA2 encryption.

  • Change default passwords or passphrases. Ensure that the default password for router login and the default passphrase for WPA/WPA2 connections have been changed from their defaults.

  • Close all public-facing network ports. End the operation of any at-home servers that require port forwarding or public-facing network ports to be open. Move any such needed services to professional hosting platforms.

Security Hygiene Checklist: Devices

Remote employees should:

  • Lock proactively. Lock your screen whenever you pause work on a device, even for just a few minutes. Shut down and stow any equipment you're not actively using.

  • Avoid walking away from or losing track of equipment. Keep work equipment with you at all times during work, rather than leaving it unattended for breaks, and stored appropriately during non-work hours.

  • Run your updates. Avoid the use of out-of-date devices or devices with out-of-date system software or applications. Run updates promptly when offered, and check for them proactively.

  • Avoid unauthorized uses or installations. Avoid installing software on work systems that haven't been vetted, approved, and delivered by work IT staff, even if you appear to have the ability to do so.

  • Ban malware. Ensure that devices have anti-malware tools involved and active on them where available, and end all malware-risky practices. Yes, this means no cracked Windows applications, no direct-download Android APKs, and so on—even on other personal devices that merely happen to share the home network with work systems.

  • Encrypt your data. Enable filesystem encryption on devices when plausible and available, or create separate encrypted volumes for the storage and manipulation of sensitive data.

Security Hygiene Checklist: Best Practices

Remote employees should:

Authenticators need to be kept nearby and secure at all times, not left lying around where others may have access to them. They’re the keys to the universe. © Plurilock

  • Separate work from play if possible. Try to avoid mixing work and non-work hours, applications, and devices together. For example, maintain regular work-start and work-stop hours, and avoid doing personal work during work hours or on work devices.

  • Maintain password hygiene. Set different passwords for each used service or login—using a password manager if necessary. Ensure that passwords aren't predictable names, numbers, or dictionary words.

  • Develop extra vigilance about authentication tools. Become closely wedded to authentication devices—such as USB authenticators or mobile devices with authenticator apps—and ensure that they never leave your side or your sight.

  • Develop extra vigilance about unsolicited email. With IT staff and systems now far away, avoid clicking on links or following instructions received in any unsolicited email, to avoid being compromised by ubiquitous phishing attempts.

  • Be conservative at all times. If in doubt about a possible choice, operation, configuration, or activity, avoid doing anything novel and err on the side of caution until you're able to consult IT or security staff.

Deliver It Regularly

Given that the list above comprises things that many employees haven't regularly thought about in the past and may, despite themselves, not think frequently about in the future, it's also important to point to a list of this kind regularly. This could mean:

  • Posting it on the corporate intranet

  • Pointing prominent banners to it from multiple applications or locations

  • Sending it out as a monthly "security reminder" email

  • Requiring users to periodically visit, complete, and sign an online version of such a checklist

The particular way in which lists like this one are deployed will vary from company to company. That said, the existence and sharing of such lists is likely to become more and more common going forward.

After all, companies and organizations that successfully enroll the cooperation of their remote employees will fare better in remote workforce security than those who don't. That's the world in which we all now live. ■

Stay informed. Join our low-volume mailing list for Plurilock and cybersecurity news and updates.

PLURILOCK IS THE LEADER IN ADVANCED AUTHENTICATION

Plurilock is the leader in advanced, risk-based authentication. We provide invisible, device-free MFA for corporate endpoints, Citrix sessions, cloud applications, and their users in finance, healthcare, education, and SaaS.

Follow

        

Contact Plurilock

Have a question or comment? 

Plurilock Lead Capture Block

Welcome to Plurilock!

We’d love to hear about your interest in our products.

Great!

Okay, cool.

We'd like to provide you with more info. How can we reach you?

Enter your email above to agree to receive commercial electronic communication from Plurilock via email.

Thanks!

Someone from Plurilock will get in touch with you soon.
 
In the meantime, learn more about our ADAPT and DEFEND products—and be sure to check out our Blog for in-depth cybersecurity coverage.