It’s critical to determine whether your employees will work from a company laptop, a company desktop from the office or on a personal device that is remotely connected to your network, because security measures differ for each scenario.

The Safest Option: Employees Use a Company Device

This scenario allows you to ensure, in advance, that the laptop or desktop meets all the remote workstation security requirements by:

The Most Difficult Option: Employees Use Their Own Devices

At a minimum, personal devices should have built-in antivirus protection and the latest operating system and software updates should be installed automatically. If this is not possible, you should block the employee from connecting to the corporate network from that device and provide them with a company laptop if possible.

It’s critical to regularly update software, because, in most cases, malware attacks target vulnerabilities in legitimate programs and applications. This makes it important to:

Did you know that in Q4 2019, ransomware accounted for 36% of malware infections at companies?¹

Despite their efficacy in securing network perimeters, VPNs can pose challenges if they are not properly segmented. Ordinarily, the VPN is forwarded to a particular segment on the local network, and the availability of the other network segments is not guaranteed. This means that IT departments may be up against the clock to re-configure equipment and tailor VPN access to the precise needs of each user. Rushed for time, they may simply open up access to a subnet for all VPN users, increasing both the potential reach of external attacks (whenever they breach the local network) and internal attacks. Your IT teams should have a preemptive plan of action for maintaining network segmentation and allocating sufficient VPN pools.
 

However, the responsibility of securing and segmenting networks doesn’t fall solely on IT teams. Remote employees should make sure that the admin password for their home Wi-Fi router is unique. It may seem like a small thing, but you can make a huge impact by communicating password best practices to your employees and offering a refresher on how to update a password (they can find the administration interface on the underside of the router or from the official site of the router manufacturer). It's also useful to update the router firmware to eliminate any known vulnerabilities as well as keep any smart devices on home networks up to date—including smart TVs, surveillance cameras, gaming consoles and baby monitors. 

Since January 2020, more than 4,000 COVID-19 information sources have been cataloged. Of these, 5% were suspicious, and 3% were malicious.³

Criminals are already taking advantage of the pandemic via phishing emails, fake sites and compromised mobile apps. Fraudsters have been sending messages that supposedly come from the World Health Organization (WHO) about a cure for coronavirus or the availability of express testing kits. Employees must be vigilant and have knowledge of threats to effectively distinguish phishing messages from legitimate ones. Doing so requires:

• Discussing the topic of phishing
• Providing well-designed and straightforward training materials
• Communicating tips frequently related to security and social engineering

Aside from training employees on warning signs and providing clear instructions on how to report potential threats, it is also worthwhile to perform dynamic scanning of all incoming email attachments inside a sandbox.

Business Email Compromises (BECs), another common cyberattack, target employees who are responsible for paying vendors and other counterparties. This is a very targeted form of social engineering where the criminals, posing as the company's executives, send emails to accounting staff. In most cases, the "from" address of the criminals' messages superficially resembles the address of a genuine executive.

So, as employees work from home and face-to-face communication is minimized, they will need to go the extra mile to verify who they’re actually communicating with. Employees responsible for outgoing transfers should use additional communication methods, such as phone calls or video conferencing, to verify who the request is actually coming from.

Administrators should make sure that employees know how to report security issues by giving them instructions to help make the transition and configure their software. Create a special email address for them to reach out to in case of issues, as well as a separate address where suspicious emails can be forwarded to warn security staff and other employees of phishing attempts.