How To Secure Your Work From Home Clients
By Jennifer Bleam, MSP Sales Revolution
A year ago, the entire globe was thrust into a work from home environment nearly overnight. It’s now clear that working from home is the new norm, at least for some portion of your clients and their employees. Business leaders like Robert Herjavek have said that they will be liquidating some real estate and plan to encourage work-from-home opportunities where possible. And even Forbes has said that work-from-home is here to stay.
For IT service providers, this scenario presents a challenge. As you add a new client to your book of business (and as you continue to support your existing client base) you must consider the unique security challenges that this new normal brings. Clearly, these users are no longer behind your (hopefully fully managed) firewall. That means that the protection that your firewall offers (intrusion prevention, intrusion detection, blocking specific IP addresses based on geography, and blocking access to bad websites) is worthless for your work-from-home people. And yet, you must mitigate security risks for your clients. Here are several things you should consider, at a minimum, to keep those users safe.
- Employee Training. Employees represent the final line of defense, but ironically, they are the weakest link in your security strategy. Hoping that your clients won’t click on a bad link or respond to a request to purchase multiple gift cards is short-sighted. Hope is not a viable approach. It is your responsibility to train your clients (and train them often.) They must understand proper internet hygiene, the basic makeup of phishing emails, and understand a bit of the psychology behind bad actors’ standard operating procedures. This has been important for years, but we are living through a “perfect storm.” Not only are the threat actors getting much more sophisticated but users are unbelievably stressed. They’re working from a cramped kitchen table, while they help homeschool their children, and deal with a boss who insists that they meet their annual goals. This leads to quick (even frantic) decisions, and some of those decisions will be incorrect. The goal of your training is to cause them to hesitate just long enough to realize that “something isn’t quite right” – and keep them from making a bad decision.
- Email Security. Most email is now hosted and not living in an on-prem Exchange server. But just because that email is out of sight doesn’t mean you can forget about security. Indeed, phishing represents 80% of reported security incidents. https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html So you must take this important piece of your security approach into account. During my coaching calls, I frequently hear, “I’m using
so I’m good.” Please understand that an amazing spam solution is not necessarily a great phishing solution. Spam and phishing are two very different things. Spend a bit of time nailing down this important piece of the puzzle.
- Endpoint Security. All of the computers you support must have advanced endpoint security. If you use the same endpoint protection solution that you used 5 years ago, you are likely in danger of falling behind. I guarantee that threat actors have changed their approach in the past 5 years. If you absolutely love your existing endpoint security, at least test it thoroughly to make sure it is really protecting your clients. Strongly consider setting up an air-gapped network and deploy real threats (not code that you or your team wrote.) This will give you a good idea of whether that tool is providing the protection you believe it is. (And if you already know your older antivirus is due for an upgrade, make this a high-priority item!)
- Transition Planning. As some of your clients transition back to the office (or select a hybrid work schedule) think about the devices they’ll carry into the network. You’re responsible for that network’s security. Will you allow them to instantly connect to the network and cloud shares, like nothing has happened? Should you do a manual scan of the machine before allowing it to connect? Are there other security protections you should put in place?
This work-from-home situation is challenging, but it can be managed. The above recommendations are a great start for securing these computers, but every situation is different. Be sure you consider this category of client, and (of course) be sure all your clients are up to date with patches and updates. While work-from-home is a somewhat new dilemma, it is here to stay. This means that “business as usual” is no longer an option. Be sure you have strategies in place to mitigate your client’s risk (and thereby mitigate YOUR risk as well.)
About The Author
Jennifer Bleam is the owner and founder of MSP Sales Revolution.