According to ONS research conducted in 2018, 13.7% of the UK workforce work remotely, that’s 4.4m people and the number is only set to increase, with some predicting that the figure could be as high as 50% in 2020.
There are a several reasons for this increase: the availability of technology, geographically remote teams, the productivity benefits, the growing need/want for flexible working options, the reduced costs that come from not having a physical office location, even the urgent need for remote working when faced with a developing public health situation.
Whatever the reason, or reasons, companies thinking of adopting remote working need to consider information security.
At Pentest, not only are we information security experts, we can also operate 100% remotely, so what would we advise based on our security expertise and our experience of remote working?
Whose kit are you going to use?
Technology costs money and one of the key questions when it comes to remote working is, do you have enough laptops and phones to support your workforce?
In answering this question, companies can take three potential routes, each has their own considerations/cost implications and it is important to remember that not all routes may be applicable to every business, this could be due to factors such as industry regulation.
Option 1 – Full corporate ownership
This is where the company provide IT kit such as a laptop and a phone (or a headset with microphone and voice communication software) to their employees. The key here is control and the company oversee the sourcing, build and usage of any such device.
This comes at the cost of hardware and for IT to build and ship devices to employees.
Option 2 – Full employee ownership
Implementing ‘Bring Your Own Device’ (BYOD) as a policy enables people to work from their own personal devices. Taking this approach requires significant work to achieve securely because the device is not a corporate asset. Employees would have to volunteer to use their devices and you could face legal and privacy concerns when doing so.
For example, what happens if you decide it is best to install a corporate anti-virus and data loss prevention solution on a personal device. The employee can refuse to install either on the grounds that personal files could be accessed or uploaded for inspection.
Also, what process will be followed to reimburse staff for work calls made from personal mobile phones and how to ensure the individuals privacy in a situation where you ask for their call statement?
Option 3 – Hybrid approach
Accessing work resources from a personal device can be a minefield, but the cost of buying laptops can also be prohibitive. In this case you may want to consider providing users with bootable USB drives which contain a secured operating system configured by IT. The employee would need to boot into this to work and would be unable to use their personal files during the workday.
This solution takes advantage of the CPU, Network, and memory of a personal device while leaving the data on the hard disk untouched, therefore nullifying any privacy concerns.
The business will retain control because IT would have to source and configure the bootable devices and the cost of hardware will be reduced to that of a decent sized USB hard disk/pen drive.
Setting a gold standard
If you are going down the full ownership approach or the hybrid approach, then you will want to be confident that your build image is as secure as possible, a gold image as we call it. That means that all subsequent builds will be to the same standard and you can avoid potential issues further down the line.
Imagine a scenario where laptop builds are based on an insecure gold image, that could mean 100’s of devices now being potentially vulnerable and the cost of patching the things once shipped could be significant.
So, make sure your gold image is up to standard (a build review can help here) before you install it on all devices.
Where is your data hosted?
What data do users need access to when completing their jobs and where is that data hosted? Is it on an internal network or is everything stored in the cloud? Understanding where key data resides is fundamental to planning what software and security measures you need to provide to give users remote access.
If things are internal you 100% need to install a VPN. There are open source solutions such as “openvpn” which can be configured quickly and offer good encryption, or there are always good commercial alternatives which come with support.
If something needs to happen super-fast. Then consider relocating data to the cloud. This makes it remotely accessible from any location. While this can be done rapidly, it is also important to ensure it is done securely. We recommend enabling 2FA for access to resources this way as a minimum. You may also want to consider a full security review of your cloud services.
Enabling remote communication
The most important part of working remotely is communication and it’s vital that staff are contactable when at work. But being contactable isn’t the only concern, you also need to ensure that staff don’t feel socially isolated from the rest of the organization. Nobody wants to miss out on any key business information or even those vital water cooler chats.
There are several options available to organizations to achieve these goals, from phones through to online instant messaging tools. Whatever you choose, there are security and social considerations that need to be thought through.
For cell phones, the key security issue is device control, a device management solution can help you here and will allow you to manage devices securely whilst providing flexibility to the remote user.
When it comes to instant messaging services, there are a myriad of options available that will help your team collaborate remotely (think Slack/Microsoft Teams/Mattermost etc..). Security should be high on the agenda here as conversations may be confidential in nature. Therefore, companies need to consider providing connection over VPN to help tighten security.
There’s also the social side to instant messaging services and tools can often benefit professional relationships and organizational culture. When it comes to the social side of things it’s important to set out the ground rules/expected standards early on and it’s always beneficial to provide an area where employees can discuss topics that aren’t related to the organisation.
Schedule regular team calls to ask how things are going and if anyone needs help. An agenda favoured by us is:
- What are you working on?
- Are there any blockers preventing you?
Anyone used to an agile morning stand-up meeting should recognize this. It is short and punchy, but it helps people stay in touch. Given our business, we are frequently working on different projects entirely so this cohesion is vital. We often go further because someone listening on the call steps across and helps when necessary.
Enabling remote collaboration
Collaboration is another important aspect of remote working and you will want to enable your workers to collaborate with each other, in real-time, even if they are at opposite sides of the world.
SharePoint in Azure and Google drive are some of the most popular solutions for this, but whatever solution you choose always be mindful of security. Passwords is a key issue here and you will want to ensure that employees are using complex, as well as unique passwords, you will also want to ensure privacy settings are in place, and robust, ensuring that documents aren’t publicly available.