10 Step Guide to Working from Home Securely: for Investment Managers, Hedge Funds and Private Equity Firms
Home working, while always on the agenda, suddenly shot to the top of everyone’s priority list in 2020 thanks to COVID-19. Some firms were better prepared than others for working from home securely, but most had to move from a position where they were equipped to support 40-50% of the workforce remotely to one where 100% of the firm’s staff were working at home, and for an extended period. Understandably, this has caused a lot of issues which need unpicking.
It’s not too late to implement some best practices retrospectively. COVID-19 has created a much longer-term hybrid work environment than any of us had really expected. I can advise on the right approach and the tools to help you secure your employees’ working environment and protect your corporate data. Taking some of the following steps will give your business the flexibility to keep working in an agile way, so take some time to think about these basic security health checks.
So, what can you do to ensure that corporate data stays safe when your entire workforce is accessing services remotely for the foreseeable future?
You will by now have rewritten your policies and communicated the changes to all staff. Most firms needed to rework documents to suit the very specific circumstances surrounding COVID-19 and will need to look at the bigger picture on policies once we know more about the long-term effects of the pandemic. Some employees might not have worked from home before, so clear guidance alongside concise policies is a good idea. Video training can be really useful here. If you’re showing one member of staff, I recommend recording it and sharing it with everyone on the team. This also gives you a ready-made training video for new team members as and when they join.
2. Tech up
Provide corporate devices for staff wherever possible and mandate that these are used by employees only, not for personal activities or by other members of the household. By providing company approved devices, you can ensure they are properly configured with appropriate AV software and endpoint protection. Separating the use of personal devices is key to keeping your data safe. The control tools put in place for corporate owned devices by the firm will keep corporate data managed, secured and backed up.
3. Password security
Encourage staff to use a password manager so they can accommodate long, complex passwords for the device itself and any web-based applications and services. It is highly likely that you have moved to SSO by now but if not, you should seriously consider this move as soon as possible.
4. Configure your services
If you haven’t already, configuring services centrally to enforce the use of multi-factor authentication is wise, as it is rarely enforced on a personal basis. Many firms don’t realise that Office 365 doesn’t require users to use multi-factor authentication when accessing webmail as standard, for example. As with all public cloud platforms, the out-of-the-box configuration will not keep you secure. MFA is one of the first controls that should be switched on in a remote working environment.
Consider what infrastructure works best for your firm that can be managed and maintained centrally and accessed via a web browser, using multi-factor authentication. If you haven’t already moved to a SaaS-based solution, a containerised environment will allow you to quickly deliver desktops to staff, segregated from their endpoints. This is also useful for staff changes: you can replicate your desktop solution quickly to any endpoint.
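The point above about webmail reaching users without MFA is easiest to see in sign-in records. The following Python is an added example, not code from RFA or Microsoft: it audits constructed sample sign-in records whose field names follow the Microsoft Graph signIn resource (`userPrincipalName`, `appDisplayName`, `authenticationRequirement`, `status.errorCode`) and reports which users reached webmail with a password alone. The records, the app names and the thresholds are assumptions for illustration; in practice the input would come from an export of the tenant’s sign-in logs.

```python
"""Audit sign-in records for webmail access granted with a single factor.

Added example (not RFA's or Microsoft's tooling). Record fields mirror the
Microsoft Graph signIn resource, but the records below are constructed."""

from collections import defaultdict

# Constructed sample sign-ins (not real log data). errorCode 0 = success.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Teams",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
]

# Assumed display names for the webmail-related applications we care about.
WEBMAIL_APPS = {"Office 365 Exchange Online", "Outlook Web App"}


def single_factor_successes(signins, apps=WEBMAIL_APPS):
    """Successful sign-ins to the given apps that were not MFA-protected."""
    return [s for s in signins
            if s["appDisplayName"] in apps
            and s["status"].get("errorCode", 0) == 0
            and s["authenticationRequirement"] != "multiFactorAuthentication"]


def mfa_coverage(signins):
    """Per-user share of successful sign-ins (all apps) that required MFA."""
    totals = defaultdict(lambda: [0, 0])  # upn -> [mfa_count, success_count]
    for s in signins:
        if s["status"].get("errorCode", 0) != 0:
            continue  # failed attempts say nothing about enforced controls
        totals[s["userPrincipalName"]][1] += 1
        if s["authenticationRequirement"] == "multiFactorAuthentication":
            totals[s["userPrincipalName"]][0] += 1
    return {upn: mfa / total for upn, (mfa, total) in totals.items()}


def users_needing_attention(signins):
    """Users who reached webmail with a password alone. The fix is a
    tenant-wide 'require MFA' policy, not chasing these users one by one."""
    return sorted({s["userPrincipalName"] for s in single_factor_successes(signins)})


if __name__ == "__main__":
    for upn in users_needing_attention(SAMPLE_SIGNINS):
        print(f"{upn}: webmail reached without MFA")
    for upn, share in sorted(mfa_coverage(SAMPLE_SIGNINS).items()):
        print(f"{upn}: {share:.0%} of successful sign-ins used MFA")
```

Failed attempts are deliberately ignored: a password-only failure tells you nothing about whether MFA would have been demanded had the password been right, so only successes are counted.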
6. Be alert
Employ tools to monitor your environment 24/7, inspecting devices, data connections, networks and user behaviour, and alerting on anomalies. Our Managed Detection and Response service is a great solution for this. Moving from a central, office-based security solution to an endpoint-based one is critical while we work out what our new working lives will look like.
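To make "alerting on anomalies in user behaviour" concrete, here is an added Python example (not RFA's MDR tooling) that builds a per-user baseline of countries and devices from a week of constructed sign-in events and then flags later events that fall outside it or outside assumed working hours. Field names, working-hours window and the events themselves are assumptions made for illustration.

```python
"""Flag anomalous remote sign-ins against a per-user baseline.

Added example, not RFA's MDR product. Events are constructed tuples of
(user, ISO-8601 UTC timestamp, country code, device identifier)."""

from collections import defaultdict
from datetime import datetime, timezone

# Constructed baseline window: ordinary activity for two users.
BASELINE_EVENTS = [
    ("alice@example.com", "2020-04-01T09:05:00+00:00", "GB", "LAPTOP-A1"),
    ("alice@example.com", "2020-04-02T08:55:00+00:00", "GB", "LAPTOP-A1"),
    ("alice@example.com", "2020-04-03T18:20:00+00:00", "GB", "LAPTOP-A1"),
    ("bob@example.com",   "2020-04-01T07:40:00+00:00", "GB", "LAPTOP-B7"),
    ("bob@example.com",   "2020-04-02T12:10:00+00:00", "IE", "LAPTOP-B7"),
]

# Constructed events under review.
NEW_EVENTS = [
    ("alice@example.com", "2020-04-08T09:00:00+00:00", "GB", "LAPTOP-A1"),    # normal
    ("alice@example.com", "2020-04-08T03:12:00+00:00", "RO", "LAPTOP-A1"),    # new country, off-hours
    ("bob@example.com",   "2020-04-08T10:30:00+00:00", "IE", "DESKTOP-ZZ9"),  # unseen device
    ("erin@example.com",  "2020-04-08T11:00:00+00:00", "GB", "LAPTOP-E2"),    # no baseline at all
]

# Assumption: 06:00-21:59 UTC is treated as normal working time.
WORK_HOURS = range(6, 22)


def build_baseline(events):
    """Per-user sets of countries and devices seen during the baseline window."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set()})
    for user, _ts, country, device in events:
        seen[user]["countries"].add(country)
        seen[user]["devices"].add(device)
    return seen


def evaluate(event, baseline):
    """Return the list of anomaly reasons for one event (empty means normal)."""
    user, ts, country, device = event
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        reasons.append("no baseline for user")
    else:
        if country not in profile["countries"]:
            reasons.append(f"new country {country}")
        if device not in profile["devices"]:
            reasons.append(f"unseen device {device}")
    hour = datetime.fromisoformat(ts).astimezone(timezone.utc).hour
    if hour not in WORK_HOURS:
        reasons.append(f"off-hours sign-in at {hour:02d}:00 UTC")
    return reasons


def alerts(new_events, baseline_events):
    """Map each anomalous event to its reasons; normal events are omitted."""
    baseline = build_baseline(baseline_events)
    result = {}
    for ev in new_events:
        reasons = evaluate(ev, baseline)
        if reasons:
            result[ev] = reasons
    return result


if __name__ == "__main__":
    for ev, reasons in alerts(NEW_EVENTS, BASELINE_EVENTS).items():
        print(f"{ev[0]} at {ev[1]}: {'; '.join(reasons)}")
```

A user with no baseline is reported rather than silently accepted, which is the case that matters most when a whole workforce is newly remote and joiners appear without history.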
Install email and data encryption software to protect data at rest and in transit. If defences fail and a user’s machine is successfully compromised, the encrypted data is useless to the attacker. It’s important that endpoints are encrypted, because files will inevitably be saved on the endpoint if a containerised solution is not used.
8. Home WiFi
Ask staff to take steps to secure their home WiFi network, setting long, strong router passwords which are changed regularly and not shared outside family and friends. Request that they change the admin credentials of the router from the factory settings, since the default passwords are published online and otherwise an attacker could easily gain control of the WiFi network configuration. Ask them to change the router name so that attackers can’t look up the default username and password for that brand of router, or better yet, hide the network altogether by disabling SSID broadcast. If the router has a firewall, instruct employees to switch it on; they should find this in the router’s admin console. All these activities make it harder for attackers to connect to employees’ home WiFi networks.
9. Staff awareness
Train users to identify suspicious activity such as phishing attacks, malicious links and malware. Simulated phishing tests and online training courses are a great way to reach remote staff. Firms are currently at increased risk of phishing attacks and other malicious activity, due to the unstable environment. People are still 99% to blame for breaches, so training and increased awareness are vital. The training can be fun and informative, and it is also a good opportunity to get the whole team together for a virtual session while securing home working.
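The tell-tale signs that phishing training teaches (a display name that claims to be internal while the address is external, a Reply-To pointing elsewhere, failed SPF/DKIM results, and look-alike login hosts) can also be checked mechanically at the mail gateway. The Python below is an added example, not RFA’s tooling: it runs those checks over a constructed sample message and a constructed benign one using only the standard library. The internal domain, the trusted hosts and both messages are assumptions for illustration.

```python
"""Score an inbound message against common phishing indicators.

Added example (not RFA's product). Uses only the standard library; the
internal domain, trusted hosts and both messages are constructed."""

import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                      # assumption: the firm's domain
TRUSTED_HOSTS = {"login.microsoftonline.com", "example.com"}  # assumption

# Constructed suspicious message (not a real phishing email).
SAMPLE_MESSAGE = """\
From: "IT Helpdesk (example.com)" <helpdesk@examp1e-support.net>
Reply-To: collector@mail-relay.xyz
To: alice@example.com
Subject: Action required: re-validate your Office 365 password
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-support.net; dkim=none
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in at https://login.microsoftonline.com.example-verify.xyz/reset
to keep your mailbox active.
"""

# Constructed benign internal message for comparison.
BENIGN_MESSAGE = """\
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: Q2 board pack
Authentication-Results: mx.example.com; spf=pass; dkim=pass
Content-Type: text/plain; charset="utf-8"

Draft is at https://example.com/docs/q2-board-pack for review.
"""


def _domain(address):
    return address.rpartition("@")[2].lower()


def indicators(raw, internal_domain=INTERNAL_DOMAIN, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of phishing indicators found (empty means none seen)."""
    msg = email.message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if internal_domain in display.lower() and from_domain != internal_domain:
        findings.append("display name claims internal sender but address is external")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) not in ("pass", "none"):
            findings.append(f"{mech} result is {m.group(1)}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    brands = {t.split(".")[-2] for t in trusted_hosts}  # e.g. "microsoftonline"
    for url in re.findall(r"https?://\S+", body):
        host = (urlparse(url).hostname or "").lower()
        labels = host.split(".")
        # A trusted brand used as an inner label of an unrelated domain is a look-alike.
        if any(b in labels and not any(host == t or host.endswith("." + t) for t in trusted_hosts)
               for b in brands):
            findings.append(f"look-alike host {host}")
    return findings


def is_suspicious(raw, threshold=2):
    """Assumed policy: two or more independent indicators warrant quarantine/review."""
    return len(indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, is_suspicious(raw), indicators(raw))
```

The threshold of two indicators is an assumed policy; any single check can misfire on legitimate mail (a third-party HR portal will often trip the Reply-To test), so combining independent signals keeps false positives manageable while still catching the message above.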
Ensure you operate in a way which preserves the integrity of your data. Have a single source of truth. Restrict users from downloading data and making local copies wherever possible.
This guide to working from home securely was contributed by RFA, an IT, financial cloud and cyber-security provider to the financial services and alternative investment sectors, and AYU approved Service Provider.
AYU is the digital private members club for alternative investment professionals.