Personal Security IS Enterprise Security

2020 ushered in some titanic changes for Enterprise IT.

Perhaps the most profound change in this area has been the introduction of mass remote work, which has fundamentally changed the shape of enterprise IT. As employees left offices, they had to continue their jobs from home and without the security controls that protect them within the office. 

Enterprises placed a great deal of faith in not just their employees, but the locations they were remoting in from and the people with whom that employee may share a home. Personal security has effectively become enterprise security.

Individual employees are more of a potential breach point into enterprises than ever before. They need to know how to protect themselves personally if they’re to continue protecting the enterprise. There are several things they absolutely need to know.

Check for TLS/SSL on Websites

The potentially insecure personal browsing habits of employees are a direct threat to the enterprise. Employees need to know what a secure website is. The simplest way to do that is to check sites for TLS or SSL encryption.

Different browsers have different ways of showing whether SSL or TLS is present. Google Chrome users see a padlock on the left side of their URL bar if the website they are trying to access is protected. If it is not, they will see a lowercase ‘i’ in either a blank circle or a red triangle. Each browser has its own way of indicating this, so be sure to learn how the browser you use represents insecure websites.

They can also look beyond the lock for more information about who owns a website. By clicking on the padlock once, employees can check a TLS certificate’s validity and, for high assurance certificates, the organization it was issued to.
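
The same check the padlock dialog offers, scripted with Python's standard ssl module, as an added example that is not part of the original article. The two certificates are constructed samples in the shape returned by getpeercert(); the host, organization and CA names in them are made up.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5):
    """Fetch a site's certificate; the handshake fails if chain or hostname is invalid."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _flatten(name):
    # getpeercert() gives names as a tuple of RDNs, each a tuple of (key, value) pairs.
    return {key: value for rdn in name for key, value in rdn}


def _parse(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def summarize_cert(cert, now=None):
    """Report what the padlock dialog shows: validity dates, issuer and organization."""
    now = now or datetime.now(timezone.utc)
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    return {
        "common_name": subject.get("commonName"),
        # Domain-validated certificates carry no organizationName in the subject.
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName"),
        "in_validity_window": not_before <= now <= not_after,
        "days_left": (not_after - now).days,
    }


# Constructed samples: one names its organization, one is domain-validated and expired.
OV_CERT = {
    "subject": ((("organizationName", "Example Bank Ltd"),), (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Jan  1 00:00:00 2022 GMT",
}
DV_CERT = {
    "subject": ((("commonName", "blog.example.net"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Dec  1 00:00:00 2020 GMT", "notAfter": "Mar  1 00:00:00 2021 GMT",
}
```

Calling summarize_cert(fetch_cert(host)) runs the same report against a live site; an expired or mismatched certificate makes fetch_cert raise ssl.SSLCertVerificationError before any summary is produced.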

Strong Passwords on Personal Accounts

It’s imperative that remote workers know two things regarding personal account passwords.

The first is that their passwords need to be complex. Guidance from the UK’s National Cyber Security Centre (NCSC) advises using three separate random words strung together and never using personal details.

The second is that they don’t reuse passwords. Particular care should be taken not to reuse passwords that are similar to those they use on corporate apps and accounts.

Using MFA and Banking Apps for Personal Use

Where finances are involved, remote workers need to bolster their defences. Where possible they should access online banking through bank-provided apps which can provide a secure connection.

Many apps and devices now offer multi-factor authentication (MFA), which remote workers should take advantage of.

Despite these increased responsibilities for remote working employees, it’s up to employers to give remote workers the resources and tools they require to fulfill those responsibilities.

Security Awareness Training

Security awareness training is always a good idea - but during these trying times it’s absolutely necessary.

Of particular importance is advice on email security. In the age of remote working, the inbox is the frontline. Cyber-criminals have responded to the crisis by accelerating phishing campaigns which exploit public panic and the separation between workers and their well-secured office networks. Employees need to know how to spot phishing attempts and how to approach them calmly and rationally.

Secure Remote Access

Mass remote work has thrust VPNs into a place of prime importance. They have been essential for maintaining secure connections between workers’ homes and the enterprise.

However, those secure connections suddenly become less safe if you can’t securely access the VPNs that provide them. Enterprises should consider using MFA with digital certificates to head off that threat.

Public Key Infrastructure (PKI) digital certificates are cryptographically secure so you can tell that the certificate came from a trusted source. PKIs also allow greater control over access, permitting an enterprise to revoke an individual certificate where needed.

Using digital certificates will allow you to tightly control access to your VPNs and use digital certificates as a supplementary factor - along with passwords - in enabling MFA for your VPNs.

Secure Email Using S/MIME

Installing S/MIME for remote workers can be a tremendously useful step in keeping them secure. S/MIME is used to encrypt and digitally sign emails with certificates, so that recipients can know the emails are sent from a trusted source.

IT departments can distribute digital certificates to users and activate S/MIME with a single exchange of digitally signed emails. This can be a strong defense against the ubiquitous threats of phishing and whaling, which rose significantly over the pandemic.

In the last year, Enterprise Security has largely been shoved into the hands of remote workers, who are now burdened with a responsibility they were not prepared for. They need support from the enterprise to ensure they can keep themselves and their workplaces safe.
