Secure home working for your staff through the Coronavirus pandemic
Many companies are now actively encouraging their employees to work from home due to issues surrounding the spread of the virus.
Many larger organisations already have the infrastructure and working practices in place to accommodate large-scale home working by employees – Google’s parent company Alphabet (yes, Google is actually owned by a bigger company!) has asked its North American staff to work from home to reduce the potential spread of the coronavirus.
The problem many smaller organisations will have if they face the prospect of offices being closed (particularly if they rent office space in a multi-tenanted building) is that they have never had the requirement to enable home working en masse for staff, which may lead to significant issues with cyber security.
This article will cover some of the issues as well as potential solutions that organisations can implement to ensure their workforce can continue to be productive and secure when working remotely.
Potential connectivity issues
Are your employees’ home internet bandwidth capacities sufficient for them to work effectively from home? The answer is probably yes, but you may need to take into consideration additional factors – for instance, if their children’s schools are closed and they are using the internet for remote schooling (as well as a bit of YouTube/Netflix chill out time), bandwidth capacity may suffer.
If an individual needs to upgrade their service because of the demands being placed upon them by work then, assuming a better service is available, this may raise a more complicated question about who should pay for the upgrade. In addition, some upgrades may incur a bit of downtime or involve a lead time of several days or weeks before the service goes live, which are issues that could create additional problems for a mass move to remote working. Speed and capacity are not the only issues.
Arguably, the biggest real-world problem is likely to stem from the fact that many businesses simply aren’t properly set up with the right software, networks (VPN etc.) or processes to support the full range of remote working across all of their departments.
It is vitally important that security awareness is not limited to technical solutions but also extends to company communications sent both internally and externally. Ensure any corporate-wide messages (e.g. press releases/bulletins/company blogs) highlight the need for individuals to be aware of their security responsibilities.
If you are allowing your staff to connect to your corporate resources using their own personal computing equipment, it is important to have policies in place to define what they can and can’t do. You probably will not want users downloading company information onto their personal devices, so ensure staff are aware of what is expected from them in terms of security.
Remote Working – What resources do your staff require?
Many organisations are already using cloud services such as Office365, which means most users will already be able to access some corporate resources remotely.
Most organisations, however, will not be fully cloud based, and their users will need to access some resources that won’t be available remotely. It is important to assess which of these services employees will need access to, and how businesses can provide this access. The most common services that will not be available remotely are documents on corporate file shares and legacy business applications.
If your organisation is using cloud services (e.g. Office 365), ensure that all of your employees know how to access the cloud services you use (links etc.) and provide training on how to access the services.
An often-overlooked service is telephony when working remotely. Can your telephone system provide a divert facility to send calls to a user’s mobile or home phone?
Will your users need to print documents when working remotely? Will they have the ability to print to their own printer? If so, what ramifications could the uncontrolled printing of documents have on the security of your intellectual property?
Are you still using legacy applications and services?
If you haven’t migrated all of your corporate applications and services to remote cloud-based services, you will have limited options available to your organisation. You will still need to allow some employees to remotely access resources within your corporate network, while still maintaining the security of your IT assets.
Virtual Private Network (VPN)
If your employees are using company-supplied laptops, they should use an agreed VPN client to connect to company resources. Ensure any legacy applications have already been installed onto company laptops. Test access to legacy applications and the opening and saving of documents across a VPN onto a file share, as these services will generally perform slower than normal and it is important to highlight this to your users.
Multi Factor Authentication
If any of your staff are working remotely and accessing company resources, you should implement Multi Factor Authentication to ensure that the security of your infrastructure cannot be compromised in the event that any user accounts are breached. There are many solutions on the market at varying price points based on your requirements and/or number of users. As mentioned below, Cisco are offering free licences for their Duo MFA solution until July 1st 2020.
Remote Access Applications
If you do not have the capacity to provide all users with corporately owned equipment, it may be necessary to allow staff working from home to use their own personal computer equipment. If this is the case, then you should provide users with a remote access application (e.g. TeamViewer) rather than allowing them to connect via a VPN (this could create a significant security issue, as they may connect an insecure device to your secure corporate network). If you are intending to allow your staff to use a remote access application, you should provide guidance on how your employees must secure their home internet connection.
It should be noted that if you go down this route, this option requires having multiple computers available in your corporate environment for each employee to connect to.
What if you don’t currently use a cloud solution?
Some of the world’s largest IT companies including Microsoft, Google and Cisco have made significant efforts to help businesses during the COVID-19 outbreak.
- Microsoft are offering a free 6-month trial of their Office 365 E1 product. This only allows web-based office and collaboration applications; the ability to use desktop applications is not included.
- Google are providing free access to their advanced Hangouts Meet video conferencing facilities for all existing G Suite and G Suite for Education customers.
- Cisco are providing free licences for their Webex conferencing solution, Umbrella security protection, Duo Security and AnyConnect Secure Mobility VPN. These offers will be available until July 1st 2020.
Security resources/considerations around flexible/remote working
You should remind employees about connecting to all work resources securely. Your advice should cover areas such as how to use Wi-Fi securely and refrain from using public Wi-Fi wherever possible, tethering of mobile devices, your approved file-sharing solutions and how to use them, and use of corporate VPNs etc.
You are likely to be affected by an increase in remote working, so you should consider reviewing your organisation’s resources, policies, and procedures to ensure that the relevant aspects are fit for purpose, and that they are clearly communicated to all staff members.
If you need to remove work equipment from the normal work environment this can result in additional risks, including theft/loss of devices and damage. Ensure that employees are aware of the need to keep devices secure and protected for extended periods of time. If you are providing corporate devices for your staff to use at home, ensure they are encrypted to prevent any data loss should the device be lost or stolen.
If you are allowing remote users to access your systems, it is vital that they are as secure as possible. Ensure that all software security patches have been applied and that only the relevant applications, network ports and protocols are enabled. You may have systems that were never intended to be used remotely, so making them now available remotely can mean that additional security measures need to be put in place.
The following are some issues/questions that most SMEs will have to consider in order to allow their workforce to work remotely:
- How will users connect securely to your back-office systems?
- Is it even possible to provide access?
- Do you have sufficient hardware (laptops etc.) to enable staff to work remotely?
- If not, are you going to allow them to use their own computers to access your systems, and how do you know their systems are secure?
- Do you have a VPN (Virtual Private Network) solution in place? You may already have something in place for occasional use by a few members of staff, but do you have sufficient licences for all of your staff to work remotely at the same time?
- How are you going to stay compliant?
- If your staff work remotely for a couple of days, keeping their company laptops up to date isn’t a major issue, but what happens if the requirement for home working is prolonged?
- How will you ensure security patches are deployed in a timely manner?