By Rajesh Maurya, Regional Vice President, India & SAARC, Fortinet.
The concept of cyber hygiene is a deceptively simple one: It involves a series of practices and precautions that, when repeated regularly, keep users safe and their devices working as they should be. But that’s easier said than done with distributed networks, IoT everywhere, the adoption of multi-cloud infrastructures, and a growing reliance on SaaS applications. Add the convergence of IT and OT, and the number of aging devices that cannot be taken offline because they monitor or manage critical systems 24×7, and the risks are greater, and the stakes higher, than ever before.
Keeping Remote Workers Safe
One of the most critical places on which to focus cyber hygiene efforts is remote workers. The rapid growth in a mobile workforce and their reliance on personal devices and home networks is just the latest addition to the challenges that IT teams face. Unfortunately, enforcing cyber hygiene for remote workers seems to be low on the list for overworked IT teams – somewhere below keeping the business up and running and ensuring access to business applications and essential resources.
Of course, the challenge is that employees working from home are using unsecured personal devices, from laptops to smartphones to tablets, to stay connected during the workday. And these devices, attached to weaker and far more vulnerable home networks, have created the perfect platform from which cyber criminals can launch attacks on enterprise data.
Top Cyber Hygiene Tips to Secure Remote Workers
- Ensure all employees receive substantial training, both when hired and periodically throughout their tenure, on how to spot and report suspicious cyber activity, maintain cyber hygiene, and secure their personal devices and home networks. By educating individuals, especially remote workers, on how to maintain cyber distance, stay wary of suspicious requests, and implement basic security tools and protocols, IT teams can build a baseline of defence at the most vulnerable edge of their network that can help keep critical digital resources secure. This can involve online training and workshops with experts.
- Ensure an incident response/recovery plan is in place, including a hotline through which employees can promptly report a suspected breach, even when they are working from home. This way, in the event of an attack, downtime will be minimized, and employees will already be familiar with critical next steps.
- Run background checks before designating power users or granting privileged access to sensitive digital resources. By taking this extra step, organizations can make informed decisions that will inherently mitigate the risks associated with insider threats.
- Implement a strong access management policy, requiring multi-factor authentication when possible and maintaining strict standards for password creation. Employees should not be allowed to reuse passwords across networks or applications, whether corporate or personal, and should be encouraged to set complex passwords with various numbers and special characters.
- Encrypt data in motion, in use, and at rest. However, VPNs and other encrypted tunnels can also be used to conceal malware delivery and data exfiltration, which means that organizations need to invest in technologies that can inspect encrypted data at business speeds as well as monitor data access, file transfers, and other significant activity.
By focusing on training, awareness and education, employees will be better able to perform basic security tasks such as updating devices, identifying suspicious behaviours, and practicing good cyber hygiene. After that, it is essential that organizations invest in the right systems and solutions – from VPNs to anti-malware software and encryption technologies – that enable clear visibility and granular control across the entire threat landscape. Complexity is the enemy of security, so the best response to an increasingly complicated and highly dynamic digital world is to get back to the basics. And that starts with cyber hygiene.