Many remote employees must access a corporate private network from home to continue business as usual. Organizations are turning to virtual private networks (VPN) as never before to keep remote workers connected to critical information and tools. To protect sensitive data and network bandwidth, however, companies must secure and control that network access such as by incorporating digital certificates into their cybersecurity strategy. Follow these five VPN best practices for secure remote worker access.
Best practice #1: Choose a corporate VPN wisely
Confidence with your corporate VPN starts with selecting the right one. VPNs enable employees to securely connect to enterprise applications over the public internet. Be cautious with free VPNs as the provider could be making money by selling information about user behavior, according to the Gizmodo UK article Why You Need a VPN and How to Choose One. Look for well-established VPN providers with a good cybersecurity record. In particular, scrutinize the provider's data policies.
"Using a VPN isn't going to protect your online privacy if that VPN is busy logging everything you're doing and handing records over to governments, so you want to do some digging," according to the article. "The ideal VPN provider promotes a zero logs policy and encrypts transmitted data using a well-established open-source protocol."
Best practice #2: Train employees on VPN user etiquette
While the employee dress code may have loosened (business attire on top, pajamas on the bottom, anyone?), company cybersecurity standards shouldn't. Remote employees shouldn't extend the comforts of working from home to lax attitudes toward the corporate VPN.
Accessing the corporate VPN should happen only after remote employees register their devices with IT (IT-issued devices are even better), and make sure email and storage are encrypted, according to Security Intelligence article Develop Tailored Cybersecurity Self-Assessments to Help Secure Your Remote Workforce.
Prevent potential problems by adding corporate VPN guidelines to the employee handbook. Include them in any login instructions provided when handing out laptops during onboarding so everyone is clear on what's expected from the outset.
VPN usage guidelines aim to prevent bandwidth overload and protect against cybersecurity threats. Consider the following suggestions for the types of online behavior to prohibit on a corporate VPN:
■ Streaming Netflix, Spotify, YouTube, Twitch or other services
■ Personal web-browsing (shopping, checking personal email, posting to Instagram and other personal social accounts)
■ Meeting via Zoom, Microsoft Teams or other videoconferencing applications that don't require VPN
■ Downloading or uploading large files
■ Updating software
Best practice #3: Monitor remote employee VPN usage
While developing — and sharing — VPN guidelines should decrease issues, it won't eliminate them entirely. Closely monitor VPN usage to ensure that remote employees aren't inappropriately using the corporate VPN. If necessary, you can block problematic sites from being accessed on the company's network.
Even the most cybersecurity-savvy employee has an occasional lapse in judgment. One of the most common errors is for employees to mistakenly view the corporate VPN as an endless, renewable resource rather than as a costly, limited one. Monitoring can capture overall bandwidth usage and make sure nobody is slowing the network down for other remote employees. With so many more employees reliant on a corporate VPN, infrastructure will likely need to be built out if VPN performance suffers.
Best practice #4: Adopt multi-factor authentication
With the huge recent increase in VPN users, "the pool of potential victims who lose their credentials is higher than ever before," according to the eWeek article How to Make Sure Your VPN Access Remains Seamless. The former access default of a username and password no longer cuts it. Instead, anyone attempting to access the corporate network should first provide some evidence (or factor) of their identity.
■ Something they know (like their mother's maiden name)
■ Something they have (like a bank card, or private key- per below)
■ Something they are (a physical characteristic like a fingerprint or typing speed)
Experts disagree on whether requiring that people offer two factors (two-factor authentication) is sufficient or whether asking for three factors (multi-factor authentication) is best. I strongly recommend multi-factor authentication (MFA) for increased VPN security, especially since remote employees connecting to the VPN from home probably don't have an Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS).
Best practice #5: Incorporate public key infrastructure (PKI)
Another way to increase security for your remote employees is with modern public key infrastructure (PKI), which is a system of processes, technologies and policies that enable companies to encrypt and/or sign data as well as attest to strong identity of the user. By incorporating PKI into their remote work security policies, companies can better control virtual network access via digital certificates and public-key encryption. Access can be revoked if an employee leaves the company.
Additionally, a digital certificate is an incredibly strong second (or multiple) factor of authentication as mentioned in point 4 above. The combination of a user name/password AND digital certificate creates a cryptographically strong authentication process that drastically decreases account hijacking threats.
The number of businesses using PKI as part of their cybersecurity strategy more than doubled over a decade, with 65 percent using it in 2018, according to an IDC study sponsored by DigiCert.
"PKI, if properly deployed and managed, is one of the most powerful tools organizations can use to avoid costly and reputation-damaging data breaches," said Rob Westervelt, Research Director, Security Products at IDC.
Offer secure remote worker access with VPN best practices
Sixty-three percent of U.S. employees reported working from home in mid-April — twice as many as the previous month, according to a Gallup survey. With some companies extending remote work through the end of the year and many others likely to continue to support a larger remote worker population than they did before the coronavirus, the corporate VPN offers essential connection. Take steps now to keep that connection secure.
Recently, a regional healthcare organization wanted to retire its legacy monitoring tools and adopt AIOps. The organization asked Windward Consulting to implement an AIOps strategy that would help streamline its outdated and unwieldy IT system management. Our team's AIOps implementation process helped this client and can help others in the industry too. Here's what my team did ...
You've likely heard it before: every business is a digital business. However, some businesses and sectors digitize more quickly than others. Healthcare has traditionally been on the slower side of digital transformation and technology adoption, but that's changing. As healthcare organizations roll out innovations at increasing velocity, they must build a long-term strategy for how they will maintain the uptime of their critical apps and services. And there's only one tool that can ensure this continuous availability in our modern IT ecosystems. AIOps can help IT Operations teams ensure the uptime of critical apps and services ...
Between 2012 to 2015 all of the hyperscalers attempted to use the legacy APM solutions to improve their own visibility. To no avail. The problem was that none of the previous generations of APM solutions could match the scaling demand, nor could they provide interoperability due to their proprietary and exclusive agentry ...
The DevOps journey begins by understanding a team's DevOps flow and identifying precisely what tasks deliver the best return on engineers' time when automated. The rest of this blog will help DevOps team managers by outlining what jobs can — and should be automated ...
A survey from Snow Software polled more than 500 IT leaders to determine the current state of cloud infrastructure. Nearly half of the IT leaders who responded agreed that cloud was critical to operations during the pandemic with the majority deploying a hybrid cloud strategy consisting of both public and private clouds. Unsurprisingly, over the last 12 months, the majority of respondents had increased overall cloud spend — a substantial increase over the 2020 findings ...