Remote Working for Small Organisations
The Covid-19 pandemic in 2020 accelerated the need for all organisations to consider remote or home working in ways that nothing else before it had or could have had. Previously, this may only have been considered by Small Organisations as they grew. Even then this would have been in different conditions that the ones we find ourselves in now.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
Today we're going to be looking at working remotely or from home for Small Organisations. The Covid-19 pandemic has forced employers to adapt to survive or cease operations. As it was something that was forced onto them, most organisations did so in less-than-ideal circumstances and did so very quickly. Where organisations have conducted operations abroad and travelled to meet partners and customers in person, now that type of remote working is very unlikely.
All organisations have learnt that work can continue without travelling using video conferencing tools – which have improved more since the start of the pandemic. Today's remote working, mostly means working from home rather than the office; and doesn’t involve travel or an overnight stay in hotels. So, we are exploring some of the things Small Organisations can do to not only ensure that they are secure now but that have some points of action to continue to be secure even when staff start to come back to the office and what may be required for a hybrid model.
The starting point in exploring this is to consider what changed and the impact of those changes to the security of an office-based organisation. Some of the key changes include:
- Security technologies have often been focused around the office – most organisations had not implemented many controls for remote working. This meant that they had to start considering additional controls in a very short time period, and in some cases some organisations didn’t put these in place until several months later.
- The lack of working laptops and devices – organisations had previously invested in desktops for office-based work, to they had to very quickly commission laptops or to allow staff to work from their own devices. This meant that those organisations were (even if it was temporary,) not complying with their own security policies. This was an unusual operating risk that all employers had to consider.
- Home networks are not necessarily secure - since most organisations’ security controls were all focused around being at the physical office, most never had to concern themselves with individual employee home network setups. As, staff are not necessarily technically knowledgeable to secure their home networks this was a risk that employers had to accept as part of the working from home at short notice.
- Home environment not necessarily secure - it is not only is the network not secure, but nor is the whole home environment, including the lack of shredding facilities for printed material, and the lack of physical security for work assets from any intentional and unintentional interference, etc.
- Implications for data protection - these were and have been very apparent to employers, and since all security is to be based on risk management practices, most organisations had to accept that being softer on data protection was preferable to a complete stand still. It is highly unlikely that any data protection authority anywhere will attempt to take any action for non-compliance, even if there may have been some element of gross negligence and lack of adequate consideration for data protection.
These changes had several impacts, which is what we will explore now.
These changes affected many areas of risk, for most organisations, including the following. We won’t go into much depth here as we’ll explore some of these further today and some in episodes:
- Devices for accessing work data and services - the requirements for the use of devices in the office are different from ordinary home use where many people may share devices. Further, due to not being ready, many organisations had to accept that some staff may use several devices to access the services needed to undertake their responsibilities.
- Networks - the change from everyone being on the same network in an office, to one where accessing a central point from multiple networks (and devices) made it difficult in the early stages to identify what is an authorised network connection and what is not (without the use of specialist security tools).
- Infrastructure - employee home infrastructures became part of the unknown, especially since home networks may have many unrecognised and, in some cases, compromised devices. If there are compromised devices, be it mobile devices or IoT type SMART devices (like CCTVs) they could be used to spy on traffic or attack other remote targets.
- Use of Data Sharing tools - when staff are all based on one site it is easier to share data between them using the existing infrastructure. However, for some organisations, the changed working practices necessitated the use of additional tools and services they had not previously used and staff were unfamiliar with.
- Use of Conferencing and other apps for remote working – the use of Zoom and Teams has been talked about often, as these had not been extensively used, although there has also been the use of many other related apps and services. The use of encryption in such apps was a topic that was regularly in the news.
- Physical location - the move from all staff working from a central location to having as many locations as the total number of staff had to be accepted by all employers. Organisations had no idea of how secure employees’ homes were to ensure a similar adequate level of security in every location. The reality varied from some people being in a single room accommodation to family and shared environments where work and even home schooling took place with five people all in very close proximity.
- Phishing attacks - the immediate period of lockdown saw criminals registering domain names that were later used for phishing scams. These varied from the sale of bogus PPE equipment to applying for or getting government assistance.
- Mental & physical health - the lockdown happened very fast for so many people across the world and they had to adapt to new ways of working. In many cases, as people were no longer making their daily commutes and worked in front of their computers all day, every day for several months without leaving their homes, where the only people they met were during conference calls. This has affected the mental and physical health of many people, and in some cases still not be recognised by employers.
- Job Security - many organisations have been affected by the pandemic where they have to let their employees find alternative work. This lack of job security has continued to loom over the heads of many employees around the world, where many question their loyalty to their employer.
Although there are many other areas of risk that have been affected, we focused on the most obvious ones.
The changes we’ve mentioned have had some very fundamental impacts to the way organisations operate and to the existing policies, procedures and guidance.
Selected documentation changes to consider include:
- Adherence to security and data protection policies - these will need to consider not just working from the office and whilst travelling, but when working from home on a continuous basis. Since different people have different home environments, changes in these policies must include key areas of data protection and how employees will be able to comply easily, for example, leaving confidential printed data in open view, shredding printed data, etc.
- Back-up approach – backing up data from employee devices is vital, especially as many may download data to avoid network connection problems while they are working. Depending on what is considered to be critical data for the organisation, it will need to ensure that its previous approach will not leave it any less vulnerable to attacks or losses.
- Disaster Recovery and Business Continuity planning - these may need to change, depending on where and how the data is backed-up.
- Reporting and responding to incidents - this will have to change, where the new required responses may not be so easy to test out and prepare for. Each employer may have its own set of challenges to deal with depending on their individual setup and locations of the services and staff.
- IT Support - providing remote support is vastly different from local office-based support, and will need to be reviewed in light of what is possible and the speed at which it can be provided if something goes wrong.
- Other related policies – the examples we’ve given will most likely impact other policies like Starters, Movers and Leavers Policies, and perhaps some related to human resources or employment.
Since each business is unique this is just a starting point, and organisations will find that there are probably other policies and documents that need to be reviewed and amended.
To enable safer remote and home working, there are some very simple things that organisations should ensure. We’ll cover the very obvious ones here, before we explore them in a little more detail later, these include:
- Locking Screens - the importance of the use of the lock-screen or screen saver isn’t necessarily because employees shouldn’t trust those that they live with, but often has the additional benefit of avoiding any accidents when not sitting at the device. There are many examples of employee’s children or family dropping something or pressing keys which result in data loss or changes to data. This is simple and should normally be assumed as good practice.
- Admin and non-admin accounts and logons - all devices regardless of if they are work or personal should be set up with only the required number of users and that all users only every logon as non-admin users unless they are installing software.
- Network devices - routers and other network devices should be set up securely. We cover this topic in more detail in another episode and since it is an obvious one, we will leave the details for another time.
- Network wired/Wi-Fi and network segregation - we normally recommend the use of wired connections for work activities, but realise that this isn’t always possible. This is also true for segregating the home network for the other network devices and users, but this is often considered to be too technical for most and we will cover this in a future episode.
- Device configuration - this should have already been undertaken appropriately for all work assets and equipment, and includes the automated updates for all relevant software, apps and services, especially browsers.
- Anti-malware software suite – this includes relevant internet filtering, device firewall, anti-phishing, etc. This is considered to be too obvious to consider in any detail here.
- Passwords - this includes following policy for admin and privileged passwords for every device provided to each employee, and all work infrastructure services that are being accessed remotely.
- Firewall settings - the standards relevant settings for each organisation are different and should already be implemented to ensure security on all devices.
- Admin accounts - should be protected and configured using multi-factor logons.
- Virtual Private Network (VPN) - should already be in use by organisations to protect organisation communication.
- Encryption – of data, devices, communication, etc. Should already be in use by most organisations.
Some of these involve no additional costs and should be set up immediately if they are not already in place. However, others do involve some additional costs, but are considered as basic controls.
In most cases things should not be different, because most controls should already be in place, and assuming that these are in place, special attention should be given to the following:
- Safeguarding privileged admin accounts - these include admin access to email servers and services, cloud services, back-up services, etc. They are of high value to attackers and organisations should pay particular attention to ensuring that they don’t fall into the wrong hands. This may require additional monitoring or controls to be used.
- Use of VPN - the use of such services by all employees is essential, and monitoring that the VPN is being used is important, how it is being used, and its performance and impact on users. There are many stories of the levels of service that some organisations sign up for may not be adequate for their employees to work effectively from home.
- Installation of OS and device updates - although this is something that should already be in place, it is something that should be monitored to ensure that no devices are left without updates for the whole of the period since the first lockdown started in March 2020.
- Email / phishing - since it is a fact that phishing scams have increased astronomically, it is up to employers to protect their staff from not only falling for scams, but also to protect itself from any subsequent ransomware that may get installed. Phishing takes so much employee time in keeping updated on the latest scams to avoid falling victim to them.
- Web access monitoring - using these services to help keep employees away from the latest malware, ransomware, scams and known bad sites is important to protect staff, devices and save the organisation time should anything go wrong.
There may be somethings that we haven’t listed above which are particular to your organisation, please do consider those as well as the above.
In addition to the above areas most large organisations normally have a whole range of checks that they perform on a regular bases, we recommend Small Organisations regularly check the following to ensure that things are as they should be.
- The security control mechanisms on end point devices are still working and up to date – this includes anti-malware, VPNs, web-protection, firewalls, etc. However, where the devices used are not owned by the employer, there must be a balance of what controls employees should have in place to be able to use them for work purposes; which shouldn’t be widely different from what is expected and in place for employer owned devices.
- Access to Physical buildings - who has been accessing and using the office regularly who shouldn’t have been there. This includes services that shouldn’t have been continuing while the lockdown has been in place, for example, internal window cleaning while there is no one in the office. Such activity may be a sign of an attacker and should be followed or investigated to confirm who and why access was granted. Further, this may necessitate additional controls, as existing controls may have been placed on the assumption that there would always be someone in the office during normal office hours.
- Location of assets – knowing that all un-allocated and allocated devices is one aspect of this, another is physical records being locked in their location. Further, other examples include where devices are logging in from, etc. Location of assets can cover so many things, and will be individual to each organisation and the assets in question that are of highest value.
- Network access - who and where are users logging in from, are there any suspicious or anomalous connections requiring further investigation.
- Data location and access - similar to device monitoring, it is important to monitor what data is being accessed from where, who and what devices. Attackers take advantage of the fact that during the pandemic there are many more unknown locations used to access resources.
- Sharing of data, services and devices - monitoring what data, services and devices are being shared is important to know that new shares are not being set up by attackers on one user devices to copy or remove or amend any data, configuration or devices.
- Conferencing controls and access – even though most employees are used to the idea of using conferencing facilities, doesn’t mean that they are completely in control of all the functionality. Things like recordings of important meetings could be copied or shared inadvertently, falling into the wrong hands.
- Restrict access to archived data – when employees are all based in a single office location it may be acceptable to give each team access to relevant archived data, but when they are working from home, this may not necessarily be relevant, and access should be restricted to those who need such access.
- Remote support - this is one of the most important services that employees need when working from home. However, any remote-control software that is used should only ever be provided on the individual device where it is needed and then uninstalled when the support call is completed. This is because such software can be used to attack users.
- Staff well-being - many organisations were so busy dealing with the preparations of working from home, and then playing catchup, that not many of them actually had the chance to pay attention to the well-being of the staff. Staff well-being and morale is not a cyber security issue, but is one that if no attention is paid can result and employees making bad decisions leading to vulnerabilities or compromises. Asking and listening to employees and responding to their needs have a huge impact on cyber security, because disgruntled employees have been known to cause big issues.
Again, your organisation may need other regular checks not included here, this is just a starting point.
During the Covid pandemic, employees around the world have coped amazingly well given the speed that lockdown happened for most. This list is included for completeness and in no way meant to increase the responsibilities of employees, although we believe that many of these checks are probably already considered by most.
- Physical security – theft of devices is a serious concern, not necessarily from those employees live with but any guests who may enter the home.
- Passwords – adhering to the password policy and using a password manager.
- Lock-screen - make sure it is set to no more than a few minutes before the lock is implemented.
- Network router – update firmware, there has been several vulnerabilities in routers during the pandemic, and ensure that you have changed the default admin password in line with recommended advice, as well as a separate guest network.
- Wi-Fi devices - update firmware and reset password in line with recommended advice.
- Printers and other mobile devices - update apps and firmware, drivers, and apps where applicable.
- Home devices (smart speakers, CCTV, etc.) - update firmware, and apps where applicable.
- Phishing – there are more phishing messages now than there were before the pandemic, use the guidance we have provided previously to reduce such messages getting through and where they do, they are easier to identify without having to be super alert.
- Synched and backed up data - backup all data regardless of whether you are sure that it is encrypted or not.
- Store or hold no or little local data - don’t print unless necessary, then shred, do not make portable copies unless necessary – the less you have, the less that can be stolen or lead to authorised copies.
Many employees may already be doing most of these things, if they have been ingrained as part of an Awareness Programme. However, where employees are not already doing most of these things, changing their habits to be more secure will involve a well thought our Awareness Programme.
The checks for employers and employees where some have been furloughed may include:
- Where employees are not expected to logon for any period longer than a few weeks should have the email account access changed to ensure that any urgent emails are managed so that the work that still needs to continue can do so.
- Furloughed employees VPN and other access should be blocked or changed according to the strategy. All access should be monitored and blocked, in line with other changes.
- Some organisations may feel it relevant to recall any laptops and other equipment, others may not want to do that and allow staff to use any equipment they have access to.
- Policies should be reviewed for all scenarios, firstly employees to be working from home as if they are home based workers, then to be able to return back to the office, but also the option of the hybrid approach that may end up as the reality for most office-based employees.
- Furloughed employees should be offered support and information on the phishing scams that are targeting anyone looking to make extra money due to being furloughed.
- Offer support for employees who may be living on their own or with no or little contact with others. It is important that all employers consider the mental health of employees, not just because it is possible that such things may affect their work, but more importantly because so many people are isolated and need support but won’t want to ask for it.
As employers, organisations have many responsibilities to many stakeholders, and supporting those who have been furloughed is very important.
As it is likely that most small organisations have been working from home, it is important to secure employee home networks. Many of the above tips for working remotely do and will apply if employees are having to work anywhere outside the normal office. One of the most important things that any organisation can do is to show its employees how much it cares for its employees in such unusual times.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.
Images from https://www.pixabay.com.