Remote working is great – but it presents security challenges that have to be addressed.

The modern workplace is markedly different from the 9-5 equivalent of even 15 years ago. Mature businesses offer a variety of schemes to entice information workers into challenging jobs and provide hours that suit them. Many employers provide flextime, some offer career breaks and an increasing proportion offer remote working as an option.

Remote working is simply a circumstance in which employees conduct their tasks at home, using technology to connect them to colleagues and teams.

A recent study conducted by the Federal Government, of its own working practices in the USA, showed that nearly half (47%) of Federal employees had the option to work from home if they wanted to.

Unfortunately, while remote work eliminates commute time and allows work to form around other commitments, like dropping the kids off at school in the morning, it also presents security challenges that must be addressed by the IT departments of these supportive companies.

Security for home workers begins with getting the basics right at the user end

These are the most basic requirements for any sensible IT team considering offering remote working to employees. They’re table stakes for any organization wishing to allow staff to work remotely.

  • A clear, enforced password policy: The general rule that a password should contain unusual symbols and numbers is actually not correct. The best passwords are long passwords, using a number of words in a sequence which is well understood by the user and hard for hackers using brute force to guess or crack. For example, ‘mymumsnameiskate’.
  • Antivirus protection & VPNs (Virtual Private Networks): All employees should have enforced installation of antivirus and VPN software on all of their corporate hardware. Employees should be reminded to use VPN software every time they access the internet and to be especially aware of what’s happening when they use a public Wi-Fi connection, if you allow that sort of connection at all.
  • Email warnings: Finally, any basic remote working policy should include warnings about emails. Email is the most used business application and a connection to it is the fastest way to expose corporate assets to risk outside the office. More than 150 million phishing emails are sent each day and hackers never tire of devising another email-based scam, purely because they are so simple and so profitable. It may not be possible to technically prevent sensitive files being sent outside the office by email, but it is possible to warn employees of the risks and to include acceptable behavior standards in the policies associated with use (see below).

Sensible, centrally managed security policies

Considering the same basic level of enforcement from the server end – within the organization’s firewall:

  • Remote asset management: IT departments should insist on centralized software facilities which enable remote monitoring of the ever-broadening array of mobile / connected products and a remote wipe facility. BlackBerry was really the first company to take this seriously. They implemented over 100 security policies, including the above, when BlackBerry assets were ubiquitous and popular. Those same facilities have now found their way into many Mobile Device Management (MDM) software tools.
  • A USB Policy: Just as with email, USBs (external ‘memory sticks’) present one of the key security flaws faced by any organization (just ask the CIA about Edward Snowden). IBM, for example, has recently banned all removable storage (with a very small number of exceptions).
  • Encrypted information assets behind the firewall: Finally, depending on the sensitivity of the information you’re dealing with, you may choose to implement an appropriate level of separation for critical company documentation behind your firewall, and consider encrypting it.

Clear, documented, understood procedures and policies for remote working and security

Whatever technology solutions you have in place need to be matched with input from Human Resources (HR) to cover the ‘people’ component of a successful implementation.

  • Clear policies: Define clear procedures and policies for the use of company assets in the field. One very simple example is ensuring that there is a documented policy on company asset use and pornography – a combination which is asking for trouble if the goal is security for remote workers.
  • It’s not enough to follow these policies: Security is often the opposite of convenience. People need to understand the policies they are asked to follow and to see the value in them so that they buy in. Managers must support the IT department’s intentions by talking seriously to the staff about any breaches which take place in their team.
  • Policies on physical security: An organization’s remote workers expose company assets to risks that are different from those faced in the office. Inquisitive children and disobedient animals will both be exposed to company equipment in the home. This is especially true of mobile assets – and, in the case of children, especially true of phones. If the company is paying for the device AND the monthly mobile phone bill, it has the right to determine the circumstances under which the equipment will be employed. Likewise, policies on laptops and taxi cabs should be discussed – the adult equivalent of the risk posed by children and pets.

Bringing it all together

The biggest threat to your organization’s IT security policy is the people that work at the company. They are also the company’s major asset and the only path to productive output. Employees expect the benefits of remote working to be available to them now, and they will assume that security is dealt with for them. The reality is, however, that every team in the organization, large or small, needs to have a hand in defining workable security policies, software, and physical security to minimize the risks of remote working.

Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC. If you are interested in writing something for us, please do not hesitate to contact us: blog@thesecurityawarenesscompany.com.

Neil Aitken

Editor in Chief at WhatPhone

Neil Aitken is the editor in chief for WhatPhone.com.au. He has worked on small business telephony solutions in the past and has written on the subject of telco trends, innovation and SIM Plans for Business Insider, The Sydney Morning Herald, Vodafone Australia and Savings Room, one of Australia’s leading blogs.
