Maximising Security Whilst Working From Home
Published on 08/12/2020
With the outbreak of the Coronavirus (COVID-19), there are an increasing number of employees working from home—either to prevent the virus from spreading or because they have been required to self-isolate. While this will hopefully lessen the impact of the virus on business continuity, it is likely to put significant pressure on IT and security infrastructure as many businesses are likely not set up for a large contingent of the workforce to work remotely.
We thought it was timely to share some key suggestions for keeping your organisation running smoothly.
Make sure that users know whether they can print when out of the office and, if they are permitted to do so, how to securely dispose of any sensitive documentation they print off. For example, using a cross-cut shredder may be acceptable while putting confidential documents in a recycle bin at home may not.
Review your business continuity and disaster recovery plans. Are there key personnel who must have corporate devices and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choosing not to deliver all services all the time.
Check client contracts to confirm whether remote working is permitted and under what conditions—this will be relevant if your staff are embedded on a client site or your team are working with sensitive client data on your own site. If working from home is specifically excluded, talk to clients to develop appropriate acceptable working practices for the duration of the COVID-19 season.
Make sure that you have implemented two-factor authentication (2FA) for all users, and that they all know how to use it. This helps mitigate the risk of having unauthorised users accessing systems remotely.
Make sure that all devices (company or personal) have been patched and have antivirus software installed, active and up to date. Ideally use Application Whitelisting, which is built in to Windows. Importantly, ensure your remote access solution itself is kept up to date.
Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties and helps ensure remote access for legitimate users is maintained.
It is also important to consider user support issues; for example, should employees need to print from home on devices outside of your normal printer fleet how would you facilitate the installation of drivers? Or manage job storage on personal printers.
Make sure you also consider the implications of requiring staff to use their home internet connection for work, including whether it is fit for purpose and how to handle technical issues with that connection. Consumer internet support tends to be considerably worse than business-grade internet.
Additionally, ensure that portable devices have appropriate firewalls to protect them from other devices on untrusted networks.
Consideration should be given to stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period while your network is experiencing higher numbers than usual of remote users.
Some organisations have chosen to split mass home working into groups, e.g. 50% of the company works from the office one week and the remainder from home, then the next week they switch over. Does your remote access solution have sufficient licences for mass remote working? Some solutions give short time licence over-use, but this may only be for a few days or a week.
Cyber security is even more important if your organisation permits employees to use their own devices. Staff using their own devices bring about several other cyber security risks, such as sensitive data leakage and lack of central control.
To mitigate the risks around employees using personal devices:
As will nearly all cyber security responses, it’s your people who have the most influence over how smoothly your organisation copes with disruptions, such as enforced large-scale remote working. Good communications are key – every individual should be asked to confirm that they understand what’s happening and why, and commit to identifying potential problems early rather than in a last-minute panic. Some people will have to come to grips with applications and working techniques that they either haven’t encountered or haven‘t bothered with up until now. In this sense, remote working could even be a positive in illustrating how the right technology (and behaviours) can keep us resilient in the face of this type of challenge.
If you need assistance with your cyber or information security measures, please get in touch.
This article was originally published by our Cyber Partners PGI and can be found here. The article has been updated for the benefit of our clients.
© SES Secure Limited and ses-escrow.co.uk, 2020. Unauthorised use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.