Alexander Lewis
Cyber Assessment Services Technical Practice Lead
Over the years we’ve seen a huge uptake in companies granting employees the opportunity to work from home. In fact, 52% of workers work from home at least once every week globally. But with this increased flexibility comes an increase in potential security issues. The question remains then, how do we do this securely?
The industry has seen this challenge before, and whilst the concept is not in itself new, recent world events have raised this issue again, especially when you consider those who are in medical self-isolation, working from home over extended periods of time consistently as opposed to the odd one day a week.
The good news is, its not all doom and gloom. Here at Softcat we’ve put together some information that can help you increase your organisations flexibility, whilst ensuring the security you expect for your organisation extends all the way to your employee’s home. I’ve grouped these under THREE core topics:
Access
When working from home, or anywhere remotely for that matter, access security is hugely important. You should expect users to authenticate using multiple factors, when not on a company site. This serves a dual purpose; firstly ensuring users are legitimate – Multifactor authentication makes it harder for an attacker to gain access, even in the event the user’s password is compromised. Secondly it gives the organisation something called non-repudiation. Essentially this is a posh security term meaning: the user cannot deny it was them, which can help where trust is concerned.
Additionally encryption plays an important role, not so much in securing the user, but more the connection itself. Using some form of encrypted channel, such as a VPN (Virtual Private Network) or RDP (Remote Desktop Protocol) session can provide a level of security to the connection between the user’s home, and the company infrastructure. One word of warning here is to remember, these systems can be vulnerable – remember to keep the VPN software up to date, and ensure your organisation is using the latest RDP clients to ensure optimum cryptography.
Data
This one shouldn’t be a shock to anyone, but where data is concerned, when working from home the adage of ‘controlled access based on the need to know’ couldn’t be more important. The objective we’re looking to achieve here is not just limit what a user needs to access in order to do their job, but also limit what a user needs to access in order to do their job when specifically off site. Certain systems, network and file shares to a level of sensitivity should not be exposed to users who are not purporting from a trusted IP. The data should be secured regardless of whether directly access or sat on a relevant share.
Additionally, working from home doesn’t mean any data created during that time falls outside of the organisation, it’s classification framework and the relevant controls. Systems in place to categorise and secure data proportionally should operate regardless of the geographical location of the employee.
Monitoring
This final bit is probably the trickiest. Where possible and appropriate, when users are working away from an office location the organisation should be able to monitor the employee’s session. Both to verify the successful operation of all the above points, but also to ensure productivity. Additionally when using relevant threat intelligence and alerting systems the greater context fed into these systems, the quicker we can obtain clarity in the event of a security alert.
This can also be valuable when looking at the impact working from home has in the context of phishing, social engineering attacks and any other human interaction-based threat. Where in an office setting someone could ask a colleague if they were unsure of an email, or a link etc. in a working from home setting this is not available. Users working from home need clear guidance of the remote support available in the event they are unsure or concerned, and therein the monitoring of these users can then inform the relevant team’s investigation of the issue.
The Good News… Finally…
Whilst I said before “its not all doom and gloom” and then proceeded to point out issue after issue, the good news has arrived. In short, there are loads of good things we can do to address these challenges. Whether taking a governance based approach by writing acceptable use policies specific to working from home, a technical approach utilising VDI (virtual desktop infrastructure) or a marriage of both, Softcat can work with you to build a security solution right for the culture of your organisation, whilst maintaining your high standard of security your organisation and your clients expect.