What remote work means for your company’s IT security
As an IT company in Atlanta, we have seen explosive growth in employees working from home over the last decade. In industries like construction and architecture, a large percentage of employees work remotely from a job site. Other, more office-bound industries have seen an increase in remote work too. In some cases remote work is a perk that helps retain talent; in others it is a necessity because of worsening traffic in metropolitan areas like Atlanta. According to a recent study by Gallup, 43 percent of Americans spend at least some time working from home.
Yet the impact remote workers have on cybersecurity is rarely considered.
After-hours work complicates things further. Outside business hours most employees have no access to on-site IT staff and have to fend for themselves. Coupled with the fact that they tend to use their own equipment (router, wireless access point and, in some cases, a home PC), this makes security difficult to manage.
Remote work leads to the following security risks:
- Remote networks – whether an employee is working from a coffee shop, from home or on the road, it is often impossible to know what networks they are using to access work resources.
- Personal equipment – Often the machine used to access the corporate IT environment is a home PC, often shared between the various members of a family. This makes it very difficult to enforce corporate security policies or insist on certain basic safety systems.
- Cloud services – With the growth of cloud services like Office 365 and G Suite, employees are often working outside the corporate security umbrella while still accessing corporate resources. These services often make more complicated systems like remote desktops and VPNs redundant, but they weaken security if they are not themselves secured.
So how do you manage the security risk while still offering remote work to your employees? The answer is simple in theory but tricky to get right, and it depends on what the employee is doing. A supervisor on a construction site does not need the same level of security as a doctor doing a remote diagnosis.
To be able to protect your corporate system regardless of the specific job requirements, consider these guidelines:
- Assume the access (remote) network is always insecure.
- Assume that any non-corporate owned equipment is compromised.
- Prepare for the end user network to be compromised at some point and design accordingly.
- Consider contextual security – roles and work cultures vary, so the controls for a remote worker who handles confidential data should differ from those for one who only needs a narrow slice of systems.
Technologies available to put your remote infrastructure together include the following:
- Remote desktop services
- Cloud services (Office 365, SharePoint, etc.)
- Cloud file shares (Box, Dropbox, etc.)
- User-based permission enforcement (directory services)
- Multi-factor authentication (MFA) and single sign-on (SSO) services
Depending on your context you may need some or all of these. The exact recipe you follow will be unique but a strategic plan should be in place.
Consider a doctor who works from home on Mondays and Fridays and is on call at weekends for emergency consultations. The doctor's home office must behave like a corporate office, because confidential patient information will be accessed there.
It could look something like this:
- Separate internet connection paid for by business
- A corporate-managed firewall at the home that terminates a site-to-site VPN between the doctor's home and the office
- A corporate-owned PC running corporate-managed anti-virus and endpoint security software
- Corporate security policies in place addressing web filtering and conduct
- Multi-factor authentication for every system the doctor needs
The result looks and feels exactly like a corporate office, just located in the doctor's home. The goal is to duplicate the office environment for the user and, with it, the security profile already in use.
Now consider a construction supervisor who works 90 percent of the time from a construction site, on a non-governmental project whose data is not sensitive.
Their setup could look like this:
- No PC or laptop needed. They use a tablet only.
- Office 365 with MFA for email access on tablet and phone.
- Cloud file access through a third-party service like Box.com, integrated with Azure Active Directory and MFA.
This setup is nothing like the one in use at the head office: it supplies only the systems and data required for the duties of the role. The user gets remote access to email and to the files needed for that specific job, and nothing else, so the damage is limited should the tablet or the account be compromised. With remote infrastructures like this it is very important to follow through on least privilege. Make sure the user has only the access they need. Don't give access to the accounting drives if all they need is blueprints.
Your exact system will fall somewhere in between, but the basics stay the same. Understand the context and understand what your risks are. Always design for the specific job, and understand what happens when (not if) your remote office or worker gets compromised. You need a plan in place to address the situation and limit the spill-over.
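To make the two scenarios concrete, here is an added example (not code from the original article) of the contextual, least-privilege access decision the guidelines above describe, written in Python. The roles (`doctor`, `site-supervisor`, `accounting`), the resource names (`patient-records`, `blueprints`, `accounting-drive`, `email`) and the `Context`/`Rule` fields are hypothetical: patient records demand a corporate-owned device behind the site-to-site VPN plus MFA, blueprints demand only MFA on whatever tablet and network the supervisor happens to be on, and anything a role is not entitled to, or any resource not in the catalogue, is denied by default.

```python
# Added example (not from the original article): a contextual access-policy
# evaluator that encodes the doctor and site-supervisor setups as rules.
# Roles, resource names and the Context/Rule fields are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Who is asking, for what, and under what conditions."""
    role: str
    resource: str
    corporate_device: bool        # corporate-owned and managed endpoint
    on_corporate_network: bool    # e.g. behind the site-to-site VPN firewall
    mfa_passed: bool


@dataclass(frozen=True)
class Rule:
    """What a resource demands before access is granted."""
    allowed_roles: frozenset
    require_mfa: bool = True                 # MFA everywhere, per the guidelines
    require_corporate_device: bool = False   # personal equipment is assumed compromised
    require_corporate_network: bool = False  # remote networks are assumed insecure


# Hypothetical resource catalogue modelled on the two scenarios.
# Anything not listed here is denied by default.
POLICY = {
    "patient-records": Rule(frozenset({"doctor"}),
                            require_corporate_device=True,
                            require_corporate_network=True),
    "email": Rule(frozenset({"doctor", "site-supervisor", "accounting"})),
    "blueprints": Rule(frozenset({"site-supervisor"})),
    "accounting-drive": Rule(frozenset({"accounting"}),
                             require_corporate_device=True),
}


def evaluate(ctx: Context) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed check is recorded instead of
    short-circuiting, so the reasons list doubles as an audit record."""
    rule = POLICY.get(ctx.resource)
    if rule is None:
        return False, [f"unknown resource {ctx.resource!r}: default deny"]
    reasons = []
    if ctx.role not in rule.allowed_roles:
        reasons.append(f"role {ctx.role!r} is not entitled to {ctx.resource!r}")
    if rule.require_mfa and not ctx.mfa_passed:
        reasons.append("MFA required")
    if rule.require_corporate_device and not ctx.corporate_device:
        reasons.append("non-corporate device is treated as compromised")
    if rule.require_corporate_network and not ctx.on_corporate_network:
        reasons.append("remote network is treated as insecure; VPN required")
    return (not reasons), reasons


def reachable(role: str) -> list[str]:
    """Every resource a role can ever reach: the least-privilege surface to review."""
    return sorted(r for r, rule in POLICY.items() if role in rule.allowed_roles)


if __name__ == "__main__":
    # Constructed requests covering both scenarios from the article.
    requests = [
        Context("doctor", "patient-records", True, True, True),        # corporate PC behind the VPN
        Context("doctor", "patient-records", False, True, True),       # same, but from the family PC
        Context("site-supervisor", "blueprints", False, False, True),  # tablet on site, MFA passed
        Context("site-supervisor", "accounting-drive", False, False, True),
    ]
    for req in requests:
        ok, why = evaluate(req)
        print(f"{req.role:15} {req.resource:17} {'ALLOW' if ok else 'DENY '} {'; '.join(why)}")
    print("site-supervisor can reach:", reachable("site-supervisor"))
```

The `reachable()` report is the check to run before granting a role anything: if it lists the accounting drive for someone who only needs blueprints, the catalogue is wrong, not the user.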