Remote Work Increases IT Security Responsibilities for Employees

With millions of American employees working at home for the first time, companies have scrambled to institute policies and processes to enhance security and protect their valuable data. But even with the most stringent measures in place, security can still be compromised if employees don’t take responsibility for implementing certain measures as well.
 
Security solutions, such as firewalls and anti-virus software, are critical
 
Employees who have company-issued laptops are typically protected by powerful security solutions and likely prohibited from installing any new applications on their machines. But those who are using their own personal computers can expose their companies to security risks such as malware attacks, ransomware, and viruses.
 
The first line of defense and an essential component in network security is a firewall, which monitors network traffic and acts as a filter based on an established set of security rules. A firewall can block malicious traffic, acting as a barrier to hackers, viruses, and other malevolent attacks. Firewalls can be software or hardware-based solutions, and corporate networks tend to have both. For remote employees, a software solution can suffice. While the user can customize firewall settings, this should only be done under the supervision of a company’s IT professional as a network administrator will best understand what type of traffic to allow and what to prohibit. Without assistance from IT, it’s best to rely on the firewall’s default settings.
 
The next line of defense is anti-virus software, and every device should have an anti-virus program installed. Again, company IT professionals should cooperate with employees to ensure that they choose the most appropriate anti-virus software. There are many anti-virus options available, including free software available for download. However, it’s always wise to choose the most robust solution to protect against viruses, malware, ransomware, and new threats as they develop.
 
Updates are the employee’s responsibility
 
Every security solution regularly issues software updates to ensure that the user is protected against all threats. But those pop-up reminders can be annoying, especially when the update takes time or requires the computer to be restarted. The temptation to ignore these reminders can be strong. However, these updates are critical as they may be necessary to patch a security flaw or counter a new threat. Employees who don’t update when prompted leave their devices and their company network and data vulnerable. It is the employee’s responsibility to ensure all updates and patches are made when prompts appear.
 
Use only approved programs and applications
 
Remote work requires employees to use a variety of collaboration tools, many of which may be unfamiliar. GoToMeeting, Zoom, Slack, BaseCamp, and a variety of others make it possible for remote teams to work together. Some of these applications are more user-friendly than others, but typically a company will determine what tools should be used. Employees should refrain from downloading substitutes, as this could expose users to a security flaw. In such a case, both company and personal data could be compromised.
 
Don’t forget the reputational risk
 
Working at home can introduce many risks not encountered in an office environment. Take children, for example. Children of every age – from toddlers to teens – are fascinated by all manner of devices. An unattended laptop left without the password protection activated can be too inviting to ignore. The potential for embarrassing mishaps is enormous. Imagine the horror of a message sent inadvertently to the company mailing list, or even worse, to a client. Even a pet can cause trouble – in one instance I know of, a Bengal cat sent a security alert to a major corporation’s IT department. The issue of browser controls is also relevant. The child whose own laptop has strict controls might find an unattended computer a golden opportunity for some off-piste browsing. Consequently, every remote employee should ensure that browser controls are activated to filter out forbidden content, and computers are NEVER left on and open without password protection activated.
 
Conclusion
 
The COVID-19 pandemic is likely to have long-term implications for businesses around the world, and remote work is likely to be a choice for many even after the lockdown is over. Companies will have to change the way they think about security in this new environment, as will employees. In the brave new remote world, data and network security is not just an issue for the IT department, but the responsibility of every employee.
 
___

About the Author
Dan is the man behind the scenes but if you’re a client of ours, you likely have spoken with him. Dan Tomaszewski is our V.P. of Application Support and has the enviable job of supporting our clients around the clock. With over 20 years of experience in the financial services industry, he has built a career on supporting traders and operational clients in optimizing post-trading infrastructures. Dan can help solve your most complex operational challenges through the implementation of a variety of post-trade solutions including trade reconciling, allocating, flow, clearing, and risk.

 

Establishing a robust password policy

While passwords are intended to address the issue of authentication, they’re a source of considerable concern. We start with the problem of human nature. Insistence on complexity and uniqueness, along with regular changes, is typically considered among best practices in establishing password policy. But our natural inclination is to make things easy for ourselves; users typically set weak passwords because they’re easy to remember. Even worse, people tend to use the same easy-to-guess password, or variations on it, across multiple logins.
 
Complexity is the foundation of password security
 
It’s difficult to overestimate the importance of password complexity. A policy should set a character minimum, and also require the use of upper- and lowercase letters, numbers, and special characters. Each password should be used for a single account only, and every candidate password should be checked against lists of known weak or compromised passwords. Passwords deemed unacceptable might include those obtained from previous breaches, recognizable “dictionary” words, repetitive or sequential letters or numbers, and context-specific passwords derived from the username or service name.
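As an added example (not code from the article or its author), the following Python checker implements the rules just described: a length minimum, all four character classes, a denylist of breached or well-known weak passwords, dictionary words, repetitive and sequential runs, terms derived from the username or service name, and a one-time-use check against a history of previous passwords. The breach list, word list and function names (`check_password`, `fingerprint`, and so on) are assumptions constructed for this example.

```python
"""Password policy checker illustrating the rules described above:
length and character-class minimums, a breached/weak-password denylist,
dictionary words, repetitive or sequential runs, context-derived terms,
and one-time use. Added example; not the article's or the author's code."""
import hashlib
import re
from typing import Iterable, List, Optional, Set

MIN_LENGTH = 12

# Constructed sample lists for this example. A real deployment would query a
# full breach corpus (e.g. a k-anonymity range lookup) and a large word list.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "football"}


def fingerprint(password: str) -> str:
    """Fingerprint used only to compare against a password history in this demo.
    A real credential store must use a slow, salted hash (Argon2id, bcrypt, scrypt)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_repetitive_run(password: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (aaaa, 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_sequential_run(password: str, run: int = 4) -> bool:
    """True if `run` alphanumeric characters ascend or descend by one (abcd, 4321)."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not window.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context(password: str, terms: Iterable[str], min_len: int = 3) -> bool:
    """True if the password embeds a username/service name (or its reverse)."""
    p = password.lower()
    for term in terms:
        t = term.lower().strip()
        if len(t) >= min_len and (t in p or t[::-1] in p):
            return True
    return False


def check_password(password: str, username: str = "", service_name: str = "",
                   history: Optional[Set[str]] = None) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means acceptable."""
    failures: List[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(not c.isalnum() for c in password):
        failures.append("special")
    if lowered in BREACHED_PASSWORDS:
        failures.append("breached")
    if any(word in lowered for word in DICTIONARY_WORDS):
        failures.append("dictionary")
    if has_repetitive_run(password):
        failures.append("repetitive")
    if has_sequential_run(password):
        failures.append("sequential")
    if contains_context(password, [username, service_name]):
        failures.append("context")
    # One-time use: reject a password already recorded for this (or another) account.
    if history and fingerprint(password) in history:
        failures.append("reused")
    return failures


def is_acceptable(password: str, username: str = "", service_name: str = "",
                  history: Optional[Set[str]] = None) -> bool:
    return not check_password(password, username, service_name, history)


if __name__ == "__main__":
    # Constructed candidates: two policy violators and one acceptable password.
    for candidate in ["Summer2020!!!!", "acmeDan#abcd1", "Vg7!pq-Xz2m$Lw9"]:
        result = check_password(candidate, username="Dan", service_name="Acme")
        print(candidate, "->", result or "ok")
```

The checks are deliberately independent so that a rejection message can tell the user which rule failed; in practice the breach-list lookup should go to a full corpus rather than the tiny in-memory set used here, and the history comparison belongs on the server against properly hashed credentials.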
 
Password expiry policies are detrimental to security
 
Many companies adhere to a policy mandating frequent password changes, with passwords commonly expiring after 90 days. However, this type of change policy is based on a threat model that no longer exists. Twenty years ago, it took hackers around 90 days to crack a password. Today, though, a hacker can crack an average to bad password in the cloud in a matter of seconds. Studies have found that users who are required to make frequent changes choose weaker and more repetitive passwords. Employees who are required to frequently change their passwords also resort to regrettable methods to remember them – like the post-it note affixed to the bottom of the monitor. Ironically, password change requirements are little more than a placebo, and actually increase the level of risk.
 
Moreover, the nature of the threat has changed, with password harvesting a greater risk than cracking. Cybercriminals have developed many methods for harvesting passwords: infecting computers with keystroke loggers, employing phishing websites, hacking text messages and more. If a password is compromised, the hacker will act in seconds. By the time the user gets around to changing the password, the damage has long been done. In May 2019, Microsoft itself validated the research on password expiry policies by discontinuing minimum and maximum password ages in the Security Baselines for Windows 10 and Windows Server build 1903.
 
Social engineering hacks are a significant threat
 
The vast majority of cyberattacks, somewhere north of 95% of all attacks, come in the form of social engineering hacks. In these types of attacks, the criminal depends on typical human behavior to gain access to information. They rely on trust or even simple error to gain access to information, including passwords. They can come through fake websites, phishing emails, fake transactions or faux IT support calls. The way to keep password information safe from these types of attacks is, first and foremost, to educate your workforce. Learning to identify and delete phishing emails unopened is a critical skill. Importantly, employees should be skeptical of any request for sensitive information. Never reveal passwords to anyone over the phone, and avoid clicking on links embedded in questionable emails. Remember, social media and the wealth of personal information it reveals is a tremendous boon to hackers. A look at your Facebook posts can reveal your spouse’s name, your pets’ names, your birthday: all information people often use to create passwords.
 
Conclusion
 
Creating a robust password and keeping it secure are two of the most significant steps in maintaining information security. Every company should implement a password policy that focuses on complexity and random alphanumeric combinations. While multifactor and biometric authentication is playing an increasingly important role in security, the password will continue to be the foundational element of security in the near to medium term.
 