With the Government’s latest measures that people should work from home wherever possible, it’s an important time to remember these key security considerations for remote working.
IT departments around the world are probably feeling a bit smug right now. At least they would be if they weren’t so busy.
After years of IT teams explaining why it’s worth investing in modern IT that can support remote working even if staff are mostly on-premises, whether for a business or to future-proof a school, remote working is suddenly all the rage. In fact, it’s mandatory wherever possible.
For businesses who have already shifted to the cloud or have their VPN or other remote access solution set up to support the whole business, this won’t be a problem. But a lot of us won’t be so lucky.
When it comes to IT, there is often a trade-off between agility and security. The fastest solution is rarely the most secure. In the rush to get staff up and running, business owners and IT departments can leave themselves exposed to new risks.
Threat actors know that businesses will be trying to get their users set up for remote working as fast as they can. So there are likely to be more hacking attempts over the next few months than usual.
We recently caught up with a cybersecurity expert to find out what businesses can do to secure their workforce. He didn’t want to be named - drawing attention to your cybersecurity skills can give hackers a reason to target you - but he was happy to share some advice.
“If you make a snap decision and get hacked, that could be the end of your business. But if you take a step back and spend a few days sorting things out, yes you might have some downtime, you might even lose a bit of money, but you’re not leaving your business exposed.
“Travelex were down for a couple of months after a hack that cost them an estimated £25 million - they couldn’t sell currency in airports or online. People need to step back and think.”
Before you deal with outside threats, you need to think about staff behaviour. Careless and uninformed staff are often just as instrumental in a breach as hackers. For a lot of non-IT people, cybersecurity isn’t a priority and things like installing updates are little more than an inconvenience.
It’s also much harder to monitor and control the behaviour of staff who are working from home, especially if they’re on their own devices. So a clear policy that details what’s expected when people are working from home is important.
“A lot of businesses don’t have any kind of policy for this situation. We would usually provide training, create a policy to reinforce that training and then get sign off on that policy from the users.”
“The policy should say: ‘This is what you’re allowed to do, this is what you’re not allowed to do, and this is how to behave when you’re working from home.’ It just gives the company some protection if someone does step outside of what they’re supposed to be doing.”
The way that people use the internet in their own home is often very different from how they use it in work. But it’s important for staff to understand that if you’re running a VPN, the chances are all your traffic is being routed through the business’ network.
“If you’re downloading copyrighted material or looking at content you shouldn’t be, the business is liable for that because that traffic is coming from a work IP address. So you need to make it clear to all staff that they need to use the internet the same way they would at work, even if they’re sat on their sofa in their pyjamas. It’s down to policy and education.”
A lot of workers are not only working from home, but also using their own devices. ‘Bring Your Own Device’ (BYOD) policies have gained popularity over the last few years, but they also present a range of security risks that need to be managed.
“A lot of companies are supplying staff with a device to remote work on - as the device is supplied by work it should be up to date, and locked down so end users can’t just go installing anything they want on there.”
“But what we’ve seen is that those laptops can run short, so they started giving people software to install at home. And that’s only OK provided that the employee’s own machine is up-to-date, and no one’s been downloading things that they shouldn’t be, because once that PC is dialled into the VPN it’s the same as if it’s plugged into your network at work. You have to take the security of other people’s devices seriously."
Changes in the way we work will have an impact on the services we rely on. You need to make sure that your licensing can handle remote working at scale. Some licenses can take longer than others to upgrade or change, so it’s worth reviewing your licenses ahead of time, rather than waiting until you hit capacity.
“What a lot of people have found is that they usually have ten remote users, then they try to onboard 100 all at once, but the licensing on their VPN device doesn’t cover them for that. What we’ve seen across the industry is that the people who supply licenses have started to struggle because they’re waiting for distributors who sometimes take a week to process things. There’s never normally a rush and suddenly VPN licenses are at the top of everyone’s priority list."
When faced with capacity or bandwidth issues, some businesses can be tempted to take shortcuts in order to keep people working. But as we’ve already mentioned, these quick fixes sometimes undermine security.
“A lot of companies are cloud-based these days, so bandwidth isn’t as much of an issue. But if you’re giving someone a VPN connection into the office, it can be. There is a workaround to reduce bandwidth consumption called split tunneling. What that means is you tell the VPN software to send work traffic to work but normal internet traffic goes straight from your machine to the internet."
“It saves bandwidth but is also very insecure. If you’re about to add 100 users, you need that bandwidth because 100 new users will slow everything down and upgrading bandwidth can take some time. But they shouldn’t really be using something like split tunneling unless it’s part of a temporary continuity or disaster recovery scenario."
Speak to anyone who works in cybersecurity and they’ll recommend using multifactor authentication (MFA). It may take users a second or two longer to log in, but your account will be 99.99% less likely to get hacked.
“We have a simple software token that installs on your mobile device and it gives you a sixty second password you can use to log into the VPN. So even if someone gets hold of your laptop and credentials, they’d have to also steal your mobile and know its PIN to get into your network.”
Times of change and uncertainty provide the ideal environment for threat actors to make their move. Things are up in the air, security processes are disrupted and users are so busy trying to figure out how to keep working that they look for shortcuts or ignore advice.
Taking a step back, reviewing your policy, your processes, your licensing and adopting simple changes like MFA can make all the difference. Hackers look for easy targets, so even small steps can make your business a less viable target.