Cyber security and remote working

Hybrid working or full remote working arrangements are the norm now, so here are some suggestions for keeping your organisation running smoothly.

Non-technical mitigations for business continuity

Protecting information

Make sure that users know whether they can print when out of the office and, if they are permitted to do so, how to securely dispose of any sensitive documentation they print off. For example, using a cross-cut shredder may be acceptable while putting confidential documents in a recycle bin at home may not.

Update crisis plans

Review your business continuity and disaster recovery plans. Are there key personnel who must have corporate devices and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choosing not to deliver all services all the time.

Contractual agreements

Check client contracts to confirm whether remote working is permitted and under what conditions—this will be relevant if your staff are embedded on a client site or your team are working with sensitive client data on your own site. If working from home is specifically excluded, talk to clients to develop appropriate acceptable working practices for the duration of the COVID-19 season.

Technical mitigations

Multi-factor authentication

Make sure that you have implemented two-factor authentication (2FA) for all users, and that they all know how to use it. This helps mitigate the risk of having unauthorised users accessing systems remotely.

Patching

Make sure that all devices (company or personal) have been patched and have antivirus software installed, active and up to date. Ideally use Application allow listing, which is built in to Windows. Importantly, ensure your remote access solution itself is kept up to date.

Check for vulnerabilities

Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties and helps ensure remote access for legitimate users is maintained.

User support

It is also important to consider user support issues; for example, should employees need to print from home on devices outside of your normal printer fleet how would you facilitate the installation of drivers? Or manage job storage on personal printers.

Make sure you also consider the implications of requiring staff to use their home internet connection for work, including whether it is fit for purpose and how to handle technical issues with that connection. Consumer internet support tends to be considerably worse than business-grade internet.

Additionally, ensure that portable devices have appropriate firewalls to protect them from other devices on untrusted networks.

Stress testing

Consideration should be given to stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to improve the capacity of the remote access solution for the duration of this period while your network is experiencing higher numbers than usual of remote users.

Some organisations have chosen to split mass home working into groups, e.g. 50% of the company works from the office one week and the remainder from home, then the next week they switch over. Does your remote access solution have sufficient licences for mass remote working? Some solutions give short time licence over-use, but this may only be for a few days or a week.

Mitigations for Bring Your Own Devices (BYOD)

Cyber security is even more important if your organisation permits employees to use their own devices. Staff using their own devices bring about a number of other cyber security risks, such as sensitive data leakage and lack of central control.

To mitigate the risks around employees using personal devices:

• Make sure employees’ machines are updated to the latest operating system and security update.
• If you allow BYOD to be connected to corporate networks consider enforcing Network Access Control or limit the machines to a segregated wifi network.
• Make a risk-based decision on whether non-corporate devices can be used if they do not have full disk encryption installed.
• Consider granting a temporary waiver for these extraordinary times, but beware of GDPR and requirements for company certifications, e.g. Cyber Essentials and ISO 27001.
• Issue users with temporary corporate devices even if the device may not have the full specification the user is used to.

As with nearly all cyber security responses, it’s your people who have the most influence over how smoothly your organisation copes with disruptions, such as enforced large-scale remote working. Good communications are key – every individual should be asked to confirm that they understand what’s happening and why, and commit to identifying potential problems early rather than in a last-minute panic. Some people will have to come to grips with applications and working techniques that they either haven’t encountered, or haven‘t bothered with up until now. In this sense, remote working could even be a positive in illustrating how the right technology (and behaviours) can keep us resilient in the face of this type of challenge.

If you need assistance with your cyber or information security measures, please contact us.