Remote Work Security

by Leonard Wills, NERC Reliability Specialist

The widespread adoption of remote work, accelerated by the pandemic, has created numerous cybersecurity challenges for organizations. Effectively managing and securing corporate personnel in this environment requires a proactive approach. Although working from home offers convenience, it also introduces inherent security risks. To mitigate these risks, employers and personnel must adhere to best practices.

Establish a telework policy. Organizations must establish a telework policy that sets clear expectations and governs employee conduct. This policy should address numerous items including, but not limited to, the definition of telework, work hours, use of equipment, expectations for communications, technology or home office reimbursements, and Bring Your Own Device (BYOD). Your organization should require all personnel to review and sign a remote work agreement. This agreement acknowledges that the employee has read and understood the telework policy and commits the employee to adhering to the outlined guidelines.

Secure your home router. An individual can usually access your home router settings by typing in the address bar – some routers use different IP addresses. Once in the router settings, locate the option to change the default password. Additionally, enable Wi-Fi Protected Access 3 (WPA3) if supported; otherwise select WPA2. These two protocols – with WPA3 being the latest – provide wireless security for your home network. Some modern routers allow users to segment their network to separate more trusted and private devices. Regularly update the router and replace it when it reaches end-of-life (EOL).

Use strong passwords. Employ strong passwords on devices whether working remotely or in the office. The Cybersecurity and Infrastructure Security Agency (CISA) recommends choosing long, random, unique passwords using a password manager for enhanced account security. A robust password consists of at least 16 characters. Random passwords can be created in two ways: (1) a random string of mixed-case letters, numbers and symbols or (2) a passphrase of 5-7 unrelated words. Use distinct passwords for each user account and consider using a password manager to securely store and manage all passwords.

Check the email sender’s address. Phishing emails remain the primary method hackers use to infiltrate networks. Always place the cursor over the email sender’s name to verify the email’s legitimacy and avoid falling victim to a phishing attack. Additionally, organizations should establish a point of contact for personnel to report phishing emails. This proactive measure allows the organization to assess potential phishing threats and promptly inform the appropriate personnel of any security concerns.
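
What hovering over the sender's name reveals can also be checked by a script, for instance when triaging messages sent to the phishing report contact. The following is an added example, not part of the original article; the trusted domain, organization name, and sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions for this example: the organization's mail domains and the
# name it uses in display names. All values below are constructed.
TRUSTED_DOMAINS = {"example.org"}
ORG_NAMES = {"example org"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    # Exact match or a true subdomain (mail.example.org), nothing else.
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def check_sender(from_header):
    """Return the reasons a From header deserves a closer look."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable sender address"]
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1]
    reasons = []
    # The display name is free text and may show an address that is
    # not the one the message was actually sent from.
    shown = ADDR_RE.search(name)
    if shown and shown.group(0).lower() != addr:
        reasons.append("display name shows a different address")
    if not is_trusted(domain):
        # e.g. example.org.account-verify.test is not example.org
        if any(t in domain for t in TRUSTED_DOMAINS):
            reasons.append("trusted domain embedded in an external domain")
        if any(n in name.lower() for n in ORG_NAMES):
            reasons.append("display name claims the organization")
    return reasons

SAMPLES = [  # constructed From headers
    'Dana Smith <dana.smith@example.org>',
    '"IT Help Desk <helpdesk@example.org>" <alerts@mail-example.test>',
    '"Example Org Payroll" <payroll@example.org.account-verify.test>',
    '"Example Org IT" <it-support@freemail.test>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no mismatch found")
```

An empty result means only that the display name and address are consistent; it does not show that the message is legitimate.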