When the COVID-19 quarantine hit in mid-March, it created an unprecedented situation in which the number of remote workers skyrocketed beyond anything anticipated.

“The only analogue of this scale I would say is 9/11, and that was fairly regional,” says Sean Gallagher, a threat researcher at Sophos. “It wasn’t a national thing like this is, and it wasn’t nearly for this period of time.”

Gallagher was working remotely from Baltimore for a New York company. All his fellow employees in New York were displaced for several weeks.

“We had to figure out how to operate without the office for nearly a month,” he says. “But that was very regionally specific. This is a much broader problem.”

Regional vs. global

For most businesses, the closest thing they’ve seen to COVID-19 is a regional natural disaster like a storm or tornado. Companies’ contingency plans for dealing with remote workers have been overwhelmed by the scope of this crisis, and the resulting sense of uncertainty has been unprecedented.

Despite what some may think, “it’s not something that might have been in most firms’ disaster recovery continuity business strategy,” as Gallagher puts it. However, “the necessity to be able to flexibly handle ongoing activities with people not in the office” is not unique.

In addition, Bob Moore, director of server software and product security at Hewlett Packard Enterprise, believes that the human factor “is often—frankly always the most unmanageable component of cybersecurity risk.” This is made worse by the widespread shift to remote work.

Every major company has the resources to allow certain employees to work remotely, but until recently, few few had attempted to allow the majority of their staff to do so. What changes should be made if the current state of security tools and procedures is unacceptable?

What can you do to secure your own remote working space? VPN, antivirus, two-factor authentication

The first piece of advice we received from every computer security expert we contacted was to install a virtual private network (VPN) on your machine so that all of your data stays within the confines of your company’s network and not your own, less secure one. Just one of the ways in which office security and remote security vary.

According to Tim Ferrell, a cybersecurity architect at HPE, “in a workplace environment, you typically have a well-structured, highly controlled work environment where there are tight measures and controls on the type of traffic that can flow, what type of authentication is used, and what data can be stored.”

It’s been echoed by others. According to Mick Wolcott, partner of Goldman Lockey Consulting in San Francisco, “at most enterprise or commercial locations, there are firewalls and the network is managed by a networking team.” At home, “you’re basically just doing Comcast or AT&T or something like that, and you don’t get the behind-the-scenes where we check the traffic that’s coming in. We can’t determine whether there’s malware that’s been downloaded or where it’s been clicked.”

As a result, safeguarding against viruses and malware is not adequate. Maintenance upgrades for your security are essential. You should, of course, take the usual precautions against phishing. If you share your home computer with family members or use it for work as well, you need to be extremely vigilant about the security of your remote connection and your messages.

Last but not least, two-factor authentication is recommended. While this is becoming the norm, it is still not required. Two-factor authentication is the greatest approach to stop phishing and other authentication assaults, but implementing it now is difficult.

As an alternative, Gallagher proposes making use of web-based versions of the tools you already use in the workplace.

Using “online services through a browser to accomplish most of your work” is one approach to keep business and personal life apart, as he puts it. The most prominent example of this is switching from locally installed versions of Microsoft Office to the web-based versions (now called Microsoft 365 apps) of the same programmes.

But with a virtual private network (VPN), two-factor authentication (2FA), and antivirus software that is kept up-to-date, you’ve eliminated a significant portion of the risks that remote workers face. Gallagher claims that the remainder is just “gilding the lily.”

He argues that the business world as a whole must adopt a zero-trust security strategy.

“Assume that both your corporate and your end-point systems are operating in hostile waters and that there’s some form of compromise going on at any given time,” he advises.

Since “the old days of a hard perimeter and a soft inside,” as Ferrell puts it, society has come a long way. The perimeter is now more of a checkpoint on the way in and out; however, you must always consider that every remote device connecting to your network is malicious.

What should your company do to secure its employees? Establish central control

When planning for the future, “you want to make sure that employees have access to a device that is corporate-managed and is locked down for specific use,” says Gallagher. “Another option is to switch to a paradigm where each user is provided with their own remotely managed virtual machine. Therefore, they can use their home computer for professional purposes while maintaining the security of their office machine by separating the two. And I believe that’s the direction a lot of businesses are heading towards.”

This is costly for businesses of all sizes. However, it’s possible that we’ve reached the end of the era of frugality.

Because we were mostly discussing network security, Wolcott admits, “one of the key things I think that I have not discussed is the importance of backups.” “We’ve got a number of terrible situations where someone clicked on a malicious link, downloaded it, and it encrypted their entire machine and held it for ransom,” says one expert. While corporate espionage occurs seldom, ransomware is so ubiquitous that organised criminal groups have given its malware names, such as the Maze, REvil, and Ragnar Locker ransomware families.

How can you plan for the unplannable? Process, policy, and threat modeling

Simon Leech, senior adviser for security and risk management at HPE Pointnext Services, advises, “Don’t allow the company define the security policy to you.” Leech warns that many businesses will be too hasty in adopting remote employment. The security team must avoid the trap of hasty, unsecured technology deployment.

Nor, as Ferrell argues, should it pursue flashy new ideas at the expense of tried and true methods.

“Product is the shining item, and everyone wants to look at it,” he explains. “Because of this, they’ll purchase a cutting-edge piece of technology to address these problems, but they’ll pay no attention whatsoever to the procedures or guidelines that should be in place. Without a proper procedure to back it up, even the most exquisitely designed instrument is useless.”

Enterprise IT security: Lessons for leaders

  • A company’s ability to safely manage quarantines is greatly enhanced if it adheres to industry standards.
  • There is no avoiding spending money today to reduce the risks associated with working from home if security is a top concern.
  • Virtual private networks (VPNs), two-factor authentication, and often updated anti-virus software will keep your company safe.