Working from Home – Security Policy Checklist
It is really important to have a working from home security policy and here are the top ten things to consider.
1. Check that security privileges on your data, email accounts and network are correct
Where is your data? It may be on a shared drive in your office – on a server or NAS drive. It may be an email account that was previously allowed to be accessed by someone else during a holiday or leave of absence. Should it still be in place? Do you know who has access to it? Perhaps some of this data is confidential or has personal data that should not be accessible to the whole organisation. Have you checked that the access is now correct? These types of access must be checked on a regular basis to verify access is as it should be.
2. Check that former employees’ accounts have been disabled or deleted
When members of your team leave, as part of a formal offboarding policy, several steps should be taken. Should their data be transferred to someone else? Should their replacement gain access to this data? Maybe the data should be deleted? In any event, the account used by the person leaving should be disabled or deleted. This is a real security concern.
3. Check that only suitably trained and approved users have admin accounts
It may sound obvious, but administrative accounts are able to add, delete and modify accounts, data and other assets. Giving these rights to users who either don’t understand the power their account has and make mistakes or (worse!) do know what power they have and perform malicious actions is a really big issue. Regular assessments of who has admin access and confirming that this level of access is justified are vital.
4. Work-owned devices vs personal devices
Work owned devices can be governed by the company: what software can/can’t be installed, what the device can and can’t be used for. More than that – the device can be protected – by way of securely deleting data in the event of loss, theft or even staff dismissal. Using a personal device for work can cause security and privacy issues as the protection that can easily be applied to a work-owned device may not be acceptable to the worker using their own device. There are protections that can be applied to “containerise” the work data – reducing the chance of data loss/theft/breach but this clearly must be thought through and not just “assumed”.
5. Weak Passwords
Possibly the most vulnerable link in all of the IT environment is the password. When you visualise a password as a “key to enter”, having a simple key means that others can easily break in. Unfortunately, by 2020, most of us have many passwords we need to remember, and the temptation to use the same one and make it easy to remember results in poor password hygiene. Don’t shoot the messenger here, but this is something that has to stop and has to stop now. Password management software that lives on your phone, in your browser and on all your devices requires knowledge of one password to unlock all your other passwords – and those passwords are a) unique and b) random.
6. Multi-factor verification (MFA)
In conjunction with password hygiene, setting up MFA on all your accounts significantly enhances overall protection. An example of MFA is when your bank sends a text to your phone when you make a bank payment. Both Microsoft and Google accounts can have MFA set up, and this is an essential step in securing your accounts.
7. Remote access to your office IT systems
If your team still needs to access resources in your office, whilst working remotely, it is important to ensure this access is provided in a secure manner. A virtual private network connection creates an “encrypted” tunnel into the office network. Ensuring remote access is encrypted stops eavesdroppers accessing your network.
8. Vulnerability of home networks
If a worker is using a device on a home network, what other traffic is on that network? What other devices are there, and have they been compromised? Has the home router been compromised? Hoping for the best and assuming everything is above board is not enough. Checking the router and scanning all other home devices is the bare minimum that should be undertaken.
9. Use a VPN service to secure communications
Because of the potentially malicious activity on a shared but non-work-managed network, you could consider the use of a VPN service to enhance IT security. This service securely connects your device to a known IP address, which minimises any local security compromises, such as a “man-in-the-middle” trap where your browser is directed to a spoof version of a site (like Microsoft 365 etc).
10. Security awareness training
Your team is only as strong as your weakest link. If they can’t spot a phishing email or can’t identify a risky web link, then your whole IT network could be in trouble.