In the time of Covid-19, many businesses have been forced to ask their employees to work from home. As a result, the work from home (WFH) model may become a permanent alternative for many workers who can effectively complete their required tasks in their own private quarters. Whatever the benefits, the WFH solution comes with its own challenges — perhaps the greatest of which is network and data security. Every company with remote workers should follow a set of best practices for remote access security.
What Is Remote Access?
The National Institute of Standards and Technology (NIST) offers some good ideas on the subject at hand in their document “Security Concerns With Remote Access”. Of great benefit is their well-honed definition of the term remote access. According to NIST, it is “the ability of an organization’s users to access its nonpublic computing resources from locations other than the organization’s facilities” (NIST SP 800-114).
I think most of us already have a good idea of what it means to log in remotely. The reality of remote access is that the user is no longer on the campus of the business. They are dependent on the resources of their home, or a coffee shop, or whatever place they’ve chosen to sit and work. The main requirement is the ability to access any pertinent resources on the organization’s network that are part of their daily work responsibilities.
An Awareness of Security
Perhaps the most important security asset for a remote worker is a high level of vigilance when it comes to protecting the company’s IT resources. Employees should receive education and documentation on best practices for remote access security. While coronavirus precautions are in place, face-to-face or in-classroom training may not be possible. But that does not preclude the use of video chats, emails, online documents, or training videos to communicate the necessary information. That said, every remote employee must earnestly accept the responsibility of maintaining proper IT security at all times.
Road warriors learned long ago the need to secure their connections with a virtual private network (VPN). Especially important in public wi-fi environments such as cafes or libraries, a VPN will encase all your data in an encrypted tunnel as it travels through the public internet. That just means that the information is scrambled in such a way that no one can read it without the proper encryption key. Organizations often have their own VPN, but there are also commercial VPN solutions that are available for a nominal monthly or annual fee.
Antivirus and Firewall
Computers and devices provided by the company will generally come with the required anti-malware and firewall software installed and configured. But many businesses are counting on what is called bring your own device (BYOD), meaning the employee uses his own laptop, smartphone, tablet, or workstation. If that is the case, the user will need to follow the clear guidelines of the organization to install accepted security software on the device.
Because some software carries security vulnerabilities, many IT departments forbid its use on company computers. That may not be an issue if the user doesn’t have the proper permissions. But if the user has admin rights for the device, they should be aware of which applications are permitted or disallowed on company equipment.
A lost or stolen laptop with sensitive information can be a disaster for an organization — and a possible career ender for the employee. The user should not leave a company device unattended while in a public cafe or other venue. At home, the user should be careful not to let children or guests use or play with company laptops. And privately owned equipment should be guarded with the same vigilance if it’s used to access company data.
Software and Firmware Updates
Application and equipment vendors generally provide frequent updates, sometimes called “patches”, for their products. Security patches can correct vulnerabilities discovered by the vendor — but they are of no use until they are applied. Users should be sure to coordinate with the IT department regarding any required updates to software or equipment. If there is a particular schedule, such as nightly updates or occasional maintenance windows, these should be clearly communicated to all affected users.
Virtual Site Inspection
Training and documentation are a good idea, but the best way to ensure proper remote access security is for the IT department to have a look for themselves. Using a remote support method, an IT professional can log into the user’s home device and check that everything is set up correctly. It might help to have a quality control checklist when verifying antivirus, firewall, and other settings. Some IT managers may see fit to add user devices to a remote monitoring system that automatically detects and reports security problems.
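The checklist described above can be written as code so that every device is judged the same way. The following is an added example, not part of the original article: the report fields, the 30-day patch threshold, and the software names are assumptions made up for illustration, and any item the device fails to report is treated as a failure.

```python
from datetime import date

# Hypothetical policy values: the article names the categories, not thresholds.
POLICY = {
    "max_patch_age_days": 30,
    "disallowed_software": {"examplep2p", "oldremotetool"},  # placeholder names
}

# Constructed sample report, as a remote-support agent might collect it.
SAMPLE_REPORT = {
    "antivirus": {"installed": True, "realtime_enabled": True},
    "firewall_enabled": False,
    "vpn_connected": True,
    "installed_software": ["Office Suite", "ExampleP2P"],
    "last_patch_date": "2020-03-15",
}
AUDIT_DATE = date(2020, 6, 1)  # fixed so the sample result is reproducible

def audit_device(report, policy=POLICY, today=None):
    """Return (check, passed, detail) tuples; missing data counts as a failure."""
    today = today or date.today()
    results = []

    av = report.get("antivirus") or {}
    av_ok = bool(av.get("installed") and av.get("realtime_enabled"))
    results.append(("antivirus", av_ok, "" if av_ok else "absent or real-time scanning off"))
    for key, name in (("firewall_enabled", "firewall"), ("vpn_connected", "vpn")):
        ok = report.get(key) is True
        results.append((name, ok, "" if ok else f"{key} not reported as true"))

    inventory = report.get("installed_software")
    if inventory is None:
        results.append(("software", False, "no software inventory reported"))
    else:
        banned = sorted(policy["disallowed_software"] & {s.lower() for s in inventory})
        results.append(("software", not banned, ", ".join(banned)))
    last = report.get("last_patch_date")
    age = (today - date.fromisoformat(last)).days if last else None
    ok = age is not None and age <= policy["max_patch_age_days"]
    results.append(("patches", ok, "" if ok else f"patch age (days): {age if age is not None else 'unknown'}"))
    return results

def failures(report, policy=POLICY, today=None):
    """Names of the checklist items this device fails."""
    return [name for name, ok, _ in audit_device(report, policy, today) if not ok]

if __name__ == "__main__":
    for name, ok, detail in audit_device(SAMPLE_REPORT, today=AUDIT_DATE):
        print(f"{'PASS' if ok else 'FAIL'}  {name:<10} {detail}")
```
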
Any computer devices that employees use for business while outside the office should remain under regular scrutiny. Accessing confidential company data from a remote device significantly increases security risks, and can cause considerable problems for both the worker and the organization. IT managers must ensure that both IT support personnel and remote users are fully aware of the best practices for remote access security, and that they are strictly followed. Even after the coronavirus crisis has passed, the same care should be taken whenever handling company data in the capacity of a remote access employee.