Building a remote workforce serves as a necessary business tool and contingency buffer in the event of business disruption. With millions of individuals in the UK now working remotely due to quarantine restrictions, it’s safe to say that “business disruption” has been taken to a whole new level.
While remote working has generally been driven by modern business requirements, the sudden necessity to capitalise on it is also bringing a series of security challenges and possible pitfalls to look out for.
Cyber attacks are always likely to occur, but more so during a national lockdown. Therefore, when employees are pulled away from their day-to-day work environment and routines, the two main questions to ask yourself are:
Are your systems and business software secure enough to cope with the risk of working from home?
To help you build your security checklist, we’ve handpicked our top tips on how to maintain security when employees are working remotely.
1. Implement a remote working security policy
It’s essential to have clear guidelines that explain to your remote working staff how to use services and software securely. Explaining how and when to log on, use video-conferencing tools, and access internal resources and data is key not only to establishing best practice from the outset, but also to ensuring that staff are fully briefed and in control of their working day.
2. Secure and manage the endpoints
Although many businesses issue remote workers with a dedicated company laptop, some will still be using their own PC. Personal equipment will not be centrally managed and configured in accordance with your internal data policies, so it’s essential to ensure that your staff have installed reputable anti-virus tools, such as Kaspersky AV or Carbon Black, and that the AV is up to date with the latest signatures.
Commercial mobile device management (MDM) tools also allow devices to be set up with a standard configuration, saving time and effort. MDM tools usually include the ability to remotely lock a missing device, erase data or retrieve a backup, all essential services that will be appreciated by workers and the IT department alike.
3. Be wary of Coronavirus phishing scams
Arguably the greatest single threat to companies today comes from phishing. Whether it is untargeted, high-volume fake coronavirus updates that deliver ransomware or spear-phishing attacks aiming to pull off Business Email Compromise (BEC) scams, the risk is significant. Remote workers should therefore be trained by the business to spot suspicious emails and query (or simply ignore) them.
In addition to initial training, it’s essential that remote workers act as their own first line of defence, by double-checking the authenticity of messages, emails and phone calls. If in any doubt, the exchange should be reported to a pre-agreed internal security team contact point. Be especially wary when presented with sudden ‘emergency’ situations, where a caller or email contact asks you to break protocol due to a poorly explained crisis.
4. Operate or subscribe to a VPN and implement 2FA
A corporate VPN is an essential security measure, especially for remote workers who may be using suspect connections. However, it is worth bearing in mind that more licences may be required to support larger numbers of remote workers, and that bandwidth may be restricted at certain concurrent user numbers.
It is also particularly important that VPN endpoints, like any other software, are fully patched. VPN use should be subject to two-factor authentication (2FA), which is simple to set up on VPNs from the likes of WatchGuard and Palo Alto Networks. See the NCSC guidance on VPNs.
Mandating strong passwords is just as important, and adding an extra layer in the shape of two-factor authentication is highly recommended. Larger corporates are likely to have two-factor already in place, but if not, there is a range of options to suit businesses of all sizes right down to the sole trader. When selecting any product, ensure that it offers 2FA.
5. Make the most of your resources
It’s recommended that any device containing corporate data be encrypted at rest, especially highly desirable devices like smartphones and laptops. The good news is that most devices support some kind of encryption natively, so ensure that this is activated and configured correctly.
Additionally, many businesses will already be familiar with elements of Microsoft’s Office 365. Building on the usual desktop suite of Word, Excel and PowerPoint by taking advantage of powerful collaboration tools such as SharePoint and Teams not only avoids service duplication, but also simplifies data security and policy enforcement.
Some of the best tools out there for remote working are probably already a staple of your business operations, from Secure Cloud Storage and Microsoft’s tools through to Google’s G Suite. However, be mindful that some of these big names could be a poor fit for the processes that remote workers are required to carry out in the course of their everyday role. The result is typically a ‘workaround’ involving third-party services or USB drives, especially where data sharing and storage are concerned.