[email protected] - Fotolia
Cybersecurity hygiene has always been a critical component of any infosec program. Just as washing your hands and brushing your teeth are important to personal hygiene, password updates and software patches are important to cybersecurity hygiene -- and critical to preventing data loss, breaches or identity theft.
Many cybersecurity hygiene steps are well known, but the COVID-19 pandemic, which created dramatic shifts in volumes of remote workers, has thrust the need for bringing cybersecurity hygiene into the 21st century into sharp focus. Keeping corporate assets safe amid the enterprise's recently widely expanded boundary into every employee's home -- combined with the explosion of cloud use -- has proven difficult for security teams -- to say the least.
It is important to note, however, that the unique combination of enterprise, cloud and remote employee security is not mutually exclusive, but intertwined into a hybrid workplace whose future requires a shared security responsibility mindset.
These following shared responsibility practices should be woven into any cybersecurity hygiene checklist as they will lead to more aware and secure employees and, in turn, more secure enterprises.
'Bring your own home' security best practices
Just about every organization today is now dealing with "bring your own home" as the enterprise boundary has exploded into every employee's home. To address this in the new shared responsibility model, the following best practices must be adhered to:
- Home network segregation. Security teams need to teach users -- in simple terms -- how to carve subnets with security rules. This will be an undertaking for security admins as there will be a wide variety of routers and firewalls in employees' homes that must be considered.
- Patch, patch, patch. Company-issued laptops and devices should always have either a mobile device management app or enterprise agent to manage patching. However, as more and more workers use their own devices for work purposes, the onus is on them to do their part. Teaching employees the importance of patching and sending reminders are critical; otherwise, the recommended way to keep patches up to date is to turn on auto updates on all devices.
- Passwords, biometrics, facial recognition. Requiring basic security features be enabled can ensure any accidental or intentional identity assumption of a device can be avoided.
- VPN everywhere. Most enterprises have a VPN enabled by default for access to the corporate network. But, even in the absence of that, employees would do well to install a VPN client that enables encrypted connections to strengthen public Wi-Fi or poorly secured home connections.
Cloud security best practices
The cloud is inside every home -- personally (think Netflix or Alexa) and professionally (think Microsoft 365 and Salesforce). While the cloud helps improve the productivity and accessibility of remote workers, its risks from a security perspective will inevitably follow.
To keep employees and employers safe in the cloud, the shared responsibility model requires two critical components: basic cloud data hygiene and SaaS hygiene.
Basic cloud data hygiene
Enterprises must spell out the dos and don'ts of what is accepted cloud use and what is not. For instance, an enterprise might use OneDrive for document sharing, but given the widespread use of BYOD and device sharing that Google Drive and Box offer, it is quite likely these services might be preferred by employees. Admins should acknowledge that user preference is key but take a stance on cloud app use from a security perspective and provide short, engaging training on how to use the cloud for secure data sharing. Items to include on your basic cloud hygiene checklist should include the following:
- Don't share credentials.
- Encrypt drives by default.
- Be mindful when giving document and shared folder access rights to co-workers, partners, etc.
- Revoke and delete permissions where appropriate and when disengagement happens -- for example, at project conclusion or employee resignation.
With SaaS apps becoming the lexicon of our daily lives, the need for SaaS hygiene at a personal and professional level is critical -- specifically:
- Be mindful of account cross-pollination. Consider how many Google accounts employees have. Making sure they use the correct Google Drive account -- one for work purposes -- is critical. Likewise, using a work Dropbox account to share family photos versus going through the extra step of creating a personal account to do so is also important.
- Exercise privacy and confidentiality rights. While not top of mind for most individuals, these are top priorities for corporations. Newer legislation, such as GDPR and the California Consumer Privacy Act, call out specific privacy rights. For example, ensuring digital trails are obliterated when SaaS applications are no longer in use or conducting periodic reviews of data collected by enterprise SaaS applications are critical. These tasks require training and innovative incentives, such as gamification, to raise awareness among the employees.