Every so often an event will occur that will make the time, effort and money spent on contingency all worthwhile.
It’s a new world
Global concern around the spread of Coronavirus (Covid-19) is forcing organisations large and small to look at how they can maintain operations and continue to do business when both employees and customers could be facing travel restrictions or self-isolation.
Enabling your employees to work remotely not only allows more flexibility and efficiency, but it could also form the basis of a solid Business Continuity plan. Some companies have spent considerable time and effort in implementing effective remote working solutions, and can now fall back on those well-established policies and practices. Many other businesses, however, are having to rush to provide some form of remote working capability, or are scrambling to scale up existing solutions to reassure workers and clients that, so far as is possible, it’s business as usual.
In the race to enable a ‘mobile workforce’ however, it’s important not to lose sight of the Information Security implications of such capabilities. Whether your IT is ‘in-house’ or managed through a provider or partner, you need to take responsibility for making sure that no matter what, your business maintains visibility and control over business-critical data.
Watch where you click
Security may not be at the forefront of your mind with all that’s going on, but be assured that Cyber Criminals are constantly on the lookout for any new opportunities, and this is no exception. We’ve already seen a number of “Coronavirus Map” web pages with embedded malware, and a plethora of phishing emails offering advice or malicious links to purported sites to help you with your “tax refunds”. There are no morals here, and no let-up – far from it.
Working from home security challenges
When allowing your staff to access business resources away from business premises, it’s difficult to extend the same electronic and physical controls that they (and more critically, the data they’re accessing) are usually subject to when within your security ‘perimeter’, so the threat of data leakage should be at the top of your list of concerns.
Home devices and networks carry considerable risk. Typically, these are shared among everyone in the household, with insecure access and simple (or worse, default) credentials used – great for connecting up the kids’ new phones without tantrums, not so great for keeping the network, attached devices and business-critical data adequately protected. This, coupled with laptops or computers that aren’t patched, or that have out-of-date or no Anti-Virus software, means that they are at high risk of attack, and may in some cases already be compromised.
If you’re in a position to provide laptops, or Virtual Desktop capability to your team to enable them to work from home, then you’ll have a decent degree of control over the systems and data – but make sure you seek assurances from your IT team or (particularly) your IT provider around how they will be applying security – don’t assume it’s at the forefront of their minds either. You could also think outside the box here, perhaps looking at solutions such as Chromebooks and online-only access to data.
The difficult reality though, is that many businesses venturing into this territory for the first time or massively scaling up work from home capability won’t have stocks of laptops to provide, and may be forced to fall back on letting their teams, at least temporarily, use their own machines.
Businesses with full-blown remote working and active ‘Bring-Your-Own-Device’ (BYOD) policies typically use device management tools and enforce security policies to limit the risk from some of these threats. But these can be expensive and take lots of time to implement and maintain – so what steps can you take to remain ‘Business As Usual’ when working conditions are potentially anything but?
What can you do?
Number one, as always, is awareness. Make sure employees are aware of the threats and encourage practices that could mitigate the risk. Creating and communicating clearly defined policies to tell employees what tools to use and precautions to take will make it clear to everyone what is acceptable and what isn’t – and what the risks are – both to the company, and to them.
Importantly, you really want to avoid a situation where your employees end up with business data on personal devices. Issuing company-owned devices with secure VPN capabilities to protect network traffic gives you full control over those devices and the security policy enforced on them, making unauthorised access difficult and protecting the data they hold through encryption.
Company devices not an option? Aim to provide a secure remote access solution that keeps business data within the corporate environment. Remote Desktop solutions such as Citrix, Microsoft Remote Desktop or another secure ‘Virtual Desktop’ solution can ensure that no data will leave the secure environment, and could also give your employees a familiar user experience as if they were sat at their desks.
If you have no choice but to let employees use their own devices to access business resources, be prepared to help them secure their environment and devices as much as possible. Make Anti-Virus software available to them or provide a reference for freely available software and tools, and include recommendations and best practices in your policies or communications (Do you have Windows Firewall enabled? Here’s how to check!). Utilise online resources and free training such as that available from the National Cyber Security Centre. Think carefully, and ask questions, about how you implement remote access – for instance, a VPN may not be a good thing in these circumstances, as it may allow access from compromised home machines into the corporate network if it is not configured appropriately for this (unusual) setup.
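One way to turn the “here’s how to check” suggestion above into something you can send to staff for their own Windows machines. This PowerShell script is an added example, not part of the original article; it is read-only, assumes Windows 10 or 11 with Microsoft Defender as the Anti-Virus product, and its age thresholds are illustrative assumptions.

```powershell
# Added example: read-only baseline self-check for a home Windows PC.
# Thresholds below are illustrative assumptions, not values from the article.
$MaxSignatureAgeDays = 7
$MaxPatchAgeDays     = 45
$results = @()

# 1. Windows Firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($fwProfile in Get-NetFirewallProfile) {
    $results += [pscustomobject]@{
        Check  = "Firewall ($($fwProfile.Name))"
        Pass   = ("$($fwProfile.Enabled)" -eq 'True')
        Detail = "Enabled = $($fwProfile.Enabled)"
    }
}

# 2. Anti-Virus: Defender must be running with reasonably fresh signatures.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $results += [pscustomobject]@{
        Check  = 'Anti-Virus real-time protection'
        Pass   = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
        Detail = "AntivirusEnabled = $($mp.AntivirusEnabled), RealTime = $($mp.RealTimeProtectionEnabled)"
    }
    $results += [pscustomobject]@{
        Check  = 'Anti-Virus signatures'
        Pass   = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        Detail = "$($mp.AntivirusSignatureAge) day(s) old"
    }
} catch {
    # Defender cmdlets missing or disabled, e.g. a third-party product is installed.
    $results += [pscustomobject]@{
        Check  = 'Anti-Virus'
        Pass   = $false
        Detail = 'Defender status unavailable; confirm the installed product manually'
    }
}

# 3. Patching: how long ago was the most recent Windows update installed?
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($lastPatch) { ((Get-Date) - $lastPatch.InstalledOn).Days } else { $null }
$results += [pscustomobject]@{
    Check  = 'Most recent Windows update'
    Pass   = ($null -ne $age -and $age -le $MaxPatchAgeDays)
    Detail = if ($lastPatch) { "$($lastPatch.HotFixID), $age day(s) ago" } else { 'No dated update found' }
}

$results | Format-Table -AutoSize -Wrap
```

Any row showing `Pass = False` is something to resolve before that machine is used to reach business resources.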
Collaboration & Productivity Tools
Collaboration and document sharing tools can also be a huge risk, even when employees are not working remotely. Free-to-use tools such as Dropbox or Slack make it easy for anyone to communicate and share documents – but this is often outside of business policy and control. Often referred to as ‘Shadow IT’, the use of ‘unauthorised’ tools that negate or bypass corporate security controls means that data and documents could be leaving the business without ever being seen or tracked – often unwittingly, as employees are just looking for the easiest ways to do their jobs.
To tackle this, find out what tools your workers need to work effectively and seek to provide ‘corporate’ options that can be managed, controlled and audited to maintain visibility and security. Tools such as Dropbox or Slack offer ‘Business’ or premium versions that will allow secure collaboration and document sharing, so include these in your standard application set and declare them the tools of choice in your policies – making clear that use of other solutions in the shadows is not acceptable.
Many vendors are offering free or heavily discounted solutions to allow businesses to respond quickly to the increased demand for secure remote working – but the configuration and the policies put in place around these solutions are just as important as having the right tool for the job.
Agility and Responsibility
Your business and employees are all responsible for keeping your business’s and your clients’ data safe – policies and procedures can provide guidance, but implementing secure remote access and secure working solutions can ensure the business remains in control and has full visibility of its data assets.
As always, effective security requires a balance between “secure” and “productive and agile”, and times like these put huge emphasis on the latter, but it’s critical not to lose sight of the former.