Posted 7th October 2020
When we first went into lockdown earlier in the year it was unknown how long for, organisations of all sizes did their best to keep businesses operational, but some of these original temporary measures carried inherent security risks. This week the government has announced revised measures to slow the spread of the coronavirus, including working from home if at all possible. These new measures "could" be in place for up to 6 months and therefore we believe each business that intends to implement or continue to utilise remote working solutions for their staff, should be now approaching this with a more long term and secure perspective.
What does a secure remote working solution need to consider?
Every business is different, so we know not every one of these items may apply to all, we also appreciate that not all businesses or roles can be undertaken from home.
Let’s start with the location of where people are working within their residence. During lockdown there were many stories of employees sitting feet up on settees, working from bedrooms or we even came across people working on the stairs due to noise and lack of space where multiple people were working from the same location.
It’s essential that to get productivity from your employee, they have a space where they can concentrate.
As your already aware DSE Assessments are the responsibility of the employer, they are still relevant with employees temporarily working from home. The recommendation to head off any claims in the future is to carry out an assessment sooner rather than later. (https://www.hse.gov.uk/msd/dse/)
Slow Wi-Fi is the bane of many households with causes from other 'Work From Home' users, streaming services and gamers competing for bandwidth through to fairly rural locations with minimal speeds available to the property. In the modern world we expect everyone to have fast internet connections, certainly fast enough for a computer device to be connected to the corporate network, but please be mindful that not all staff truly have the connection speed that they need.
If we were to quote from the Government Cyber Security standard – Cyber Essentials, "every business device should connect to the corporate network using a VPN. If there is no VPN solution in place, then the home firewall/router needs to be under management."
Seems very drastic I know, but what is the state of your employee’s home firewall, do you know if it has the default admin passwords still configured? How secure is your business data if the employees home network is compromised? To remove the complexity and cost of bringing all employees home equipment up to standard, then we would recommend using a VPN solution back to the office, some of you will have a solution in place.
Some employers will provide their employees, with a laptop, tablet and/or mobile phone.
In 2019 we increased the level of security on your devices and enabled a patch management service. Additionally, every device should have an up to date Endpoint Security solution (containing Anti-virus and Web filter as part of a tool suite).
In relation to the tablet and mobile devices, similar to patching on computer-based devices, we would recommend that the IOS (Apple Devices) or Android OS is always kept up to date. A requirement of the basic Cyber compliancy looks at the business having the ability to remotely wipe the phone, in case it is lost or stolen. It’s fair to say that this would be the case regardless of any pandemic situation.
The recommendation for all computer-based devices is to enable Windows firewall (assuming the device is a PC, not a MAC) or install a 3rd party firewall. By default, we would enable this when we configure the windows-based devices.
We would recommend that BYOD devices are generally an unwise strategy due to the lack of visibility and awareness on the security status of the personal device.
If however, you are allowing employees to use their own equipment to access your network and business data, do you know if this device is compliant? How are you controlling if it has an up to date Anti-virus or Endpoint solution installed?
For some clients, not all, they have extended the level of support to include their employees home devices. This includes enabling controlled patch management and delivering their corporate anti-virus and or anti-ransomware product to the home devices.
Is BYOD an approved strategy of the business?
Microsoft Teams is a well-established and respected collaboration tool, it is one we use at LP Networks and have found invaluable from video calls, instant messaging through to central storage of data files.
Aside from the business collaboration and efficiency elements of Teams we have used it to keep our employees’ relationships strong. From regular meetings to internal social events like our frequent quiz night are all run on Microsoft Teams. There are alternative collaboration tools that may be preferred by your organisation.
Dependent upon the employee’s equipment there may be a need to provide headphones or webcams for them to fully interact with their fellow team members, managers or clients.
Working from home has increased the risk of phishing attacks, the 'Work from Home' workforce are being actively targeted, mainly by phishing attacks. You may already be aware if you follow our security updates through the year (and now our new Lowdown newsletter)
Just a few examples of phishing...
All designed to trick users into downloading hidden software, giving out logins or maybe even transferring money or paying bills to a supposed new bank account. Indeed referring back to ‘The Environment’ section we heard of one story where a £15,000 payment was made to a scammer, using an impersonation email (a director) and the reason for the error given was ‘the house was in chaos with noise and people distracting them from focusing’ and they missed the (now obvious) tell-tale signs.
We would recommend that there are constant reminders to employees in respect of checking email authenticity. There are tools that can manage this for you, but they won’t stop the employees from their actions, therefore it’s important that all employees are trained to be vigilant of phishing and other types of user-targeted cyber-attacks.