Working remotely is nothing new; many companies allowed it before the pandemic, and its popularity has grown immensely since. However, as the popularity of remote work has grown, so too has the attack surface available to malicious actors. Malicious actors now have many more entry points for cyberattacks, such as employees’ vulnerable home Wi-Fi routers and the public networks they use at local coffee shops.
As a result, many companies and workers find themselves asking a new question: Who is responsible for securing company data on a remote worker’s laptop? Is it the responsibility of the remote worker or the IT team at the company? This blog will delve into potential answers to that question to help companies ensure that they are properly safeguarding their data.
The IT team needs to implement effective policies, procedures, and settings to ensure that there is a sufficient baseline of security.
To start, the IT team should set up a virtual private network (VPN) to secure network traffic from remote workers’ devices when they are connected to a public Wi-Fi network. (To learn more about how a VPN works, check out the Microsoft Azure cloud computing dictionary.) You might be wondering, What happens if I don’t use a VPN? Well, when you connect to a public Wi-Fi network, your network traffic is unencrypted. This means that your data can be viewed by anyone who is connected to the same Wi-Fi network. A VPN secures your data by encrypting network connections. As a result, even if a hacker is connected to the same Wi-Fi network as you, the hacker won’t be able to access your data.
When an IT team configures a VPN, it has two options: full tunnel and split tunnel. When a VPN is configured as a full tunnel, all network traffic flows through the VPN regardless of whether it is company related. By contrast, when a VPN is configured as a split tunnel, only company traffic (to and from specific IP addresses or URLs) is transmitted over the VPN. IT teams should set up a full tunnel to protect remote workers from data leaks. Full tunneling is more secure because when an employee visits websites or accesses company servers or data from an unencrypted public Wi-Fi network, all traffic is encrypted.
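The full-tunnel versus split-tunnel distinction can be checked mechanically in a client configuration. The following is an added example, not part of the original post: it assumes a WireGuard-style client file, in which `AllowedIPs` lists the destinations routed through the VPN, and all sample configurations are constructed. It also flags a tunnel that covers all of IPv4 but leaves IPv6 traffic outside the VPN.

```python
import ipaddress

# Entire address space per IP version; a full tunnel must cover both.
WHOLE = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}


def allowed_ips(config_text):
    """Collect every network on AllowedIPs lines (all peers) of a WireGuard-style config."""
    nets = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def classify_tunnel(config_text):
    """Return 'full', 'full-ipv4-only' (IPv6 bypasses the VPN), or 'split'."""
    nets = allowed_ips(config_text)
    covered = {}
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        # collapse_addresses merges e.g. 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0
        covered[version] = WHOLE[version] in list(ipaddress.collapse_addresses(same))
    if covered[4] and covered[6]:
        return "full"
    if covered[4]:
        return "full-ipv4-only"
    return "split"


# Constructed sample configurations (addresses are illustrative only).
SPLIT_CFG = "[Peer]\nAllowedIPs = 10.20.0.0/16, 192.168.50.0/24  # company ranges only\n"
FULL_CFG = "[Peer]\nAllowedIPs = 0.0.0.0/1, 128.0.0.0/1\nAllowedIPs = ::/0\n"
V4_ONLY_CFG = "[Peer]\nAllowedIPs = 0.0.0.0/0\n"

if __name__ == "__main__":
    for name, cfg in [("split", SPLIT_CFG), ("full", FULL_CFG), ("v4-only", V4_ONLY_CFG)]:
        print(name, "->", classify_tunnel(cfg))
```

A result of `full-ipv4-only` means a laptop with IPv6 connectivity would still send that traffic directly over the local network rather than through the VPN.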
Speaking of encryption, it is imperative that the IT team encrypt the entire hard drive of remote workers’ laptops. Otherwise, if a hacker gains physical access to a remote worker’s computer, the hacker will be able to remove its hard drive and easily retrieve the data—even without the password for the worker’s computer. IT teams can use FileVault and BitLocker, which are included with macOS and Windows, respectively, to protect the contents of remote workers’ hard drives.
IT teams should also consider implementing mobile device management (MDM) and requiring all computers that access company data to enroll in it. Implementing an MDM solution allows an IT team to set an automatic idle lock, enable a firewall or antivirus software, set password requirements, and enforce other important settings. For more information on the settings that can be controlled on a Windows 10/11 computer and a macOS computer, see the setting lists provided by Microsoft and Apple, respectively.
Implementing an MDM solution also helps prevent employees from using their personal computers (which are likely not configured securely). And if an employee’s laptop is stolen or hacked, the IT team can send a remote wipe command to the laptop to ensure that no company data is leaked or lost.
If the IT team does not adopt a password management solution, safeguards like a VPN, full-disk encryption, and MDM may not be sufficient to protect company data. Without a password management tool, employees are more likely to use weak passwords or reuse the same password for multiple accounts or systems. Password management tools allow employees to store a strong random password for every system, and most have browser extensions that can help them autofill their credentials into different systems. It is also important for the IT team to disable password-saving features and prompts in all browsers via its chosen MDM solution. This is necessary because passwords saved by browsers are often stored in cleartext and easily retrievable by malicious actors.
Lastly, the IT team should adopt a password expiration policy under which passwords never expire. This practice is now recommended by the National Institute of Standards and Technology, though many companies have still not adopted it. When a company requires employees to change their passwords every 60–90 days, they are more likely to create weak new passwords or make small changes to existing passwords (such as incrementing a number). As a result, their accounts and passwords become vulnerable to attack.
Remote workers must also treat security with the utmost importance. Ensuring security is a team effort, and employees cannot rely solely on the IT team to protect every aspect of their system.
Policies, procedures, and settings can only do so much to protect employees’ and companies’ data. Most IT teams also push security updates to employees’ computers on a regular basis, but those updates do not take effect until employees restart their computers. It can be tempting for employees to delay the restart process so that they don’t have to close out of their applications and files, but restarts are crucial to the proper application of security updates. “Reboot, reboot, reboot”—employees should put that mantra on a sticky note attached to their monitor or create a weekly calendar entry to remind them to reboot once a week!
Password policies set by IT teams are only as strong as the weakest employee password. Employees need to make sure that they do not select a password that contains their name, their birthdate, or other personal information that can be easily obtained from sources like social media profiles. It is recommended that employees select a passphrase that is basically a sentence without spaces. Such passphrases make strong passwords but are also easy for employees to remember.
Physical security is also the responsibility of the remote worker. Remote workers must never leave their bags, briefcases, or laptops unattended. Leaving a laptop unattended for just a minute (while ordering another drink at a coffee shop, for example) might seem harmless, but attackers can work quickly. As an extra precaution, an employee can attach a device like an Apple AirTag to their laptop or laptop bag so that it can be tracked if it is stolen.
However, even if an employee does everything right, a motivated attacker may still be able to steal the employee’s laptop. And if the IT team has not fulfilled its responsibility of encrypting company laptops, it will be very easy for the attacker to access data on the laptop.
Remote workers need to be mindful of the Wi-Fi networks that they connect to and of the non-work-related internet traffic that may occur. All too often, remote workers connect to a public Wi-Fi network in an airport or a coffee shop, for example, and feel a false sense of security. Employees should remember that public Wi-Fi networks are just that:
Moreover, malicious actors sometimes create Wi-Fi networks that seem like “official” public networks (with names like “FREE Public Wi-Fi” or “Free Starbucks Wi-Fi”) but are actually bait for others to connect to. If employees must connect to a public Wi-Fi network, they need to be alert to potentially malicious networks and cannot assume that public locations provide public Wi-Fi at all. They should also remember to use the company-provided VPN.
Employees often use their company-provided computers for non-work-related internet activity. Ideally, a company-provided laptop should be reserved for business use only; however, if an employee must use a company laptop for something personal, care must be taken. It is the remote worker’s responsibility to visit only trusted websites and to not download any peer-to-peer or pirated software. It only takes one employee accidentally downloading a malicious file (one that contains malware, ransomware, a virus, etc.) from one untrusted website to cause an outage for the entire company. Employees also need to make sure that no one else uses their work computer, as a friend, significant other, or child could easily put the whole company at risk by visiting a malicious website.
It’s clear that the security of a remote worker’s computer is not a one-sided responsibility. Each side—the remote worker and the company’s IT team—needs to do its part to maintain a cohesive “umbrella” of security. There are also a couple of important areas that require input from both parties.
One significant shared responsibility is training. IT teams cannot assume that remote workers have any amount of prior security knowledge. Security awareness training should be mandated by the company and must cover a wide range of topics including phishing, password management, USB baiting, and cloud security. Employees need to feel involved and engaged in training, so the company needs to ensure that there is not too much information thrown at them at once. On the other hand, employees are responsible for going into trainings with an open mind and staying focused. They need to understand that they are at the front line of security. It only takes one successful cyberattack against an employee to endanger the whole company.
Remaining alert to phishing attacks is another critical responsibility shared by employees and the IT team. According to a Verizon report, 74% of all data breaches involve a human element, whether it’s human error, privilege misuse, use of stolen credentials, or social engineering (phishing, vishing, or SMS phishing). As a first line of defense against phishing, the IT team should implement a strong spam filter. Sometimes, catching the majority of phishing attempts and thoroughly filtering out spam requires two spam filters: a third-party solution and the one that comes with the company’s email solution (e.g., Microsoft or Google). Think of it as having a lock on your door and an alarm system—it helps to have two forms of security.
The second line of defense is the employee. There is no doubt that some phishing emails will get through the spam filters, so employees need to be vigilant and remain on high alert for any emails that look suspicious. The old adage “If you see something, say something” applies here. Employees must not be afraid to report suspicious emails to the IT team and to ask for help if they need assistance with determining whether an email is fake or legitimate.
As this post has shown, both remote workers and IT teams are responsible for safeguarding company data. There are policies, procedures, and settings that can be enforced at the IT level, but some of them will not be effective unless remote workers understand their critical role in the process. Security is a group effort; the entire group should be on the lookout for new attacks and for new ways to prevent and mitigate data breaches.
As Abraham Lincoln said, “You can’t escape the responsibility of tomorrow by evading it today.” IT teams and remote workers cannot afford to ignore their responsibilities, push them off to a later date, or let their guard down. Malicious actors are not slowing down, so neither can IT teams or remote workers.