printer friendly version

Working from home securely

In terms of the COVID-19 situation, we read too much about isolation and work from home, but we go through even more on how to organise our work-from-home processes. As a security expert, I will not tell you about tools or life hacks for productive remote work. I want to talk about the risks a company faces when businesses have to move employees urgently to a home office and how to organise everything to prevent risks.

In my opinion, there are three main risks:

1.) Employees who are not familiar with remote work will most often take this kind of work for a holiday break and the employer will not only lose revenue due to loss in productivity but also will remunerate these employees for a service not delivered.

2.) Security issues include the limitation small businesses experience due to lack of resources and infrastructure trying to move employees off-site in such short space of time. It is also important to realise the risks that are involved in such an operation. It is also a major challenge for large enterprises, moving several thousand employees to work remotely from home.

Sergey Ozhegov.

3.) Challenges that companies face with staff working remotely include: unstable Internet connections, unsuitable working conditions (an employee is unlikely to be productive if he/she lives in a small apartment with their partner and a couple of preschool children). However, the responsibility remains with the employee to ensure that they create a workable environment in their homes as they still have a responsibility towards the service delivery of their company.

If the last risk is entirely left to an employee, then the first two can be neutralised by implementing and managing information security processes properly. I’d like to outline three main approaches that describe options for a quick and relatively inexpensive solution for business implementing remote working conditions:

1. Remote access to corporate services

The approach assumes that employees use their personal laptops to connect to all the necessary services: CRM systems, VoIP telephony, workflow systems, task trackers and corporate mail. Access to the familiar IT infrastructure, as a rule, is provided simply through a browser.

How fast can it be done? Time frames depend on the choice: either provide access to services from the Internet or to securely connect them to the platform of a hosting- or cloud-service provider. If a company has not worked with the listed corporate services before, then it makes no sense to implement this service from scratch to arrange remote access as it will take a lot of time and effort.

Financial expenses: The costs of organising this kind of work are close to zero or equal to the amount of the monthly subscription for the services of a cloud service provider.

Risks: If the protective measures are taken, sensitive corporate information will be safe. I’d like to outline the following minimum:

• Two-factor authentication when entering services e.g. SMS.

• Strict access control (this is normally ignored).

• Cryptographic protection of data transmission channel.

• Maximum restriction for copying and downloading (for example, blocking the right mouse button, clipboard - this can be done in the settings of the corporate service).

If there is no data protection, I would not recommend this approach, because the employer is almost completely losing control over corporate data.

Pitfalls: If you use the platform of a hosting/cloud service provider for your services, you need to make sure that they comply with local laws and corporate information, including the protection of personal data of employees that are stored on these servers.

2. Remote access to corporate IT infrastructure

An employee can access his/her corporate PC or desktop of a terminal server from his/her personal device. This option is convenient, as an employee will be able to use the standard tools and will see the usual desktop and icons.

Here we could talk about access through VDI, which is considered one of the safest approaches for remote work. Nevertheless, deploying it quickly without a well prepared IT infrastructure is costly and time-consuming. This option might be viable for large corporates. but it has a major financial impact as VDI workstations are expensive and the logistics in a lockdown environment might become a nightmare to manage.

How fast can it be done? This option will require time training employees on how to use the remote connection software accessing the corporate PC or terminal server.

Financial expenses: There are practically no costs, because the issue is resolved in the settings of the operating system and network devices. If you need to organise access to the desktop of the terminal server, additional costs may be required to expand the bandwidth and the procurement of additional hardware as they will be overloaded.

Risks: Although, in this case, the data does not leave the corporate perimeter, the employee is the weakest link in this scheme. An employee may compromise his/her account if a username or password becomes known to outsiders. Therefore, as in the previous approach, the level of security depends on additional security measures. Two-factor authentication is required to access corporate services, including electronic mail. In addition, you must completely prohibit, through security policies, the downloading of data to personal devices, as well as access via open, unencrypted connections.

3. Mobile workplace

This approach assumes that an employee takes his\her corporate laptop home. Since it is a part of the employer’s IT infrastructure, all information security policies remain valid, but need to be adjusted. In particular, it is necessary to ban employee’s access to the BIOS so that he/she can’t boot an OS from a flash drive. Frankly speaking, all external ports should be blocked; usually in the office this not a requirement.

These are the approaches and measures that any business can implement quickly and with minimum budget. But you’ll probably need to spend extra money on strengthening technical support from the outside, because the resources of your employees - IT and information security experts - may simply not be enough. This applies especially when it comes to SMBs, where specialists often are not employed due to the cost of such an expert or the scarcity of this skill.

Therefore, when planning remote work, you will have to realise that you may not be able to cope with everything yourself. Obtaining outsource support can be a robust solution that saves time and money. Besides, many vendors and service providers, including us, are meeting clients’ needs by offering different solution including, but not limited to, free software licenses, consultations, and a wide range of other services.

Share this article:

Further reading: