It’s no secret that humans are the biggest vulnerability in any corporate network, whether the weakness is an inability to properly manage password complexity across multiple systems, poor social media habits, or a lack of awareness around things like email links, online shopping, or app and software usage.
A major problem for businesses, particularly in a post-COVID world with so many people working remotely, is that the security challenges employees face extend very easily to their personal devices, while your visibility and control as corporate IT do not. The trick, of course, is finding a way to help employees protect themselves as a means of better protecting corporate resources, while staying within budget and avoiding invasions of privacy.
One way to do that is to encourage employee use of personal security tools like those listed below. Organizations might even pay for them or offer incentives for employees to purchase on their own.
Cybersecurity training
Okay, calling training a tool may be a stretch, but hear me out. Many companies already have some form of cybersecurity training, but getting employees to recognize the risk to their own personal life and finances is a tall task. Consider the payoff: having employees invested in protecting their own digital lives means corporate interests get protected as a significant side benefit.
Some vendors offer cybersecurity training at varying price ranges and with different focus areas. A major area of focus in your training tools should be helping sell the value of proper digital habits to an employee’s personal well-being and getting your employees invested in protecting themselves online.
Digital wallets
While not traditionally considered security tools, digital wallets can be useful from a security standpoint for a couple of reasons. For one, the less an individual goes in and out of their physical wallet, the less opportunity there is for a card to be left behind or for another card (such as a driver’s license or corporate ID) to fall out and become the basis of a compromised identity. Second, digital wallets can be used online in lieu of a credit card or as a way of establishing a profile without creating an account. This helps minimize an individual’s digital footprint and constrains that footprint to services that maintain high levels of security. In many cases, employees will already have a digital wallet available as part of their smartphone’s operating system (Apple Pay or Google Wallet). They just need to be educated on its value and, potentially, on how to set it up.
Credit/digital identity monitoring
Most people are familiar with credit monitoring, which tracks your credit history for things like new credit cards or loans that potentially were created by criminals. Credit monitoring provides an early warning system for a compromised identity, which in turn is potentially critical for both personal and corporate security. A compromised identity can lead to malicious users having enough information about an employee that they can further compromise user email accounts or cell phones, then leverage those to compromise more critical resources like corporate accounts.
Digital identity monitoring is similar, but it focuses on specific types of information, some confidential (Social Security numbers, bank account and routing numbers, or credit card numbers) and others slightly more public, like email addresses and phone numbers. The goal of monitoring a digital identity is that if any account information (financial details or a username and password) is compromised and leaked online, you are notified and have the opportunity to take remediation steps such as changing a password or replacing a credit card.
Password managers
Passwords have long been the keys to the corporate kingdom, and while businesses are taking steps to eliminate the risks involved with password-based authentication, we’re a long way from being rid of passwords. The consumer side of things is in even worse shape. Few consumer services offer passwordless authentication options, and in general those are limited to services offered by industry giants like Microsoft and Google.
The next best thing is to do everything in your power to encourage proper password management: unique, complex passwords (not just special characters but with enough length to achieve sufficient entropy) for each online service. Expecting your employees to be able to manage this task on their own is a nonstarter, which leads to the requirement for a password management system.
A good password manager will encourage good password habits, warn employees when the same password is used across multiple accounts, and generate strong passwords from random characters. Password manager services will often also help monitor your digital identity, watching for compromised account credentials made available on the dark web, or warn you when a service you use has been breached (prompting a password change).
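To make the entropy point concrete, here is an added example (not code from the original article) that computes the entropy of a password drawn uniformly at random from a given character set and generates such passwords with the operating system’s CSPRNG, the way a password manager does. The policy labels in compare_policies() are constructed for illustration.

```python
import math
import secrets
import string

# Character classes a typical complexity policy counts.
LOWER = string.ascii_lowercase          # 26
DIGITS = string.digits                  # 10
ALL_PRINTABLE = (string.ascii_letters + string.digits
                 + string.punctuation)  # 94 printable ASCII characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random from an alphabet.

    There are alphabet_size ** length equally likely candidates, so the
    entropy is length * log2(alphabet_size). This only holds for uniformly
    random choices; a human-chosen "P@ssw0rd!" follows predictable patterns
    and has far less effective entropy than the formula suggests, which is
    exactly why a manager-generated password is preferable.
    """
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALL_PRINTABLE) -> str:
    """Generate a password with the OS CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies() -> dict:
    """Entropy of a few constructed policies: added length beats forced symbols."""
    return {
        "8 chars, all 94 printable (symbols required)": entropy_bits(8, 94),
        "12 chars, lowercase only": entropy_bits(12, len(LOWER)),
        "16 chars, lowercase + digits": entropy_bits(16, len(LOWER + DIGITS)),
        "20 chars, lowercase only": entropy_bits(20, len(LOWER)),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{bits:6.1f} bits  {policy}")
    print("sample generated password:", generate_password(20))
```

A 12-character lowercase-only password already carries more entropy than an 8-character one drawn from all 94 printable characters, which is the length-over-symbols argument above in numbers.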
Two-factor authentication
Ideally everyone would use two-factor authentication (2FA) for all critical workloads, but at minimum employees should be using an additional factor for things like email (which is itself a de facto authentication factor) and financial accounts. There are 2FA systems like time-based one-time passwords (TOTP) for which employees can simply use a smartphone, but there is value in hardware tokens like the Yubico YubiKey, which works with a huge array of applications and services (both web-based and local). Hardware tokens have also been found to provide stronger protection against targeted attacks than even app-based authenticators, according to a Google study comparing the success of different 2FA challenge types against different attack categories.
Antimalware
Another entry that’s a bit of a no-brainer: antimalware software helps protect employee devices from most malware categories and variants using techniques ranging from signature matching to AI-based detection. It has become clear over the last few decades that antimalware is not the be-all and end-all of device security, but it is certainly a key component. Device-based attacks are still a popular way to steal credentials or other sensitive user data, regardless of device type or operating system. The nice thing about antimalware is that, given the long history of device-based attacks, it should be trivial to convince users that it’s something they should have on their devices.
VPN
VPNs are fairly ubiquitous for corporate networks these days, largely because they are relatively easy to implement, provide a measure of privacy on untrusted networks, and can give users access to corporate resources as if they were sitting in the corporate office. Many businesses have legitimate concerns about allowing employee-owned devices to connect to the corporate network, but there are still benefits to simply using a VPN to provide a private internet connection when employees are on public Wi-Fi networks. If use of a corporate VPN connection doesn’t pass the sniff test, several credible consumer-focused VPN services offer similar privacy benefits to your employees without taking up any corporate resources in terms of support, hardware, or bandwidth.
Backup
With the threat that ransomware has become, having a way to restore critical data is essential. Providing employees with a backup solution for their personal devices has obvious value if they might be performing business functions on those devices. Even if corporate policy prohibits using personal devices for business, there’s a case to be made about the stability of an employee’s personal life and the impact that the loss of critical data can have on an employee’s family.
A potential budget alternative is a cloud storage solution that is cryptolocker-resistant, meaning it can detect a ransomware attack and protect employee files from being encrypted. If you are contemplating this route, make sure you consider the functionality you lose: automatically backing up certain files or folders on a schedule and the monitoring or reporting tools that are often available in a full backup solution.
Physical privacy protections
Not every problem requires a high-tech solution. Working remotely has more people using their devices in public places and using personal webcams for work meetings. Offering simple solutions like privacy screens for laptops or physical covers for webcams can protect both employee privacy and corporate resources. These physical privacy protections are also at the very low end of the price spectrum, making them an easy win for your employees.
Laptops, phones, network hardware
Before you stop reading, consider that corporate security always requires a balancing act between investing in security up front and risking the costs of a breach later. This, along with the budgetary realities inherent in businesses large and small, typically means that large organizations prioritize investments in security infrastructure at a much higher rate. Even small businesses should evaluate whether the risks involved with users being unmanaged and unmonitored warrant additional spending, even for a limited set of users such as executives.
Purchasing devices or network hardware for your employees to use while at home provides increased security by extending the reach (and control) of corporate IT management, allowing you to keep an eye out for potential threats and nip them in the bud. Laptops and mobile devices are common investments for employee home use, but network hardware (Wi-Fi access points, router/firewalls, or other network security devices) is another area to consider as these devices are increasingly targeted by malicious entities and put all devices on the network at risk if compromised.