We have seen an incredible change in how the country is reacting to the pandemic. Many organizations were originally attempting to create or solidify contingency plans “if” the need to transition to a remote workforce arose - that became a reality for a large majority of organizations across the globe. From finance and marketing to technology and education, working from home has suddenly become the “new normal” for the foreseeable future, and securing your remote workforce has become to a top concern.
In light of this rapid changing of gears, there is a pretty good chance that your own organization is not completely prepared and scrambling to implement whatever tools and solutions you can—and as quickly as possible—to ensure your workforce (and network!) remains safe and functional.
From an organizational standpoint, network security and communication are absolutely critical for successful remote working. While communication can more readily be handled in most organizations simply by using existing tools such as email, conference bridges and instant messaging and ensuring the proper protocols are in place to allow employees—especially those that haven’t previously worked remotely—to access business critical applications and documents without opening the network to vulnerabilities may not have previously been on the radar. Additionally, knowing how to maintain security when employees are working remotely looks a little different than when an entire workforce works from a single location.
First and foremost, every business needs to have a work from home security policy that ensures sensitive information receives the same level of protection on a remote network as it would on the company network—and make sure there is a mechanism in place to ensure this policy is being adhered to. Businesses using Microsoft, for example, can leverage Group Policy Settings to help prevent data breaches and make the organizational network safer by configuring the security and operational behavior of company devices through Group Policy (a group of settings in the computer’s registry).
Together with Active Directory, which organizes a complete hierarchy including which computers belong on which network and which users have access to the storage room, Group Policy Settings can prevent users from actions such as accessing specific resources or running scripts.
Mandating that remote users connect to the organization’s network using a VPN (virtual private network) and placing them behind the company firewall with the corporate security policy in place is an absolute necessity. A VPN routes a device's internet connection through the VPN's private server instead of the internet service provider (ISP) so that when data is transmitted to the internet, it originates from the VPN rather than personal computers.
Implementing—and enforcing— a mandatory VPN without the ability to split tunnel as well as ensuring that only network/system admins have the ability to override this policy provides the same level of security at the machine level remotely that the user would have when in the office. Split tunneling is the ability to direct some internet traffic to the VPN without losing access to local network devices (like printers) or public internet connections (like a hotel’s WiFi network). While this method can alleviate bottlenecks and conserve bandwidth, the VPN would then be vulnerable because it is accessible through public, non-secure networks.
In addition to ensuring employees’ connections to the internet and internal networks are secure, the security of cloud-native applications and environments is also critical. “Whether public, private or hybrid, cloud is the true enabler of a remote workforce,” says Steve Roos, Vice President, Technology and Security at TBI. “Confirm that your security policy addresses all of your cloud services, and if it does not, updating the policy to encompasses cloud services should be a high priority.”
While a Fort Knox-level security environment does not need to be constructed, particularly when attempting to build up defenses on short notice, Roos emphasizes that organizations need to ensure all cloud applications are encrypted at the application layer, and, when available, a WAF (web application firewall) is also a great layer of protection to add to your public cloud environment. A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the internet.
The cloud is typically one of the most secure methods of storage for the simple reason that the data centers are housed in facilities with strong physical protections, redundant power, and tested disaster recovery procedures. In addition, reliable cloud service providers can provide evidence of verification and frequent validation by independent auditors.
Securing Employees’ Remote Environments
Lastly, one of the top security risks with a remote workforce is simply the potential vulnerabilities of employees’ home networks. With the volume of IoT devices in the average American household—from Alexa and Google Home to security systems and appliances—there is no shortage of risks that exist to a remote worker. Something as simple as an infected file unwittingly downloaded by a family member living dormant on the network can potentially impact the organization if employees are connecting their own devices to the corporate network.
Similar to a work from home security policy, organizations should ensure that they have both a BYOD (bring your own device) policy as well as an acceptable use policy in place is a critical factor in keeping your network free from infections or attacks through an unintentional security breach via an employee’s home network.
No one’s sure what’s next for the population at large. Unprecedented numbers of businesses are mandating work from home periods from a couple of weeks to indefinitely in an effort to do their part to contain the coronavirus and keep their employees safe. So, while an organization may not have expected the sudden, critical need to not only roll out but secure a remote workforce, there are still plenty of solutions that are relatively quick and inexpensive to implement that will provide the needed security measures in short order.
That said, if you already have or are in the process of executing security protocols for your remote workforce, you would be remiss if you did not also review the current environment to ensure you are not missing any components to maintaining a safe network.
Now is a good time to revisit business continuity and disaster recovery plans. If you do not have both or have outdated plans, be advised to review or implement plans.
While the world right now is offering up a lot of uncertainties for businesses and individuals alike, some of the most important things we can do to help ease the fear of the unknown include being prepared, making plans and contingencies; maintaining clear, direct communication, and, more than anything else, demonstrating an abundance of patience and empathy toward other businesses, departments and, of course, each other.
In an effort to help businesses to communicate safely across their organization and with their customers, Tech Guidance hosted a live panel discussion on March 26th offering resources for the COVID-19 pandemic and enabling remote workforces. Click here to get a recording and the full remote workforce resources kit.