With modern work practices evolving, remote working is now becoming more and more common. However, working away from the office also presents a myriad of security implications.
Stephen Bowes, Global Practice Director, Information & Security Technologies at BSI, offers his advice on preparing for the evolving and distributed workplace and meeting employee needs.
1. Physical security:
As users are not used to carrying their devices around with them, there can be an increased possibility of asset loss whilst transiting between the office and the home. Having device management technology incorporating asset loss protection, remote wiping functionality and potentially geo-location capabilities should be considered in combination with increased user awareness.
A review of home security should be considered. It is recommended that organizations provide a home security checklist incorporating checks such as ensuring Wi-Fi password security is set to be WPA2 or higher with a complex password, the use of locks if required and physical security such as alarms and physical locks. The check list should be submitted to an IT security officer for review and approval or remediation advice.
In an office you are surrounded by fellow employees and team members who are trusted. In a remote scenario that may not be the case and visibility of screens especially when it pertains to confidential information should be mitigated with the use of privacy screens to prevent unauthorized disclosure of information.
2. Software patching:
Whilst on the organizations network, administrators can push out software updates to client devices, monitor deployment status and take remedial actions. This may not be the case should the user be working from home and limiting the use of the corporate VPN. In the event of an extended work from home scenario, Administrators might consider switching client devices from using Microsoft or other centralised patch deployment to using Windows Update directly and configuring the client for automatic download and installation.
3. Passwords:
The use of passwords has had much debate recently and it is advisable that passwords with reasonable length are utilised. The use of passphrases which are specific to a user provides even greater security. Device security settings should be set accordingly to include display timeouts, lock screens, pin codes and or biometric security settings where that functionality is available. Also, important to consider changing the password expiration requirements to extend beyond a predicted isolation time to avoid password expiration coinciding with an inability to connect to some systems.
4. Encryption:
Encryption is one of the key data protection steps that organizations should complete irrespective of the location of the data. Disk encryption on the devices is there to protect data should the device fall into the wrong hands. VPN or virtual private networks are available to protect users when establishing a connection to the organizations network or utilising the internet from a non-trusted network. Additional encryption functionality such as email encryption or secure file transfer facilities should be utilised to ensure that data is secured whether at rest, in transit, being shared or in use. there should also be some serious considerations on how to distribute efficiently and securely the MFA tokens/devices for workers not on a work at home program (WAHP).
5. Identity and Privilege Access Management:
Ensuring that only authenticated users using approved devices can access authorized resources is key to safeguarding an organization. The use of an identity provider is recommended which ensures a centralized management portal to administer users and to enable advanced security features such as multi-factor authentication, policy management, account and application provisioning and reporting. Privilege Access Management applies to privileged users, who are those with higher levels of systems access and enables features such as least privilege, just in time and baseline user behaviour resulting in a more secure and risk aware experience. There should also be an evaluation of the license and capacity requirements to ensure new workers joining a WAHP will not exhaust the system.
6. Backups:
Data is created by users on end point devices. From there it is transferred to repositories such as cloud-based containers, servers or data centres. Whilst most of the organization’s focus is on those data repositories, consideration should be given to protecting the data on the endpoint. Were the asset to be lost or stolen or subject to a ransomware attack the recovery time to provide a new asset and bring it back to the point before the incident can be substantial, resulting in lost productivity. It is recommended that companies complete a data mapping exercise to understand where their data resides, classify their data accordingly and review their corresponding backup policies to ensure that they have data resilience in the event of data deletion, destruction, outage or manipulation.
7. Networking:
In an extended remote working model network connectivity is key to a successful transition. Users connectivity should be established to ensure they have both the speed and quality of connection and the required level of concurrent users to complete their working requirements. Resilience can be assisted with the use of the 3G and 4G networks to supplement the Wi-Fi should outages occur with their providers. In addition, consideration should be noted for slower performance by ISPs if the number of workers in a specific area climbs due to the shared network and network contention increases.
8. Attacks:
Bad actors take every opportunity to exploit scenarios as they evolve as they primarily target people as opposed to targeting systems. When people are at their most vulnerable these actors have the greatest success. With the stream of information emanating from the media, Governments and other sources it is easy for scammers to insert themselves into those information flows with emails pretending to be from these bodies potentially citing new information or false websites setup to pose as health information sites. The current best practice guidance around monitoring URLs, hovering over links to ascertain the validity of the address, not clicking on emails you are not familiar with and overall having a zero-trust view of Internet originated traffic and communications holds.
9. Hygiene:
Following officially issued advice regarding personal hygiene is particularly key as this moment in time. This holds true not just for the team member working remotely but also the people they are surrounded by and the devices that they use as the environment is only as clean as the weakest link within it. Failure to do so can result in a loss of productivity, the asset, and data if they become ill or must quarantine for that time period.
10. Policy management:
People in organizations utilize policies and procedures to ensure that they are operating in a systematic, repeatable and reportable way. Centralised policy management and enforcement can be stretched as the workforce transitions to a remote model and it is recommended that organizations look at a cloud-based policy management platform to enforce security, data protection, other related policies and are in a position to report on same. Lastly, try to minimize change as much as possible to prevent confusion and further add situations that have forced the remote working paradigm.
