Will we ever return to our offices in the same way?

COVID-19 has forced workplace exodus all over the world. How can organisations stay productive and safe at this time? Tony Anscombe, ESET We Live Security shares some advice
Will we ever return to our offices in the same way?

In the rush to provide remote access, don’t sacrifice cybersecurity or the ability to manage systems and devices.

THE coronavirus (Covid-19) outbreak has officially been categorized by the World Health Organization (WHO) as a pandemic, meaning infection is accelerating in multiple countries concurrently.

For modern tech companies, the infrastructure and policy needed for remote working are unquestionably already in place and the vast majority of staff members are probably already laptop users.

For many smaller companies and organisations, however, the situation is likely to be very different. Remote working is probably limited to a few, and realistically mainly for email and other non-operational systems.

In order to be productive, there are common requirements that all remote workers need. As someone who has worked remotely for the majority of his working life, I can attest to the last two:

  • A computer
  • A good internet connection
  • Chat and conferencing applications
  • A dedicated workspace (preferred)
  • Optionally, a phone
  • Self-motivation and discipline
  • A strict routine

Why is the phone optional? In today’s environment it may not be necessary, especially as most chat applications allow direct calling. The need for a phone may be a business requirement rather than an essential device.

Importantly, companies and organisations also need to prepare themselves and their employees for the increased cybersecurity risks associated with remote working. What are some of the challenges that may need to be addressed?

Physical security of company devices

Employees will be exposing company devices to greater risk as they leave the safety and security of the workplace. Devices need to be protected against loss and theft with options such as:

Full-disk encryption ensures that even if the device falls into the wrong hands, the company’s data is not accessible.

Log out when not in use – both at home and in public places. An inquisitive child accidentally sending an email to the boss or a customer is easily prevented, as is limiting the opportunity for someone to access the machine while your back is turned in the local coffee shop.

Strong password policy – enforce passwords on boot, set inactivity timeouts, and ban sticky notes with passwords on them: people still do this!

Never leave the device unattended or on public display.

What’s in the home technology environment

Ask employees to audit their own home environment for vulnerabilities, before connecting work devices. There are continual disclosures regarding vulnerable Internet of Things (IoT) devices, and this is an excellent time for employees to take action on securing them with strong passwords and updating their firmware/software to the latest versions.

Consider promoting, or even mandating, the use of a connected home monitoring app before allowing work devices to be connected to home networks. The scan or monitoring will highlight devices with known vulnerabilities, outdated software or firmware, or default passwords that need to be changed.

Accessing the company network and systems

Establish if the employee needs access to the organization’s internal network or just access to cloud-based services and email. And take into consideration whether the same level of access to sensitive data enjoyed on-site should be granted when the employee is off-site.

If access to the organisation’s internal network is needed:

I recommend this is only achieved from an organisation-owned device so that full control of the connecting device is under the management of the technology security and IT team.

Always use a VPN to connect remote workers to the organisation’s internal network. This prevents man-in-the-middle attacks from remote locations: remember that since you’re now working from home, the traffic is now flowing over public networks.

Control the use of external devices such as USB storage and peripheral devices.

Allowing access to email and cloud services from an employee’s own device:

Enforce the same endpoint security policy for antimalware, firewalls, etc. as with an organisation-managed device. If necessary, furnish the employee with a license for the same solutions used on the organisation-owned devices. If you need extra licenses, then contact the provider. They may have solutions to cover you through this unprecedented event.

Limit the ability to store, download or copy data. A data breach can happen from any device that contains sensitive company data.

Consider the use of virtual machines to provide access: this keeps the employee in a controlled environment and limits the exposure of the company network to the home environment. This may be more complex to set up, but could be a superior longer-term solution.

Multifactor authentication (MFA) ensures that access, whether to cloud-based services or full network access, is by authorised users only. Wherever possible, use an app-based system or physical hardware token to generate one-time codes that grant authenticated access. As there may be time pressure to deploy a solution, an app-based solution removes the need to procure and distribute hardware. App-based systems provide greater security than SMS messages, especially if the device used to receive the codes is not an organisation-managed device and could be subject to a SIM swap attack.

Collaborative tools and authorisation processes

It may seem strange to put these two items under the same heading, but one can help prevent issues with the other.

Provide access to chat, video and conference systems so that employees can communicate with each other. This provides the productivity tools needed and helps employees to remain social with their colleagues.

Use the collaborative tools to protect against unauthorised instructions or transactions. Cybercriminals will likely use the opportunity of remotely located workforces to launch Business Email Compromise (BEC) attacks. This is where a bogus urgent demand is sent by a bad actor, asking for the urgent transfer of funds, without the ability to validate the request in person. Be sure to use video conferencing/chat systems as a formal part of the approval system so that validation is made “in person”, even when remote.

Training

There are numerous COVID-19 scams in circulation, leading to face masks, vaccines, and disinformation. When employees are relocated out of the workplace and placed into the more casual, they may consider clicking on links.

Cybersecurity awareness training is typically an annual requirement for employees. It would be prudent to offer a refresher to help avoid the human element that cybercriminals attempt to exploit.

Support and crisis management

In the rush to provide remote access, don’t sacrifice cybersecurity or the ability to manage systems and devices. The ability to support users remotely will be essential to ensure smooth operations, especially if users become quarantined due to health concerns. Remote workers need to have clear communication protocols for IT support and for crisis management if they encounter unusual or suspect issues that could be the result of a breach.

There are, of course, additional considerations from a technology perspective; for example, removing or limiting the use of RDP, as detailed in a recent blogpost by my colleague Aryeh Goretsky.

Beyond technology and functional processes, there are other key factors to effective remote working:

Communication – Consider having team calls once per day, brief people on the status, and give everyone the opportunity to share experiences and issues.

Responsiveness – Establish clear guidelines of how quickly a remote worker is expected to respond to a request depending on the communication type, email etc.

Reporting – Line managers need to implement procedures that allow them to ascertain whether the remote workers are getting the job done: mandatory group meetings, team collaboration, daily/weekly/monthly reports.

Working schedule – Agree a method of clocking on and off.

Health and safety – Working from home does not remove the responsibility to provide a good working environment.

Liability – Ensure coverage for the company assets while in the employee’s possession.

Tech support – Distribute the contact details: all remote workers need to know how to get help when needed.

Socialisation – Bring remote workers together, particularly virtually. Consider a buddy or mentor scheme so that every employee is paired and can problem solve, vent, share or socialize virtually.

Accessibility – Establish a virtual open-door management policy, just as there is in the office. Make sure people are accessible and can be easily engaged.

Don’t assume that all employees can switch to remote working effectively and with little assistance or guidance.

Philosophically, the world may never be the same again as this mass remote working mandate could prove to be a social/work experiment that few companies would have ever undertaken on such a scale. Will we ever return to our office in the same way?

Stay safe — and healthy!

More in this section

Sponsored Content