COVID has created a range of security and privacy issues globally for nearly every organization. These risks have been amplified by several factors including the sheer magnitude and immediate need to support new remote workers who have a broad range of technical competencies and skill sets. Combined with the "hockey stick" growth and the sharing of networking resources with family members or roommates and the dozens of IoT devices many of which are unpatched, the security and privacy risks for every organization have increased.
The following recommendations can help minimize the risk and exposure to every organization;
- Network Issolation - Use a dedicated home network router limited to only work usage. Do not connect other devices to it or permit other family members. Ideally the work router should be hardwired to your cable modem.
- Disable open networks on your home routers such as the public Xfinity network.
- Do not broadcast the name of the new router's SSID (Service Set Identifier).
- Deploy a VPN (Virtual Private Network) for all users.
- Use a browser who maximizes privacy setting including blocking of third-party cookies and automatic deletion of all cookies at the end of a browser session. Consider using Microsoft Edge, Firefox or Brave. Disable location tracking.
- Set updates to automatic and enable real-time protection including running AV scans automatically at least twice a day. By default include scanning for rootkits, memory, startup items, registry and file system.
- Email - Enable DMARC checking and enforcement on all inbound email (Domain-based Message Authentication, Reporting and Conformance). Isolate and disable non-work related email from corporate email to reduce the risk of BEC, (Business Email Compromise).
- Deploy whole disk encryption such as Microsoft Bitlocker device encryption.
- Enable automatic cloud backup such using Apple iCloud, Microsoft OneDrive or third party back up services.
- Consider the need for physical security of corporate devices and the need to maintain security of confidential documents including cross-shredding of any discarded documents.
- Last but perhaps most important is to enable a 24/7 support and incident response mechanism for employees to report and document any data loss or security incidents.