Among the many staff members suddenly forced to work from home last year, there’s a growing realisation they’ll be doing it for a long time yet.
While some of the heaviest restrictions brought in to battle the spread of the virus have been lifted, a full return to the workplace is not yet on corporate radar screens. Home offices, spare bedrooms, and the kitchen table are going to remain occupied for much of 2021 at least.
As a result, organisations are assessing what additional steps they need to take to ensure staff, the devices they are using, and the resources they are accessing are secure at all times. A hastily set-up VPN service is unlikely to be sufficient.
Even within organisations that are letting some staff back into the office, very few will return to the way things were before the virus. Many are looking at establishing hybrid working patterns where staff attend at different times or spend a portion of each week working from home.
Across the board, organisations will need to tackle a number of different challenges. These will include being prepared for phishing and ransomware attacks, improving the security on home networks, and ensuring endpoint devices remain protected from attack.
Enhancing security
There are a range of clear steps organisations should consider when striving to improve the security of remote workers and hybrid workplaces and those using SaaS-based applications. Some may have already been followed while others will need to be added to the mix. The steps include:
- Assume hostile threats exist: When planning remote-working security measures, make the assumption that cybersecurity threats are likely to be encountered. Methods of reducing risk for users include encrypting storage on user devices and not storing sensitive data on those devices. Security can be further enhanced by requiring the use of multi-factor authentication to gain access to centralised resources.
- Expect network threats: When using external networks that are outside of the organisation’s control, such as the public internet, be aware that users could fall victim to eavesdropping and interception. These threats can be reduced through the use of data encryption as well as the authentication of endpoints.
- Monitor for malware: It was a problem for office-based staff and remains one for remote workers, so it’s best to assume that client devices will at some point become infected with malware. Steps to take include the deployment of anti-malware technologies and network access control solutions that verify each client’s security posture before granting access.
- Create an organisation-wide security policy: Put in place a comprehensive policy that defines telework, remote access, and BYOD requirements. The policy should define which types of remote access are permitted and which devices can be used.
- Review remote access methods: Security issues can be encountered when remote workers are accessing centralised IT resources. If malware is transferred to corporate servers, for example, an attacker can then move laterally and seek out data and other resources. Ensure all remote access servers are kept fully patched and monitored by the security team.
- Place servers at the perimeter: When deploying remote-access servers, they should be located at the organisation’s network perimeter. In this way, they can then act as a single point of entry to the network and enforce telework security policy before any remote access traffic is permitted to enter.
- Secure all client devices: It’s vital to ensure that all telework client devices are secured, including desktop and laptop computers, smartphones, and tablets. Security capabilities and options vary widely by device type and specific products, so organisations should provide guidance to device administrators and users on the steps they need to take.
- Adopt a Zero Trust Approach: In summary, a security framework for mobile workers which enables users to access private applications securely, without connecting to the network on which they’re hosted, or exposing those applications to the internet. What determines the level security applies is the users and the applications they’re seeking to access and not the devices they’re using to do so, or their physical locations or IP addresses.
By following these recommendations, organisations will have a much better chance of having the levels of security required in an era of widespread remote working. With the situation unlikely to change anytime soon, making the effort now will reduce the change of problems in the months ahead.