Dream Firms Talks 05/2023


Topic: Basics / Baseline Security – Remote/Hybrid Work

Basic Security

  • 12 Character Minimum for all passwords
    • Anything 8 characters or less is vulnerable to immediate brute force attacks
    • Complexity – Must include: 
      • Upper Case Characters (ASDF…)
      • Lower Case Characters (asdf…)
      • Numbers (1234…)
      • Symbols (!#$%…)
    • Last Changed – Change at least Twice a Year best practice
  • Businesses should use Premium Business versions of Anti-Malware software
    • Premium Version on every work system
    • BitDefender or Malwarebytes are both good options
    • Make sure it is updated regularly
  • Don’t use Gmail as your business email. Businesses should have their own domain
  • Employee training is a very important part of your Cyber Security plan. Frequency should be at least twice a year
  • Monitor your internal networks and systems for alerts and changes.

Baseline Security for Businesses with Remote/Hybrid Workers

  • Remote and Hybrid workers have become an increasingly common staffing structure that can be beneficial to both the worker and the business
  • An attractive benefit to workers
  • Makes businesses more competitive when searching for new talent
  • Increases the pool of available talent when looking for the best candidate for your team
  • Add scheduling flexibility and adaptability that rigid in-office hours do not
  • Less corporate office space needed

Risks associated with Remote and Hybrid Work

  • Security is inherently more difficult to set up and maintain
    • Individual systems are outside your safe office
    • Connections to your data from outside your firewall
    • Necessary Cloud Services can be difficult to evaluate and configure securely
  • Standards may relax or blur between corporate and personal use
  • File Exchange/Collaboration is more complicated
    • No data should be stored on remote systems
    • Cloud or Network Server for data storage – backups/one version/no data on lp to steal
  • BYOD – Bring Your Own Device 
    • Very difficult to secure a BYOD environment – no control/visibility/not your hardware/support
    • Better approach – Supply all the devices employees need to do their job
    • Focus on how to secure corporate devices when employees take them home
  • Public use adds risk – working in airports/coffee shop/café/etc
    • Shoulder surfing is possible – sightlines should be blocked from view!
    • Hacking is easier – use a hotspot AND a VPN
    • Public WIFI = NO
    • Private conversations and meetings in public are PUBLIC conversations for all to hear
  • Remote support will be necessary
    • Your IT Provider (in house or contracted) needs to be able to connect to remote user’s device
      • System maintenance
      • Helpdesk Support
      • Application install
  • Home Network 
    • No control of other systems on the network
      • Free to browse ‘dangerous’ sites
      • May not be protected with current anti-malware
      • May be infected with malware that is watching the network traffic
    • No guarantee the router and firewall are set up properly and are secure
  • Physical Security – Cyber Security Audit
    • Can you prove your systems are physically secure?
    • Is PII stored on any remote device?
      • FL Law – Florida Information Protection Act – Security of confidential personal information
      • Proactive component (which specifies what organizations must do to protect all personally identifiable information they control)
      • Reactive component (which specifies what must be done after an organization experiences a successful breach)
      • Contains provisions that authorize Florida’s Legal Affairs Department to bring enforcement action against entities committing statutory violations
      • We can share a list of important laws if attendees email us and request it
    • According to a recent study – a laptop is stolen every 53 seconds in airports alone
    • Laptop should always be with you, never left unattended.. even in a locked car

Hardware best practice

  • Should be company issued to maintain consistency and control
    • Laptop – should be of the same quality, type and configuration for consistency and supportability
    • Accessories – monitor, keyboard, webcam, docking station – should be of the same type, make and model for consistency and supportability
      • laptop mics are terrible – please provide a webcam with mic that has been well tested by you

Software best practice

  • Should be preconfigured on company issued laptop or web based with logins tested and working
  • Paid (not free) Business (not home) versions of software only
  • All software that supports MFA should have it active for all employees
  • Update frequently with all patches and version updates
  • VPN – Virtual Private Network
    • Provides an encrypted, anonymous tunnel between your remote laptop and your companies’ network
    • We use HMA.    https://www.hidemyass.com/en-us/index
    • There are many options – You want military or bank grade encryption
      • AES256 – Advanced Encryption Standard and uses 14 rounds of encryption
  • MFA – Multifactor Authentication
    • Additional layer of security adding two or more identity checking steps to user logins.
    • We use Duo.    https://duo.com/product/multi-factor-authentication-mfa
  • Data Encryption – At Rest and In Transit
    • Especially important for PII!
    • 2BrightSparks has a Utility Package called OnClick Utilities
      • https://www.2brightsparks.com/onclick/index.html
      • Includes an easy to use and effective data encryption utility
    • HTTPS will encrypt in transit data but using an additional utility to encrypt the file prior to sending is better security
  • Password Manager – Current PW complexity requirements make memorizing them nearly impossible
    • Management should have access to all employee passwords for employee software and hardware
    • Can be Cloud-Based or Network Server based
    • We use IronVest – https://ironvest.com/app/
    • Keepass – Prior company – Login restricts areas of company Passwords available
      • Admin managed
  • Business Applications – Consistency is Key – same version for all employees
  • Anti-Malware – Provide the same brand and version for all employees
  • Browsers – This can be tricky. Some applications run better, or not at all, on certain browsers
    • Lock down an approved shortlist of accepted browsers 
    • Make sure they are updated regularly
    • Add-Ins – Anti-Malware (Malware Bytes, Bitdefender) additional security / PW Manager
    • Don’t Store Any Passwords In The Browser
  • Remote Access/Support – Your IT/Helpdesk Support (in-house or contracted) should have this software so that they can connect any of your remote systems – Should be pre-installed and tested before issuing 
  • Monitoring – Logs employee activity on computer (Manictime)
    • We use for Productivity and Billing
    • Tracks Apps used and for how long
    • Tracks sites visited
    • Tracks documents worked on
    • Data collected is stored on system – or your network server 
    • Works offline 
    • Easy timesheets
    • Can do company wide reporting
    • https://www.manictime.com/
  • IDS/IPS – Intrusion Detection System / Intrusion Prevention System
    • Both analyze data traffic and compare to known threats
    • IDS – Monitoring device or service that Detects intrusions – Won’t take action on its own. 
    • IPS – Device or service that can take action to accept or reject data packets based on set rules. Needs to be updated to recognize latest threats.


  • Remote Work Policy should detail clearly, your expectations. Including:
    • Work in Private – not public areas
    • Always use a VPN 
    • Always use a Hotspot instead of public WIFI
    • Company rules on double dipping
  • Computer Use Policy should detail clearly
    • What is an acceptable use of company hardware and software
    • What is an unacceptable use of company hardware and software
    • Define acceptable web activity
    • Define acceptable social media activity
  • Cyber Security Policy
    • Who to contact to report an attempt or breach
    • No circumventing anti-malware blocks
    • Defines the expected (mandatory) training frequency
    • 2FA Fatigue

Training – Important and frequently overlooked

    • How to identify phishing attempts
    • What to do when an attempt is found
    • What to do when the attack is successful
  • MS Office Skills (and other applications) – don’t assume everyone is at the same skill level 

Resources We Use

Contact Us

For decades, we have been helping clients dealing with legal issues of all sorts. Our firm is committed to simplifying the legal process and achieving effective results for each client.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.