Do you have a development team that works remotely? It can be scary thinking about all the confidential data that gets passed between various locations with distributed teams.
Or maybe you are a developer who works remotely and want to be proactive in protecting the company’s assets, or you've been tasked with helping to build out a plan for security measures for other remote workers on the team.
The good news is that security best practices are not secrets. You just have to know where to find the information. So we’ve compiled this brief guide of security best practices for remote software developers.
Here’s what you need to know…
Security problem #1 - No remote worker security policy is in place.
If you’re concerned about whether it is secure to have employees working remotely, the first thing you need to ask yourself is whether a security policy is in place specifically for remote employees.
With no plan in place, you’re definitely asking for trouble with sensitive data. And you can’t really blame the team members if you didn’t plan ahead. (But if you are the remote worker, you can likely wow your boss by bringing up this issue proactively!)
Take the time to create documentation that clearly states how remote developers should keep data safe. There should be one security policy across the board for all team members working remotely. That way, confusion about security practices can't lead to accidental security breaches.
Security problem #2 - You think it doesn’t matter because full cybersecurity isn’t possible.
Sure, company data gets leaked sometimes. But that doesn’t mean you should give up on trying to protect the company network at all.
Pretty much every large company that stores its data on cloud servers has implemented policies that keep production data secure. If they can keep whole companies secure, you can secure your remote teams.
Understand that the cloud is not really something new and different. It’s basically just storing your data on third-party servers rather than hosting your own datacenter. When you keep that in mind, it makes it easier to determine what security measures you’ll need to put in place.
So no, maybe there isn’t perfect security, but implementing reasonable measures can definitely mitigate preventable security breaches.
Security problem #3 - You haven’t prepared for adversarial attacks.
Adversarial attacks come in the form of intentionally malicious security breaches. They include:
- Phishing
- Social engineering
- Malware
Phishing is when attackers create a fake website to steal login credentials. They set up a site that looks just like the one you safely log in to, tricking users into entering their usernames and passwords.
Social engineering involves directly manipulating a member of your organization. Often, the victims of these attacks had no intention of acting maliciously against the company, and don’t realize that they’ve let an unsafe individual into the company network.
Malware comes in several different forms, but at its core it is malicious software that tricks you into downloading it, often by being attached to existing software or your website.
So, one of the best ways to avoid a lot of adversarial attack issues is to simply use proper password management. First of all, humans are terrible at generating random passwords. Get your team using password-generating software that saves the passwords for them. This ensures that every login has a unique password (something humans tend to fail to do on their own).
These types of apps are called password managers. They instantly make your team’s login credentials safer. And they won’t get tricked into logging in to one of those phishing sites.
Any password manager you use will, of course, require a master password. The most secure option is to use a strong passphrase. Phrases are longer than conventional passwords, and you can make it something that is easy to remember, yet it will still be difficult for someone else to guess.
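Why a password manager does not hand credentials to a phishing site: it looks up saved logins by the page's actual origin, not by how the page looks. The sketch below is an added example, not code from any particular product; it models that lookup as an exact match on scheme, host and port. The `Vault` class, the host names and the credentials are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port), or None when the URL has no usable origin."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lowercased; userinfo and port removed
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:                 # malformed host or port
        return None
    if not host or port is None:
        return None
    return (parts.scheme, host, port)


class Vault:
    """Hypothetical credential store keyed by exact origin."""

    def __init__(self):
        self._entries = {}

    def save(self, url, username, password):
        key = origin(url)
        if key is None or key[0] != "https":
            raise ValueError("credentials are only stored for https origins")
        self._entries[key] = (username, password)

    def autofill(self, page_url):
        """Return saved credentials only if the page's origin matches exactly."""
        return self._entries.get(origin(page_url))


def demo_vault():
    # Constructed sample entry; the host name and credentials are placeholders.
    vault = Vault()
    vault.save("https://git.corp.example/login", "dev1", "generated-by-manager")
    return vault


if __name__ == "__main__":
    vault = demo_vault()
    for url in ("https://git.corp.example/session/new",          # genuine site
                "https://git.corp.example.attacker.test/login",  # lookalike host
                "http://git.corp.example/login"):                # not https
        print(url, "->", "fill" if vault.autofill(url) else "no match")
```

A person comparing the page visually can miss every one of the mismatches above; the exact-match lookup cannot.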
Security problem #4 - You’re not using multi-factor authentication
Just using login credentials to get into company data, as you have seen, is risky. When you add an extra step, it keeps more malicious individuals out because it makes breaking in more difficult for them.
Make attacks more difficult to complete with multi-factor authentication. There are a few different ways to do this. Some apps use question and answer authentication in addition to login credentials, such as when they ask you to give your mother’s maiden name or the name of your first pet.
Other apps use text or email authentication. They send you a code, and you enter the code in addition to your login information.
Another method is biometric authentication. This is when the app uses your physical data, such as fingerprint authentication or facial recognition.
Requiring distributed teams (as well as local teams) to set up one of these other authentication factors for company apps decreases the likelihood that attackers can get into the company network. Keep in mind, however, when creating mandatory policies, that not all remote employees will have devices that allow them to use biometric authentication methods.
Security problem #5 - You use SMS as your second factor of authentication
Although codes sent by text can be used for multi-factor authentication, they are not the best choice. It’s becoming more common for attackers to take over someone’s phone number.
Instead of SMS, you can use TOTP (time-based one-time passwords). These authentication services encrypt the authentication token sent to the user.
Security problem #6 - You’re giving access privileges to people who don’t need them
Just because you hire someone to work for your company does not mean they need access to everything. By giving more people access, you open more avenues for security breaches.
Instead of increasing your cybersecurity risk level, only give employees access to the apps and data they absolutely need. You can always give someone more privileges if and when they need access to something. It’s a lot safer than giving everyone open access.
Security problem #7 - Users don’t have firewalls turned on.
Firewalls are a basic line of defense on a computer system. But something as simple as not having the firewall turned on while working can open the opportunity for an attack to get through.
This one is fairly self-explanatory. Make it a required policy that all developers have firewalls turned on for every device they use for remote work. They’re developers, so they should know how to do this.
Security problem #8 - You don’t require developers to encrypt the disk on their devices
Some attacks start when a device is lost or stolen. If the device is not protected in some way, malicious individuals can gain full access to nearly everything on the device.
Full disk encryption makes it so that a password is needed to gain access to the content on a device. Many laptops have this feature included, and so do modern smartphones. Make it a requirement on all devices that developers use for remote work.
Security problem #9 - You don’t encrypt the backups
Apps, web sites, and hard drives fail. Or they get infected with malware. Your cybersecurity plan should absolutely include a data backup plan. But that alone is not enough because attackers can steal and access your backups.
All backups should also be encrypted. Once you have encryption in place, if backups are lost or stolen, the data will still be safe.
What to do if a breach happens
When you’re working with distributed teams, having security measures in place is the best thing you can do. But sometimes a breach happens anyway, and when it does, you’ll also need a response plan.
Here are a few of the scenarios you should plan for:
- A developer loses a device.
- An unauthorized party accesses your infrastructure.
- A team member is let go under unfriendly conditions.
In order to respond appropriately, you’ll want the following components in place:
- Documentation procedures for developers’ work.
- Breach containment for disabling user accounts, shutting down production, or taking a server offline.
- Established internal communication for remote teams, like a dedicated Slack channel.
Preventive and containment measures should give you a leg up on any security issues you face with your remote development team.