As organizations hustle to enable employees to work from home, they'll inherently expand their attack surface. Here are five simple steps that can mitigate the risk in the months ahead.
Don't allow OneDrive to sync to personal home computers.
By default, users can sync their files down to their home device. Once the files are there, the organization can no longer control or remove access to them. A policy can be applied to all (or specific) users to block the sync. See the process. Users can still access, edit, and share their files from any web browser after authenticating.
Implement MFA and Conditional Access
Speaking of authentication, consider this opportunity to implement multi-factor authentication (once the initial spike of work dies down). If home workers are required to log in with only a username and password, then those credentials (if compromised) can be used by a bad actor to log in from anywhere. MFA can stop 99.9% of identity compromises.
You can set Azure Active Directory to allow logins only if devices meet certain conditions. You could deny access to home PCs completely through Azure AD. If users are taking their domain-joined laptops home, then the machine can be trusted more than the home PCs that others may use, and be prompted for a second factor. More on Azure AD Zero Trust.
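One way to express the device conditions described above as a Conditional Access policy body for Microsoft Graph, as an added example that is not from the original article. It reads the paragraph as "domain-joined laptops are trusted, any other device must pass a second factor"; the function name, display names, and the emergency-access account ID are assumptions.

```powershell
# Added example: builds a Conditional Access policy body and prints it as JSON.
# Default grant: hybrid Azure AD joined device (domain-joined laptop) OR MFA (home PC).
# With -DenyUnmanaged, only the trusted device satisfies the policy, which
# denies home PCs completely.

# Assumption: placeholder object ID of an emergency-access account, excluded
# so that a misconfigured policy cannot lock every administrator out.
$BreakGlassAccountId = '00000000-0000-0000-0000-000000000000'

function New-HomeWorkerPolicyBody {
    param(
        [Parameter(Mandatory)] [string] $ExcludedUserId,
        [switch] $DenyUnmanaged,
        # Report-only by default: sign-in logs show the effect, nothing is blocked.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    if ($DenyUnmanaged) {
        $name     = 'Home workers: trusted device only'
        $controls = @('domainJoinedDevice')
    } else {
        $name     = 'Home workers: trusted device or MFA'
        $controls = @('domainJoinedDevice', 'mfa')
    }
    @{
        displayName   = $name
        state         = $State
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($ExcludedUserId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = $controls }
    }
}

$body = New-HomeWorkerPolicyBody -ExcludedUserId $BreakGlassAccountId
$body | ConvertTo-Json -Depth 5

# To create the policy (needs the Microsoft.Graph.Identity.SignIns module):
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
# New-MgIdentityConditionalAccessPolicy -BodyParameter $body
```

Leave the policy in report-only state until the sign-in logs confirm which users and devices it would affect, then switch `-State` to `enabled`.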
Protect company data with Intune
If users are to use home PCs, they won’t want to enroll them in MDM. You still need to protect the apps and data that you provide to that PC. The solution is app protection policies in Intune. You can use app protection policies to prevent company data from saving to the local storage of the device (see the image below). You can also restrict data movement to other apps that aren't protected by app protection policies. More on Intune.
Be prepared for forgotten passwords
Your help desk will be burdened enough. Use Azure AD’s Self-Service Password Reset to eliminate help desk calls. SSPR can be set up quickly, and Enabling has packaged services for user communication.
Don’t be socially engineered
People will be less focused and out of 'work mode' while at home. They’ll be more susceptible to social engineering and phishing. If you are using a Security Awareness tool (like KnowBe4), use their content about working securely from home. Either way, remind them of the need to be diligent. Pointing to the bad actors taking advantage of coronavirus news will help tie a real-world current event to the real behavior that you want them to exhibit. Free access to online security awareness content.