NCSAM: Tips for Safe and Secure Remote Working
Editor’s Note: In honor of National Cyber Security Awareness Month (NCSAM) we are focusing our content on tips and best practices in the area of cyber security. With the increased use of mobile devices, cloud and remote working, users now more than ever need to consider the security ramifications of not having the proper security controls in place. Our partners at BeCrypt, who focus on enterprise data protection solutions, are well versed in best practices for securing the mobile and remote worker. In this piece, James Scott, CISSP, Senior Pre-Sales Engineer for BeCrypt, provides best practices for remote workers.
The benefits of teleworking are normally understood and recognized when a business is developing a plan to enable more flexible working, from obvious things like lower operational costs to improved staff flexibility and morale. There are also many approaches to enabling remote working, from embracing “bring your own device” (BYOD), to issuing new corporate equipment designed to better support a remote worker.
However, the number of complications and potential risks that should ideally be understood before embracing or increasing the number of remote workers is extensive. The list of key things to consider will also depend on the type of business and the style of applications that the user needs to access.
For many IT departments, the idea of expanding what is currently a well understood and supported environment into a BYOD environment that can introduce new flavors of Windows, OS X, Linux and even Chromebooks is a daunting one. When you add to that the possibility of having to support multiple types of client applications like Internet Explorer, Chrome and Firefox (not to mention versions of Java, Flash and antivirus), things can soon spiral out of control.
Because of this, it is often advisable to set a standard list of supported applications and configurations (for example, enforcing minimum browser and OS versions). However, it is key to understand and document what the official business response is when a user doesn’t have equipment that can support this, or lacks the technical knowledge to upgrade or update their personal device.
It is not just the software requirements that need to be defined. Organizations should also consider limiting the hardware they want to support and troubleshoot. Otherwise, the IT team will find themselves having to know how to deal with a never-ending list of manufacturers of printers, scanners and headsets, and even application compatibility with screen resolutions and form factors.
One of the most overlooked areas of remote working is what to do when technology fails, and who is responsible for getting things up and running again. Here are some things to consider:
- Organizations should ensure plans are in place to deal with hardware and infrastructure issues outside of the corporate network to minimize the potential downtime. For example, what would be the response (and who is responsible) should there be a major ISP issue which stops all remote access from someone’s home for a few days?
- If you are going to place the responsibility on your remote staff to have a good Internet connection, what will happen if that is not maintained?
- Does the user get the day off while their ISP looks into the issue?
- The SLAs on residential properties are unlikely to be as comprehensive as those that exist in the office, so plans need to be made to ensure work can still be done.
- Then there is the issue of data usage (assuming it is not unlimited). Does the company agree to pay for a percentage of data usage, and what happens if the user goes over a monthly data limit?
- It is also important to understand what is (and is not) being backed up, and how it will be restored.
- If the user decides to buy a new home PC, where does the responsibility reside for the transfer of any existing data and the time needed for setting up a new PC?
It is normally concerns about data privacy and protection that drive organizations looking at remote working toward remote desktops and applications as a way to secure company data and separate it from any personal use on the device. However, understanding and accepting any residual risk is very important.
Check back for part 2 in this series where James Scott provides additional best practices for secure remote working environments.