For some time, several organisations have been providing flexible working practices for their employees. However, the onset of COVID-19 is posing numerous challenges, even for those that had already adopted remote working. From the logistical issues to the shortages of equipment, it has been an incredibly busy time setting up employees to work from home.
One significant issue that many didn’t anticipate was how the change of environment would impact information security. Home working decentralises the control and management of data and devices. As a result, updates to devices and applications may be missed, creating a cyber security risk.
Not only that, but the pandemic has become a window of opportunity for cyber criminals. More than ever, we are heavily reliant on electronic communication rather than face-to-face communication. Therefore, online threats such as phishing are rapidly increasing on a day-to-day basis.
It is paramount to consider the risks flexible home working can bring. Let’s take a look at some common areas to focus on when implementing remote working within an organisation.
Understand your systems
Believe it or not, understanding and documenting your systems, information and data is key to becoming cyber secure. It is vital to know the various ways in which your employees access the organisation’s systems, information and data. After all, this becomes considerably more complex when working from home.
Regardless of whether you have an internal or external IT resource, they should document what you have, how it works and where the data is located. If they don’t, it will be a considerable struggle to provide secure access to systems, information and data. Therefore, if either your provider or your organisation doesn’t know, this is where you must start.
Once this is complete, you will have a clear picture of all the internal systems, information and data points which your employees will need to access securely from home. It allows you to define specific and tighter security policies, especially around who can access systems, information and data remotely, and how and when they can do so. This creates a cyber security approach to the basics of home working.
Prepare your staff
Working remotely can be a challenging experience as it is, even more so when we had to adopt home working rapidly in lockdown. It is essential to communicate with your employees clearly and regularly, so they understand how they should access systems and manage data as securely as possible.
Employee training and education is fundamental to the success of secure remote working, especially in a remote working environment where cyber risk increases rapidly. Helping your employees to understand cyber risks, how to avoid getting caught out, and how to report them is vital. Employees can’t help your business be as secure as possible if they do not have the proper knowledge and information. This can range from advice on how to spot a phishing email and being wary of links and downloads, to the escalation process if your employee spots a risk.
You may have implemented new systems and applications to allow your employees to work from home. But have you made sure your employees know how to use them? Often confusion and a lack of understanding will lead to your employee finding their own solution, resulting in a high risk to your cyber security. For example, if you haven’t trained your employees to use a new file-sharing system, they may use an alternative like Dropbox.
Check that all the devices your employees are using at home are approved devices, whether a company device or a managed personal device. This will allow you to control the security of the device, from completing system and application updates and managing anti-virus and firewalls, to encrypting the device. It also gives you the ability to wipe devices, should you need to, if the employee leaves or the device is lost or stolen.
Implement secure remote access
Your systems must be remotely accessible only via secure methods. Whether this is via VPN, RDS, Citrix, Microsoft or Amazon, make it as secure as you possibly can.
Layering security up around your data and systems will make it far more challenging for an unwanted guest to gain access to your systems. Multi-factor authentication (MFA) is a great starting point, protecting user accounts for systems and services. It adds an extra step which allows your employees to approve the login via a mobile device. MFA can specifically help protect your assets from phishing, poor password management and poor account hygiene. Implement complex passwords as well; you might as well make it as difficult as possible for someone using a brute force attack.
It is probably obvious, but make sure all employees are aware that they should only access the internet through a secure network. Most will be at home, but for those who may be accessing systems from an untrusted outside source, it is crucial to secure access via a VPN or RDS/Citrix to protect data that is in transit.
If it is difficult to find a secure method to access your systems, you could tether to your phone securely. This is safer than publicly accessible Wi-Fi and, in conjunction with the other methods mentioned, will be relatively secure.
So to close
Cyber security is an ongoing challenge for all organisations. Given the current situation, it’s essential to ensure you can create a secure remote working environment.
We think taking a blended approach to your security will pay off. A mix of physical security, software and investment in training will give your business greater protection in the long term. Don’t forget your internal security policy: it will define how staff use your systems and what your expectations of them are.
If you don’t have any policies or systems in place, speak to your IT department or external provider. They should be helpful and engaged in the subject and help you develop your overall systems and policies.