How to Strengthen Security in the Virtual Workplace, Part 2

Part one of this article addresses the power of people and communication as a security tool. This article discusses the nuts and bolts of technology to secure the virtual workplace -- an area of security that is a nightmare for technology leadership and keeps them from sleeping at night. There were many nights that I tossed and turned with a sick feeling of how bad actors could break through our block walls laden with a wired fence.

What makes today so different? Managing security within the confines of the company wall is much easier than securing the business with a virtual workforce. There are many risks and exposed elements for the bad actors to sneak in and steal digital and privacy information from the company and its employees.

Cybersecurity Controls for the Remote Worker

As COVID-19 continues to spread and the call for shelter-in-place echoes across the newswires, firms had to act quickly to create a remote workforce—sometimes without the best cybersecurity controls in place. An action that is understandable as keeping people working and business running were priority number one.

With a deployed remote workforce in place, now is the time to take a step back and evaluate our security practices. Use this time to mitigate the security risks of a virtual workforce by strengthening the cybersecurity fence. When COVID-19 passes and business picks up, a new normal of how companies function will appear. Be prepared and positioned for this new world and a virtual workplace.

Computers: Company-owned vs. Personal

Due to the nature of the real estate agent's status as an independent contractor, most brokerages were okay with a "Bring Your Own Device" (BYOD) approach to technology with its sales force. This path is exercised because most states have employment laws that prevent brokerages from supplying equipment to agents. Since agents are an extension of the brokerage, the brokerage needs to provide some level of guidance to assist agents with security practices for the home and while being mobile. Agents do have the company's sensitive data within their province.

Most brokerages focus on both their security and privacy practices with the staff. It is the staff who perform business functions that have access to sensitive data as a part of the firm—one reason why brokerages keep much of the team within the office walls. Since a virtual workplace is an extension of the office, the externalities of the home office become daunting in protecting the firm's sensitive data. If there is a breach or data is compromised, the firm becomes legally responsible and liable.

The quick move to a virtual workforce created a dilemma of addressing which hardware to support—personal or company-owned computers.

Company-owned Computers

A remote workforce with a company-owned computer is undoubtedly the best practice. Company-owned computers contain the firm's security software, have the latest operating system software patches/updates, and the tools to perform the job from home. The best part is the device is managed and controlled by the IT department or your Managed Service Provider (MSP). This approach lowers the risk and limits the security vulnerability as compared to personal computers. The downside of this strategy is the cost and time required to implement. The upside diminishes the danger of sensitive information getting into the hands of bad actors.

Personal Computers

Allowing staff's personal computers to access the firm's network is a dangerous practice. The IT team or MSP has no control over these computers to circumvent insecure utilization. Insecure utilization can deliver malicious software installations not only on the staff's personal computer but can traverse throughout the company's network to infect other devices and servers. This use is one pathway how ransomware infiltrates onto a firm's systems. Some studies show one-third to one-half of personal computers have some type of hidden infection.

If a firm has allowed personal computers onto its network, now is the time to remediate this issue. There are two choices: purchase company-own equipment or create an Enterprise Virtual Desktop Infrastructure environment (VDI).

VDI implementations have many different forms. The fastest and most cost-effective virtual workplace is with a Desktop as a Service (DaaS) like Microsoft Windows Virtual Desktop on Azure and Amazon Desktop-as-a Service on AWS. These solutions are great for Windows or Linux computers. Sadly, Apple macOS computers need to be company-owned computers.

Implement Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

Real estate business tools have migrated to a cloud environment for some time now. It makes sense as the service provides easy access for remote teams, seamless collaboration, and sharing of information.

A significant downside to this model is when a bad actor seizes an employee's account and impersonates them. This scenario illustrates when hijacked wire-transfers end up in the bad actor's banking account. To prevent impersonation through an employee's account, deploy 2FA or MFA. When a bad actor does have a company member's password to access an account, they don't have a way to obtain the second or third form of authentication, thus preventing access to the employee's account.

If a company utilizes Google GSuite or Microsoft Office 365, there is no reason for not implementing 2FA or MFA. It significantly reduces the risk of employees and agents in falling victim to a social engineering scam.

Virtual Private Network (VPN) Gateway

Since the start of the pandemic, many companies are allowing staff to use company-owned computers from the home network and Internet connection. This scenario presents a significant security risk to the firm. Home-based internet connections leave a vulnerability where a company-owned computer becomes a conduit for bad guys to explore the company's network.

The solution to prevent this type of intrusion is to install a VPN Gateway in the cloud or on-premise. A VPN is a method that creates a steel pipe through the internet between a company-owned computer and the company's network. Think of it as the Lincoln Tunnel in NYC. Cars can drive safely between NJ and Manhattan without worrying about any water infiltrating into the tunnel from the Hudson River. It is a safe corridor for travel. A VPN acts as a safe corridor between a remote workforce computer and the company's network. This creates a secure virtual workplace.

The VPN also encrypts the communication between endpoints to the network and allows management of who has permissions to particular network services. A VPN is perfect for those who need to access business-critical applications or sensitive customer and employee information from unsecured networks such as public Wi-Fi or home networks.

Video Conferencing Software

Over the last month, it is clear that not all video conferencing software provides a high-level of business-class security and privacy. Many stories have come out about how Zoom does not offer end-to-end encryption or strong meeting passwords. There are findings that Zoom has been less than forthright about their customers' privacy as well. While more schools, businesses, and individuals are using Zoom, they should review the latest warning by the FBI Boston Division. The advice has steps to prevent the latest "Zoom-bombing" hijacking that is taking place by bad people.

When using any of the video conferencing software available on the market, always review the company's privacy policy. The last thing you need is to find out your customer list is accessible to people outside of the organization. Review in detail the features of the security settings of the video conference software. Develop best practices and communicate them to the remote workforce. There are alternatives to Zoom. Here are a few:

• Facetime
• Teamviewer
• GoToMeeting
• WebEx
• Microsoft Teams
• Google Hangouts

Security for Documents

Securing physical documents is imperative in providing business continuity during a crisis. Over the last two years, I am dismayed to see company documents stored in a mixed bag of unsecured devices or personal file hosting services like Dropbox or Box.com. The exposure risk of sensitive information peaks to critical without proper guards to keep the data secured by the company.

Documents must reside in corporate-owned and managed file storage systems. The risk of exposure to company information is significant when the employee has not secured company information in a file storage account outside of the firm. There are many choices to lessen this risk by leveraging company tools such as Enterprise Dropbox, Google Drive with GSuite, Microsoft OneDrive with Office 365.

Once a bad actor has access to those documents in personal accounts, the expense to remediate the breach is high. The loss to remediate is more than five years of the cost to license any of the enterprise products.

Virtual Workplace Security Summary

Companies with a remote workforce in place before COVID-19 are in good shape. They most likely have performed their security assessment of their environments and safeguarded their employees and business assets. If this is a first-time rodeo on deploying a virtual workforce for a firm, please take the time over the next few weeks to review how to strengthen security and privacy controls. AND, most importantly, communicate these controls with the team. Once completed, the result significantly lessens the risk of having a security breach and a compromised system.

As a side note, security and privacy reviews are not a one-time event. Consistently upkeep security and privacy practices as technology and social change occur around the business. It is much easier to clean a kitchen at the end of a meal when you consistently clean while cooking. A firm must communicate consistently and effectively with its people; it garners more trust and loyalty.

This article only speaks to a sample of the security risks a firm faces every day. WAV Group has a mountain of stories to share and expertise in developing strategies on security and privacy. Another area WAV Group excels in is helping firms to communicate and to secure their assets. WAV Group can provide a one-hour private virtual session with your team. The meeting is a non-technical presentation designed to inform staff and agents. The session includes:

• Bring awareness to social engineering
• Understanding the risks associated with email and text messaging
• How to protect yourself from being phish bait
• Security best practices

Reach out to Victor, Marilyn, Kevin, or David if you would like to discuss an opportunity to schedule a session with your team.

Stay safe and be healthy!

To view the original article, visit the WAV Group blog.