10 Step Guide to Working from Home Securely: for Investment Managers, Hedge Funds and Private Equity Firms
By George Ralph, RFA Managing Director
Understandably, the sudden shift to remote working has been causing a lot of issues.
So, what can you do to ensure that corporate data stays safe when your entire workforce suddenly needs to access services remotely?
- Re-write your policies and communicate them to all staff. Most firms will need to rework existing documents to suit the very specific circumstances surrounding COVID-19. Some employees haven’t worked from home before and need clear guidance and concise policies. Video training can be really useful here. If you’re showing one member of staff, I recommend recording it and sharing it with everyone on the team.
- Provide corporate devices for staff wherever possible and mandate that these are used by employees only, not for personal activities or by other members of the household. By providing company-approved devices, you can ensure they are properly configured with appropriate AV software and endpoint protection. Keeping personal devices separate from corporate data is key to keeping that data safe. The control tools the firm puts in place on corporate-owned devices keep corporate data managed, secured and backed up.
- Encourage staff to use a password manager so they can accommodate long, complex passwords for the device itself and for any web-based applications and services. It is highly likely that you have moved to SSO by now; if not, you should seriously consider this move.
- Configure services centrally to enforce multi-factor authentication, because it is often not enforced by default. Many firms don’t realise that Office 365 does not require users to use multi-factor authentication when accessing webmail as standard, for example. As with all public cloud platforms, the out-of-the-box configuration will not keep you secure. MFA is one of the first controls you should switch on.
- Consider remote desktop solutions, such as a Citrix infrastructure that can be managed and maintained centrally and accessed via a web browser using multi-factor authentication. If you haven’t already moved to a SaaS-based solution, a containerised environment will allow you to quickly deliver desktops to staff while keeping corporate data segregated from their endpoints.
- Employ tools to monitor your environment 24/7, inspecting devices, data connections, networks and user behaviour and alerting on anomalies. Our Managed Detection and Response service is free for a limited period to support firms through the current crisis. Moving from a central, office-based security model to an endpoint-based one is critical.
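The two points above (MFA that is not actually being enforced, and monitoring that alerts on anomalous user behaviour) can both be checked against the sign-in logs your identity provider already produces. The script below is an added example and not RFA’s tooling or any vendor’s product; its log lines are constructed, modelled loosely on the fields of a Microsoft 365 / Azure AD sign-in export (userPrincipalName, createdDateTime, ipAddress, location, status, authenticationRequirement), and the burst threshold and window are assumptions chosen for the demonstration. It flags successful sign-ins that satisfied only a password, a run of failed attempts followed by a success, and a first-ever sign-in from a new country.

```python
"""Flag weak-authentication and anomalous sign-ins in an exported sign-in log.

Added example. The log below is constructed for the demonstration and only
models the fields the checks use; it is not a real export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one JSON object per line.
# errorCode 0 is a successful sign-in; 50126 is the invalid-credentials code.
SAMPLE_LOG = """
{"createdDateTime":"2020-04-01T08:00:12Z","userPrincipalName":"alice@example.invalid","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2020-04-01T08:05:40Z","userPrincipalName":"bob@example.invalid","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2020-04-01T08:10:01Z","userPrincipalName":"carol@example.invalid","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2020-04-01T08:10:33Z","userPrincipalName":"carol@example.invalid","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2020-04-01T08:11:05Z","userPrincipalName":"carol@example.invalid","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2020-04-01T08:11:48Z","userPrincipalName":"carol@example.invalid","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2020-04-01T08:12:20Z","userPrincipalName":"carol@example.invalid","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"status":{"errorCode":50126},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2020-04-01T08:14:02Z","userPrincipalName":"carol@example.invalid","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"status":{"errorCode":0},"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2020-04-01T09:30:00Z","userPrincipalName":"alice@example.invalid","ipAddress":"192.0.2.99","location":{"countryOrRegion":"RU"},"status":{"errorCode":0},"authenticationRequirement":"multiFactorAuthentication"}
"""

# Tuning values are assumptions for the example, not vendor defaults.
FAILED_CREDENTIAL_BURST = 5          # failures before a success that count as a guessing run
BURST_WINDOW = timedelta(minutes=15)  # how far back to look for those failures


def parse_log(text):
    """Parse one JSON object per non-empty line and return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        ev["_ok"] = ev["status"]["errorCode"] == 0
        events.append(ev)
    events.sort(key=lambda e: e["_time"])
    return events


def single_factor_successes(events):
    """Users who got in with only a password: evidence that MFA is not enforced for them."""
    return sorted({e["userPrincipalName"] for e in events
                   if e["_ok"] and e["authenticationRequirement"] == "singleFactorAuthentication"})


def credential_bursts(events, threshold=FAILED_CREDENTIAL_BURST, window=BURST_WINDOW):
    """(user, ip, failure_count) for each success preceded by a burst of failures."""
    flagged = []
    failures = defaultdict(list)  # user -> timestamps of failures since the last success
    for e in events:
        user = e["userPrincipalName"]
        if not e["_ok"]:
            failures[user].append(e["_time"])
            continue
        recent = [t for t in failures[user] if e["_time"] - t <= window]
        if len(recent) >= threshold:
            flagged.append((user, e["ipAddress"], len(recent)))
        failures[user].clear()
    return flagged


def new_country_sign_ins(events):
    """(user, country, ip) for successes from a country the user had not used earlier in the log."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if not e["_ok"]:
            continue
        user, country = e["userPrincipalName"], e["location"]["countryOrRegion"]
        if seen[user] and country not in seen[user]:
            flagged.append((user, country, e["ipAddress"]))
        seen[user].add(country)
    return flagged


def run_checks(text=SAMPLE_LOG):
    """Run all three checks over a log export and return the findings by check name."""
    events = parse_log(text)
    return {
        "single_factor_users": single_factor_successes(events),
        "credential_bursts": credential_bursts(events),
        "new_country_sign_ins": new_country_sign_ins(events),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the constructed data this reports bob and carol as single-factor users (carol’s success follows five failed attempts within the window), and alice’s later sign-in from a country she had not used before. The first check is the cheapest way to confirm whether an MFA policy is actually biting; the other two are the kind of behavioural rules a monitoring service runs continuously.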
- Install email and data encryption software to protect data at rest and in transit. If defences fail and a user’s machine is successfully hacked, the encrypted data is useless to the attacker. Following on from the point above, it is important that endpoints themselves are encrypted: if a containerised solution is not used, files will inevitably be saved on the endpoint.
- Ask staff to take steps to secure their home WiFi network, setting long, strong router passwords which are changed frequently and not shared outside family and friends. Request that they change the admin credentials of the router from the factory settings, as the default passwords are published online and otherwise a hacker could easily gain control of the WiFi network configuration. Ask them to change the router name so that hackers can’t look up the default username and password for that brand of router, or better yet, hide the network altogether by disabling SSID broadcast. If the router has a firewall, instruct employees to switch it on; they should find this in the router’s console settings. All these activities make it harder for hackers to connect to employees’ home WiFi networks.
- Train users to identify suspicious activity such as phishing attacks, malicious links and malware. Simulated phishing tests and online training courses are a great way to reach remote staff. Firms are currently at an increased risk of phishing attacks and other malicious behaviour due to the unstable environment. People remain the cause of 99% of breaches, so training and increased awareness are vital.
- Ensure you operate in a way which preserves the integrity of your data. Have a single source of truth, and prevent users from downloading data and making local copies wherever possible.
If you have rushed into a remote working arrangement, like the rest of the world, it’s not too late to implement some best practice retrospectively.
RFA and our team of experts can advise on the right approach and the tools to help you secure your employees and protect your corporate data.