Building an effective remote working security policy
While most government organisations prefer employees to work in central offices, there have always been occasions when remote working is necessary, whether this is from a home office, a hotel, an airport or even a battlefield.
This trend accelerated during the Covid-19 pandemic, which forced organisations across the world to enable many of their employees to work from home. Industry sectors from financial services to charities, and from government bodies to law firms, mobilised their remote workforces with remarkable speed.
However, many governmental organisations and agencies had not previously contemplated such a large-scale change, nor had they put remote working security policies in place. Almost overnight, they expanded the surface area of their operations far beyond the office environment, adding potentially thousands of points of weakness in people's homes that cybercriminals could exploit. At the same time, organisations are living through an unprecedented era of cyber incidents, including high-profile attacks on Colonial Pipeline, which operates the largest fuel pipeline on America's east coast, on Marriott Hotels and on the Irish healthcare system.
Fixing the weakest links
It's often said that people are the weakest link in any IT security system. There are two broad areas of risk: disaffected employees or ex-employees who want to inflict harm on their employer, and current employees who make mistakes or are careless with corporate devices and systems. Employees in the second category have become even more of a risk because of the pandemic: remote access to an organisation's network services provides powerful and productive working opportunities, but it also exposes central IT systems to whatever happens on the remote endpoint and the network it sits on.
The point is that ever more resourceful cybercriminals will find ways to exploit emerging weaknesses, whether that’s targeting home wireless routers or IoT devices, sending fake emails relating to Covid-19 help, or even intercepting Zoom online conferences.
Introducing IT security policies
IT security is therefore of paramount importance to every organisation, and is a matter for the senior management team, not just the CISO or CIO. The potential financial and reputational liabilities faced by any business or public sector body that fails to protect corporate data can be significant, and can even pose an existential threat.
The first step towards ensuring data security is to undertake a thorough risk assessment, which determines the content of the policy. The risk assessment needs to consider factors such as anticipated threats, known vulnerabilities, and the potential severity of impact when systems or data are compromised.
An organisation can then decide on which level of policy implementation is necessary, depending on how they need employees to work and in line with requirements of customers and partners. The next stage is to establish a clear policy that must be followed by all employees when working remotely.
There are two main ways to use policies to guard against the risks posed by remote workers: strong IT governance, and employee training and guidance. To mitigate risks, organisations need a powerful blend of IT security policies and a set of rules for user behaviour.
Taking care of IT
The IT security policies that apply to home office work should start with the IT installation itself. The safest option is to use a virtual private network (VPN) that connects corporate workstations to HQ via secure portable VPN devices. The corporate workstation should be installed in a set location within the remote worker's home where only residents of that home can have unattended access. Further to that, wireless connectivity (Wi-Fi and Bluetooth) on the workstation should be disabled, so that it cannot join potentially insecure home Wi-Fi or pair with nearby Bluetooth devices and all traffic has to go through the VPN device.
Organisations should ensure that they keep their VPN equipment updated and have enough bandwidth to support variable volumes of remote workers: an overloaded or slow VPN brings its own security risks, because users who cannot get their work done through it will look for ways around it. Depending on the level of security adopted, organisations may decide that only whitelisted USB devices may be used; the risk assessment should determine the specific whitelisted/approved devices.
Organisations with a stricter policy may decide that using a USB storage device on a remote endpoint is never an option, and would include this in their policy. The same principle applies to so-called "split tunnelling", where traffic destined for the internet bypasses the VPN tunnel and leaves the workstation directly via the home network. Organisations allow this because they don't want to overload the central VPN server, or wish to save the cost of a larger-capacity VPN server. However, split tunnelling creates an unnecessary risk of data breach: the endpoint is reachable from the internet and the corporate network at the same time, corporate data can be sent out unmonitored, and whatever protections sit behind the central VPN gateway (web filtering, logging, data loss prevention) are no longer applied to that traffic.
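A policy that bans split tunnelling needs a check that proves a given workstation actually sends all its internet traffic through the tunnel. The script below is an added example, not code from the page or from Asperiq: it audits a Linux workstation running a software VPN client by parsing the output of `ip -4 route show`, doing a longest-prefix-match lookup for a few public probe addresses and reporting which ones would leave via a non-VPN interface. The route tables, the probe addresses, the VPN server address 203.0.113.10 and the assumption that tunnel interfaces are named tun*, tap*, wg* or ppp* are all constructed for the example. It deliberately handles the OpenVPN "redirect-gateway def1" layout, where the physical default route stays in place and is overridden by two /1 routes, so a naive check of the default route alone would misreport a full tunnel as split.

```python
"""Added example (not from the original article): detect split tunnelling
from a Linux routing table in `ip -4 route show` format."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: interface name prefixes used by the VPN client for its tunnel.
VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ppp")

# Public probe destinations; any of them routed outside the tunnel is a leak.
PROBES = ("1.1.1.1", "8.8.8.8", "198.51.100.7")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]
    metric: int


def _field_after(fields: List[str], key: str) -> Optional[str]:
    return fields[fields.index(key) + 1] if key in fields else None


def parse_ip_route(text: str) -> List[Route]:
    """Parse `ip -4 route show` lines; rows without a prefix are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            prefix = ipaddress.IPv4Network(dst, strict=False)
        except ValueError:
            continue  # e.g. "broadcast"/"local" rows from other tables
        metric = int(_field_after(fields, "metric") or 0)
        routes.append(Route(prefix, _field_after(fields, "dev"),
                            _field_after(fields, "via"), metric))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match; equal length is decided by the lower metric,
    which mirrors how the Linux FIB picks a route."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for r in routes:
        if ip not in r.prefix:
            continue
        if (best is None
                or r.prefix.prefixlen > best.prefix.prefixlen
                or (r.prefix.prefixlen == best.prefix.prefixlen
                    and r.metric < best.metric)):
            best = r
    return best


def is_vpn_iface(dev: Optional[str]) -> bool:
    return dev is not None and dev.startswith(VPN_IFACE_PREFIXES)


def audit_split_tunnel(route_text: str, vpn_server: Optional[str] = None,
                       probes=PROBES) -> Dict[str, object]:
    """Report which probe destinations would bypass the tunnel.

    The VPN server itself must be reachable over the physical interface
    (normally a /32 host route), so it is reported separately, not as a leak.
    """
    routes = parse_ip_route(route_text)
    leaks = {}
    for p in probes:
        r = lookup(routes, p)
        if not (r and is_vpn_iface(r.dev)):
            leaks[p] = r.dev if r else None
    server_route = lookup(routes, vpn_server) if vpn_server else None
    return {"full_tunnel": not leaks, "leaks": leaks,
            "server_via": server_route.dev if server_route else None}


# Constructed sample: OpenVPN "redirect-gateway def1" full tunnel. The two /1
# routes beat the DHCP default; the /32 keeps the tunnel's own packets on Wi-Fi.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: split tunnel, only the corporate 10/8 range uses the VPN.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, audit_split_tunnel(table, vpn_server="203.0.113.10"))
```

On a real host, feed the script the live table with `ip -4 route show` and run it from the endpoint compliance check; IPv6 needs the same treatment with `ip -6 route show`, since a tunnel that only captures IPv4 leaves IPv6 traffic split by default.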
Guiding local behaviour
Employees working from home should follow a set of rules laid out by their IT teams and mandated by line managers as well as the senior leadership team. The rules (and the consequences of not following them) should be clearly communicated and employees asked to sign up to the new terms and conditions of their employment contract.
If a portable VPN device is used to connect the home workstation to core systems, it should be switched off and disconnected overnight and whenever the employee leaves their workplace. Employees should only store and edit documents on shared corporate drives with central back-ups, and avoid keeping working copies in temporary local files.
Where there is a facility to store data or documents locally, this should only be allowed on a secure private disk with back-up copies saved to a USB stick, which is kept in a secure location and is not removed from the home office.
Employees should also be made aware that the corporate workstation is for work use only, and that nobody else should be given access. Even when leaving their desk for a short time, they should lock their computer.
When leaving the flat/house and during non-office hours employees should shut down their corporate workstation and unmount their private secure disk.
Employees should never print out confidential or higher classified information on their private printer, and if left unattended, paper documents must be locked away.
Once again, organisations may adopt different scenarios in line with changing business requirements. They could start with a maximally reduced endpoint, for example: no USB sticks allowed, local storage restricted to the bare minimum, and a maximally hardened endpoint built on a dedicated operating system, a reduced set of applications and multi-factor authentication.
In this scenario, very specific user behaviour is expected and enforced. However, if it proves too restrictive and affects employee productivity or dealings with customers, the organisation may decide to relax its security policy to a greater or lesser extent by allowing users to achieve the same outcomes in different ways.
Finally, employees should be made aware of their responsibility to inform the IT team of any irregularities or unusual requests for information. Suspicious changes to the remote access installation or environment should be communicated immediately to the Head of IT or CISO.
The way forward
With remote and hybrid working predicted to continue in the years ahead, organisations cannot take any chances with corporate data and documents. Breaches can result in anything from loss of intellectual property and data theft to malware infections and full-blown ransomware attacks.
The message for employees must therefore be that data security is the responsibility of everyone in the organisation. Without strict policies in place, the future health and success of the organisation could be under threat.
Asperiq offers next-generation technology and in-depth expertise in the field of secure remote work. The Asperiq IQN-4300 device enables portable network access at the highest security level. Quantum-proof encryption for secure remote access to HQ networks and classified files is combined with secure local data storage and centralised device management.