Working from home securely

Issue 3 2020 Security Services & Risk Management

In terms of the COVID-19 situation, we read too much about isolation and work from home, but we go through even more on how to organise our work-from-home processes. As a security expert, I will not tell you about tools or life hacks for productive remote work. I want to talk about the risks a company faces when businesses have to move employees urgently to a home office and how to organise everything to prevent risks.

In my opinion, there are three main risks:

1.) Employees who are not familiar with remote work will most often take this kind of work for a holiday break and the employer will not only lose revenue due to loss in productivity but also will remunerate these employees for a service not delivered.

2.) Security issues include the limitation small businesses experience due to lack of resources and infrastructure trying to move employees off-site in such short space of time. It is also important to realise the risks that are involved in such an operation. It is also a major challenge for large enterprises, moving several thousand employees to work remotely from home.

Sergey Ozhegov.

3.) Challenges that companies face with staff working remotely include: unstable Internet connections, unsuitable working conditions (an employee is unlikely to be productive if he/she lives in a small apartment with their partner and a couple of preschool children). However, the responsibility remains with the employee to ensure that they create a workable environment in their homes as they still have a responsibility towards the service delivery of their company.

If the last risk is entirely left to an employee, then the first two can be neutralised by implementing and managing information security processes properly. I’d like to outline three main approaches that describe options for a quick and relatively inexpensive solution for business implementing remote working conditions:

1. Remote access to corporate services

The approach assumes that employees use their personal laptops to connect to all the necessary services: CRM systems, VoIP telephony, workflow systems, task trackers and corporate mail. Access to the familiar IT infrastructure, as a rule, is provided simply through a browser.

How fast can it be done? Time frames depend on the choice: either provide access to services from the Internet or to securely connect them to the platform of a hosting- or cloud-service provider. If a company has not worked with the listed corporate services before, then it makes no sense to implement this service from scratch to arrange remote access as it will take a lot of time and effort.

Financial expenses: The costs of organising this kind of work are close to zero or equal to the amount of the monthly subscription for the services of a cloud service provider.

Risks: If the protective measures are taken, sensitive corporate information will be safe. I’d like to outline the following minimum:

• Two-factor authentication when entering services e.g. SMS.

• Strict access control (this is normally ignored).

• Cryptographic protection of data transmission channel.

• Maximum restriction for copying and downloading (for example, blocking the right mouse button, clipboard - this can be done in the settings of the corporate service).

If there is no data protection, I would not recommend this approach, because the employer is almost completely losing control over corporate data.

Pitfalls: If you use the platform of a hosting/cloud service provider for your services, you need to make sure that they comply with local laws and corporate information, including the protection of personal data of employees that are stored on these servers.

2. Remote access to corporate IT infrastructure

An employee can access his/her corporate PC or desktop of a terminal server from his/her personal device. This option is convenient, as an employee will be able to use the standard tools and will see the usual desktop and icons.

Here we could talk about access through VDI, which is considered one of the safest approaches for remote work. Nevertheless, deploying it quickly without a well prepared IT infrastructure is costly and time-consuming. This option might be viable for large corporates. but it has a major financial impact as VDI workstations are expensive and the logistics in a lockdown environment might become a nightmare to manage.

How fast can it be done? This option will require time training employees on how to use the remote connection software accessing the corporate PC or terminal server.

Financial expenses: There are practically no costs, because the issue is resolved in the settings of the operating system and network devices. If you need to organise access to the desktop of the terminal server, additional costs may be required to expand the bandwidth and the procurement of additional hardware as they will be overloaded.

Risks: Although, in this case, the data does not leave the corporate perimeter, the employee is the weakest link in this scheme. An employee may compromise his/her account if a username or password becomes known to outsiders. Therefore, as in the previous approach, the level of security depends on additional security measures. Two-factor authentication is required to access corporate services, including electronic mail. In addition, you must completely prohibit, through security policies, the downloading of data to personal devices, as well as access via open, unencrypted connections.

3. Mobile workplace

This approach assumes that an employee takes his\her corporate laptop home. Since it is a part of the employer’s IT infrastructure, all information security policies remain valid, but need to be adjusted. In particular, it is necessary to ban employee’s access to the BIOS so that he/she can’t boot an OS from a flash drive. Frankly speaking, all external ports should be blocked; usually in the office this not a requirement.

These are the approaches and measures that any business can implement quickly and with minimum budget. But you’ll probably need to spend extra money on strengthening technical support from the outside, because the resources of your employees - IT and information security experts - may simply not be enough. This applies especially when it comes to SMBs, where specialists often are not employed due to the cost of such an expert or the scarcity of this skill.

Therefore, when planning remote work, you will have to realise that you may not be able to cope with everything yourself. Obtaining outsource support can be a robust solution that saves time and money. Besides, many vendors and service providers, including us, are meeting clients’ needs by offering different solution including, but not limited to, free software licenses, consultations, and a wide range of other services.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Key timelines to ensure compliance
Security Services & Risk Management
Regulations to the Occupational Health and Safety Act that apply to major hazard installations require that certain actions be taken to manage health and safety risks – some with timelines for compliance that must be monitored.

Best practice tips for strengthening data privacy system
Security Services & Risk Management Cyber Security
International cybercriminals are increasingly targeting South African organizations, making data privacy more difficult to maintain. A standardization expert offers insight to help combat this threat.

Is AI the game-changer for streamlining anti-money laundering compliance?
Financial (Industry) Security Services & Risk Management
In the aftermath of South Africa's recent grey listing, companies are now confronted with the imperative to address eight identified strategic deficiencies, while simultaneously reducing their financial crime risk through anti-money laundering compliance processes.

Five ways to reduce your cyber insurance premiums
Security Services & Risk Management News
With the global costs of cybercrime expected to soar to $13 trillion within the next five years, cyber insurance is booming as organisations try to mitigate the risk of financial losses.

Client satisfaction boosted by 85% at Thungela Mine
Thorburn Security Solutions News Security Services & Risk Management Mining (Industry)
Thorburn Security, a division of Tsebo Solutions Group, has announced its recent collaboration with Kwa-Zulu Natal security company, Ithuba Protection Services, as part of its Enterprise Supplier Development (ESD) initiatives across Africa.

Migrating to the cloud? Beware the many hurdles
IT infrastructure Security Services & Risk Management
While there are undoubtedly many benefits, there are also numerous hurdles to cloud adoption. Some of the biggest challenges revolve around managing cloud spend, understanding the cost components of cloud infrastructure, and how those costs can scale.

Key strategies for businesses in the face of cyber threats
Cyber Security Security Services & Risk Management
Businesses face severe financial and reputational consequences due to data breaches and daily website hacks, and not all organisations are adequately prepared to combat these escalating threats.

Planning for the worst is key to success
Technews Publishing Security Services & Risk Management
Planning for the worst is key to success when disaster strikes. Amidst frequent load shedding and often unpredictable stages of power outages, many businesses are concerned about the possibility of a total blackout.

Protecting South African systems through XDR cybersecurity
Cyber Security Security Services & Risk Management
Carlo Bolzonello, Country Lead for Trellix South Africa, discusses how the country can protect its valuable digital assets through the artificial intelligence-enabled Extended Detection and Response (XDR) cybersecurity approach.

[Sponsored] Protecting Against Ransomware Attacks: Lessons from Recent POPIA Fine
Cyber Security Security Services & Risk Management
According to Sophos' most recent ransomware report, an alarming 78% of the South African organisations that Sophos surveyed experienced ransomware attacks in the past year.