Cyber security and working from home
Robin Clive-Matthews and Steve Mair
With the outbreak of the Coronavirus (COVID-19), an increasing number of employees are working from home, either to prevent the virus spreading or because they have been required to self-isolate. While this will hopefully lessen the impact of the virus on business continuity, it is likely to put significant pressure on IT and security infrastructure, as many businesses are likely not set up for a large contingent of the workforce to work remotely.
We thought it was timely to share some key suggestions for keeping your organisation running smoothly.
Non-technical mitigations for business continuity
Make sure that users know whether they can print when out of the office and, if they are permitted to do so, how to securely dispose of any sensitive documentation they print off. For example, using a cross-cut shredder may be acceptable while putting confidential documents in a recycle bin at home may not.
Update crisis plans
Review your business continuity and disaster recovery plans. Are there key personnel who must have corporate devices and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choose not to deliver all services all the time.
Check client contracts to confirm whether remote working is permitted and under what conditions—this will be relevant if your staff are embedded on a client site or your team are working with sensitive client data on your own site. If working from home is specifically excluded, talk to clients to develop appropriate acceptable working practices for the duration of the COVID-19 season.
Make sure that you have implemented two-factor authentication (2FA) for all users, and that they all know how to use it. This helps mitigate the risk of unauthorised users accessing systems remotely.
Make sure that all devices (company or personal) have been patched and have antivirus software installed, active and up to date. Ideally, use application allow listing, which is built into Windows. Importantly, ensure your remote access solution itself is kept up to date.
Check for vulnerabilities
Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties and helps ensure remote access for legitimate users is maintained.
It is also important to consider user support issues; for example, should employees need to print from home on devices outside of your normal printer fleet, how would you facilitate the installation of drivers, or manage job storage on personal printers?
Make sure you also consider the implications of requiring staff to use their home internet connection for work, including whether it is fit for purpose and how to handle technical issues with that connection. Consumer internet support tends to be considerably worse than business-grade internet.
Additionally, ensure that portable devices have appropriate firewalls to protect them from other devices on untrusted networks.
Consideration should be given to stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period while your network is experiencing higher than usual numbers of remote users.
Some organisations have chosen to split mass home working into groups, e.g. 50% of the company works from the office one week and the remainder from home, then the next week they switch over. Does your remote access solution have sufficient licences for mass remote working? Some solutions allow short-term licence over-use, but this may only be for a few days or a week.
Mitigations for Bring Your Own Devices (BYOD)
Cyber security is even more important if your organisation permits employees to use their own devices. Staff using their own devices bring about a number of other cyber security risks, such as sensitive data leakage and lack of central control.
To mitigate the risks around employees using personal devices:
- Make sure employees’ machines are updated to the latest operating system and security updates.
- If you allow BYOD to be connected to corporate networks, consider enforcing Network Access Control or limiting the machines to a segregated Wi-Fi network.
- Make a risk-based decision on whether non-corporate devices can be used if they do not have full disk encryption installed.
- Consider granting a temporary waiver for these extraordinary times, but beware of GDPR and requirements for company certifications, e.g. Cyber Essentials and ISO 27001.
- Issue users with temporary corporate devices even if the device may not have the full specification the user is used to.
As with nearly all cyber security responses, it’s your people who have the most influence over how smoothly your organisation copes with disruptions, such as enforced large-scale remote working. Good communications are key – every individual should be asked to confirm that they understand what’s happening and why, and commit to identifying potential problems early rather than in a last-minute panic. Some people will have to come to grips with applications and working techniques that they either haven’t encountered, or haven’t bothered with up until now. In this sense, remote working could even be a positive in illustrating how the right technology (and behaviours) can keep us resilient in the face of this type of challenge.