During this unique and uncertain time as we face the COVID-19 pandemic, organisations have had to set up employees to work remotely where they can and ensure that workers can connect securely to their company systems is of paramount importance, by making sure they have the correct cybersecurity controls to protect their data.

Consequently, IT Departments are facing unprecedented challenges around providing remote working access solutions that are both fit for purpose, and more crucially, secure.

Used to Remote Working?

For organisations with a mature remote working model already in place, the challenge is to keep everyone connected, with enough bandwidth to support the increased demand for communications, such as videoconferencing or VOIP calls.

Remote working newbie? 

However, for organisations that don’t have a formalised remote working policy, or those where remote working was only practised by a small subset of employees, there are additional challenges to face. For example, there may not be enough organisation owned devices for all employees, meaning that some could be asked to use their own personal devices, usually referred to as ‘BYOD’ (Bring Your Own Device). 

So, with this in mind, what are the critical areas that remote working policies, processes and technical solutions need to cover?

2. Accessing Corporate Resources 

Organisations need to ensure that only authorised users can access their systems and data.  Usually, this is achieved through the use of a Virtual Private Network (VPN); this creates an encrypted tunnel from the end– user device to the corporate network, allowing them the same access to corporate systems that they would receive when working from the office. 

With an increased remote workforce comes additional considerations relating to remote workers.  

Things to consider adding to your organisation’s remote working could be:

• Additional VPN licenses.  
• VPN client software pushed to end– user devices (or in organisations where BYOD usage is prevalent).
• ‘How To’ guides to be produced and circulated. 
• New user accounts.
• Multi-factor authentication integrated with the VPN solution.

All of these considerations could have an impact on the security posture of the organisation if not addressed. For example:

• Not having enough VPN licenses would impact the availability of corporate resources for affected users.  
• Users might download and install an outdated version of the VPN client software or may already be running an outdated version. Outdated software often contains security vulnerabilities that can threaten the integrity of the application itself, or the data it contains. 
• A VPN solution protected solely by password-based authentication is a prime target for automated, brute–force password guessing attacks. 

Furthermore, there could even be employees accessing non –internet facing corporate systems via methods not approved by, or potentially known about, by the organisation. This is commonly known as ‘Shadow IT’ and could arise when a resourceful department takes it upon themselves to broker their own remote access solution, such as installing a remote assistance tool onto a desktop or server within the corporate office, thus giving them access and circumventing the organisations security controls and usage policies. 

‘How To Guides’ covering common questions 

You might have these already within the organisation. If not, now is the perfect time to put something together! 

For example:

1. How do I connect to the VPN? 
2. Picking a Perfect Password/Passphrase  
3. Enabling BitLocker Full Disk Encryption 

Make sure to include clear headings, step by step instructions and screenshots where you can.  

What to do if there is a problem? 

In a work office environment, it’s easy to ask a colleague what to do or call the IT helpdesk extension. However, when an employee is working from home and encounters an issue, they may be distracted by other events in the home (such as young children requiring attention), and may not recall company procedures, such as what to do if you think you might have clicked a link within a phishing email.  

To make sure that employees are aware of the businesses’ requirements relating to reporting security– related incidents regular reminders of the policy, along with contact details of the relevant departments/people (telephone numbers, email addresses) should be circulated to ensure continued compliance. Any changes or updates made must be notified to staff. 

Be aware of your surroundings 

Consider publishing guidance relating to company policy on hard–copy document disposal for home workers. In the work office environment bins or shredders for secure document disposal are usually clearly marked and available in abundance, but in a home working environment are unlikely to be present. Users should be made aware of what to do with any confidential waste such as this, and also of the need to ensure that they are not inadvertently allowing others to view their screens (for example, working on a laptop with your back to a window when you live in a ground floor apartment). 

Importance of physical security 

Users should be reminded that physical security takes on a greater importance outside of the confines of the work office; controls that users take for granted such as physical barriers, access control systems and CCTV cameras are less common within the home office environment. They should take the same precautions as they would in an office to ensure the security of company assets and information. 

These tips are here to help you rather than scare. If you have questions or concerns, please email services@surecloud.com and we will do our best to assist you.  

Or check out our Q&A with our Principal Cybersecurity Consultant as he discusses COVID-19 risks, including the exposure consumer-grade video conferencing could bring.