As the entire world bravely fights the COVID-19 pandemic, a majority of the global workforce is working from home. Companies are on-boarding new hires remotely, which adds another set of challenges from an information security (infosec) perspective.
There is a common saying in the infosec community: security is only as strong as its weakest link. Employees are the greatest asset of any organization. As infosec is everyone's responsibility, employees have to play an active role in ensuring the company operates in a risk-free environment in today's testing times. Of people, processes and technology, I find people to be the most vulnerable, or weakest, link. A significant number of data breaches occur because employees expose sensitive data inadvertently. You can refer to the 2020 Insider Data Breach Survey for more insights.
For organizations, it is now more imperative than ever to ensure new hires are well versed in infosec best practices from day one, considering they will be working remotely. The basic idea behind this blog post is to cover common-sense infosec best practices and guidelines for new employees who join any organization remotely.
I have divided these best practices into four major sections to keep things simple. The infosec guidelines listed in this post are very generic and may not cover all aspects of an organization's needs, but they can be considered a good reference point to start with.
Thanks for reading this post! As usual, if you have any comments or feedback, please feel free to share.
Technical Security
This section highlights generic but impactful security best practices for new employees dealing with internet access, hardware, software and network access:
- Periodically patch all systems and hardware you own (computer, phone, bare-metal servers, cloud instances, etc.).
- Always keep your workstation locked when you are away.
- Always use a secure wireless network for internet connectivity.
- Always use the latest available version of the VPN client provisioned by your company for network access.
- Never check secrets or passwords in plain text into software version control systems such as Git, Bitbucket, etc.
- Ensure you have two-factor authentication enabled for critical business applications or flows such as Single Sign-On, Git, etc.
- Never trust external USB drives or external storage devices on company hardware; they might be infected with ransomware or malware.
- Use only authorized software, as specified in your company's IT security policy, for your day-to-day work.
- Use privacy screens for your laptop webcams.
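As an added illustration of the version-control item above (example code written for this post, not a tool from the original page or from any product it mentions): a minimal pre-commit style scan that looks only at the added lines of a unified diff and flags the usual shapes of plaintext secrets before they reach the repository. The regular expressions, the placeholder list and the sample diff below are all constructed assumptions; a real deployment would tune the patterns and wire the script into the repository's pre-commit hook.

```python
import re
import sys
from typing import List, Tuple

# Assumed patterns for common plaintext-secret shapes (tune for your environment).
# Iteration order matters: the first pattern that matches a line wins.
SECRET_PATTERNS = {
    # AWS access key ids have a fixed, easily recognised prefix and length.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header, the most common accidental key commit.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # NAME = "value" style assignments where NAME looks like a credential.
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Values that are clearly placeholders rather than real credentials.
PLACEHOLDER_VALUES = {"changeme", "<redacted>", "example", "xxxxxxxx"}


def scan_added_lines(diff_text: str) -> List[Tuple[int, str, str]]:
    """Return (diff line number, pattern name, content) for each added line
    that looks like it carries a plaintext secret. Only '+' lines are examined,
    so pre-existing lines and removals never trigger a finding."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        # Skip context, removals and the '+++ b/file' header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(content)
            if not match:
                continue
            if name == "generic_assignment":
                value = match.group(2)
                # Ignore placeholders and values pulled from the environment
                # (e.g. os.environ[...] or ${VAR}), which is the intended practice.
                if value.lower() in PLACEHOLDER_VALUES or value.startswith(("os.environ", "$")):
                    continue
            findings.append((lineno, name, content.strip()))
            break  # one finding per line is enough to block the commit
    return findings


def should_block_commit(diff_text: str) -> bool:
    """A pre-commit hook would exit non-zero when this returns True."""
    return bool(scan_added_lines(diff_text))


# Constructed sample diff: one staged change that mixes good and bad practice.
# The AKIA... value is the placeholder key id used in AWS documentation, not a real key.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,8 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "Sup3rS3cretPassw0rd!"
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
+SESSION_TOKEN = os.environ["SESSION_TOKEN"]
+DEFAULT_PASSWORD = "changeme"
+-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Read a diff from stdin if one is piped in, otherwise scan the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for lineno, name, content in scan_added_lines(text):
        print(f"line {lineno}: {name}: {content}")
    sys.exit(1 if should_block_commit(text) else 0)
```

Run as `git diff --cached | python scan_secrets.py` from a pre-commit hook; the non-zero exit status stops the commit so the secret can be moved into an environment variable or the company's approved secret store instead. The environment-lookup and placeholder exemptions are what keep such a check from blocking the correct pattern of reading credentials at runtime.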
Password Security
Passwords form the first line of defense. These guidelines can go a long way in securing passwords for new hires:
- Choose a complex, unique, non-guessable password for company-specific accounts such as Single Sign-On, as per your company's password policy.
- Periodically change your password. Best practice is to rotate every 3 months (90 days).
- Never store or write passwords in plain text, e.g. in a Google Doc.
- Never disclose your password to anyone, including family members.
- Choose different passwords for company accounts and personal accounts.
- Use a password manager (again, as dictated by the infosec policy) to manage multiple passwords.
- Immediately contact the IT Support team or Incident Response team to reset your password in case your company account gets compromised.
Data Security and Privacy
This section highlights very basic but extremely important data security and privacy best practices that will be helpful for new employees:
- Always classify data and provision access accordingly. For example, company-internal news such as the hiring policy can be accessible to all employees, whereas confidential information such as trade secrets should only be accessible to select employees with the necessary clearance level.
- Production data should always remain in production. Never clone or create a local copy of this data on your laptop, Google Drive, cloud storage buckets, etc. unless it is necessary and you have proper approvals from the relevant stakeholders along with a business justification.
- Always involve the infosec and privacy teams whenever dealing with sensitive data such as Personally Identifiable Information (PII), payment card data, etc.
- Never store or collect user data or unique identifiers without specific user consent.
- Always encrypt user data such as PII or payment card data in transit as well as at rest.
General Security
This section highlights general security tips that new hires can apply in their day-to-day work life:
- Never download or open attachments from untrusted email addresses or sources. These attachments might be infected with malware, ransomware, trojan horses, etc.
- Never click on arbitrary links or images in untrusted email; this may lead to a phishing scam.
- Never use your corporate email address to register on social networking sites or subscription services such as Facebook, LinkedIn, Instagram, news feeds, etc.
- Never share company-specific internal employee updates or news on social networks or public forums.
- Never trust or click on links in SMS messages originating from untrusted phone numbers. This could allow attackers to remotely compromise your phone.
- Never fall prey to fake news or fraudulent phone calls.
- Never disclose personal information such as your SSN, passwords, etc. to anonymous callers.
- Ensure you attend remote web meetings from a trusted place with good personal privacy.