This is the second of two posts from the Citrix Office of the CTO on helping your employees to increase situational awareness and reduce risks when working away from the corporate office. Read the first post here.
Welcome to our second installment of this blog topic related to the realities of working from home that millions of employees are experiencing due to the COVID-19 pandemic. We recognize that, in many ways, this “new normal” can be just as disruptive for IT professionals as it is for end users. So we’ve compiled some useful tips that you can provide to your employees to ensure they are doing enough of the right things to protect the security and privacy of themselves, the organization, and your customers.
Tip 1: Know What Your Employees Are Working With
Unless they have an IT-approved PC, be aware that their personal devices are probably not secured, protected, or configured to corporate network security standards. As the saying goes, don’t mix business and pleasure. Use separate systems.
- Use an endpoint that’s specifically configured to work with sensitive company data, especially in multi-party home networks. Seriously, don’t let them use their home PC as-is. If this is their only option, boot from a trusted USB client — or splurge and get them a cheap Chromebook.
- Double check that all essential security services are enabled before allowing access or usage.
- Just because employees can doesn’t mean they should download sensitive data to their device. If this data really needs to be mobilized for offline access, ensure it is located in an enterprise-managed and encrypted container.
- If an alternative approach is needed, look into app and desktop virtualization (see the video below), especially if they are working with Private Healthcare Information (PHI), Payment Card Information (PCI), Personally Identifiable Information (PII) or sensitive Intellectual Property (IP).
Tip 2: Secure Their Browser
The ubiquitous browser is the focal point of modern computing, providing access to almost everything we use throughout the day. The problem is, they have access to almost everything that malicious code or an attacker desires: sensitive data in applications and other browser sessions, the clipboard, networks, files and file systems, peripherals, certificates, keys, and passwords. Can you imagine a more target-rich environment? If possible, encourage your employees to:
- Configure individual browser sessions to be specific to purpose. Encourage them to stop using one over-configured and overexposed browser for everything from multi-player games to controlling mission-critical apps and accessing sensitive data.
- Harden their browsers to define their access to peripherals and the clipboard, disabling access to webcam, microphone and cut/copy/paste unless absolutely required.
- Define security for browser-based apps and between browser-based apps. Especially where JAVA, Flash and the use of old browsers like Internet Explorer are required for legacy compatibility.
- Install only the minimal set of browser extensions and tools, as these extend the tentacles of the browser into areas that can lead to data exposure and loss. Carefully consider anything beyond ad blockers and approved collaboration tools.
- Dynamically use the most appropriate browser delivery framework to mitigate risks — local, containerized, hosted, and cloud-based browsers are all modern options. Has your team updated your Enterprise Browser Strategy lately? And more importantly, is using the right browser automated across your workforce and for third-parties?
- Manage browser privacy by controlling persistence, cookies, location data and settings per browser-based app and per sensitive use case.
- Use special browser deployments for your privileged workforce to protect sensitive operations such as managing your organization’s cloud instances or if they are an administrator for the browser-based HR system.
- STOP CLICKING RANDOM LINKS! Phishing, ransomware, and losing everything would make the current situation much, much worse right now. Ensure your updated Enterprise Browser Strategy inspects and redirects all arbitrary links to a one-time-use browser enclave — for everyone’s benefit.
Tip 3: Remind Them to Turn On/Off That VPN
A VPN provides a direct connection to the corporate network and is how many people access otherwise office-bound apps and data. With the VPN running, traffic, including web searches and social media, is routed through the corporate network, so many employees are in the habit of turning off the VPN at home when they need some “private time.”
- A VPN client is a trusted node on the network, leveraging the protections of the enterprise network (e.g. anti-malware, anti-spam and content filtering). When the VPN is off, employees give up all that security — so make sure they have equal or better locally-installed security measures in place. FYI, the PCI DSS endpoint security guidelines are a great place to start for a reference set of services to protect sensitive data.
- Split tunneling is a feature that acts like turning off the VPN for non-corporate network traffic. The goal is faster performance by using the local internet connection instead of routing all traffic through the corporate network. If employees are doing this, just make sure they’ve installed the aforementioned security measures on their local device.
- As you know, traffic through the VPN can be monitored, so a subtle reminder to employees about ensuring their network activities are appropriate and visibly productive might be a good idea. If they can’t avoid surfing personal content, a more obvious reminder to disconnect from the VPN might be needed — as well as another reminding them to reconnect when resume work activities.
- Simply put, the best way to avoid some of these issues is this: If you’re employees are working from home, make sure they are using corporate-managed devices that have all the latest patches installed.
Tip 4: Help Them Create Back-up Plans
Networks always go down at the worst possible moments. Show them how to create backup networks via tethering, personal hotspot, bonding, or SD-WAN. Make sure they know how to switch networks instantly — or automate it if access is critical.
- If their beloved pet destroys their laptop, smartphone, or tablet, how long would it take to rebuild and be productive again? How long to get them a new device? Show them how to make plans for getting up and running instantly with a Chromebook or USB bootable client as an always-ready contingency.
- Local backups of sensitive enterprise data are prohibited by policy but easy to do (even by accident). Ensure that employees making local backups are not keeping copies of sensitive data like enterprise directories, email, chat logs, or temp directories.
- Finally, if you’re responsible for business and workforce continuity, share tips weekly with your organization and employees on how to be productive. Also, include all the ways that corporate policies have evolved to reflect the realities of the “new normal,” especially for security, safety, and privacy.
Ask yourself: Is this the work experience I, or my employees, deserve? If it is, watch this:
Note to IT Professionals: Working securely while working remotely is both an immediate requirement and an ongoing challenge. We’re all learning together how to optimize for the “new normal.” Some tips in this article can be directly implemented by your displaced workers, and some will require your help. Let’s use them as a foundation to generate an ongoing conversation around options for evolving the work-from-home situation from surviving to thriving.
