Allowing employees to work remotely is a common occurrence today, but there are issues around real-time data needs.
Business demands are rapid and pervasive these days. More and more enterprises allow employees to work remotely, and may suffer losses without the flexibility for mobile productivity and connectivity. Preparing your enterprise to provide seamless and secure connectivity for remote employees involves a variety of considerations.
What constitutes a remote employee can take different shapes and may be someone who works from home full-time, is traveling or on vacation or simply working from a coffee shop for the afternoon. Whatever your remote employee situation is, security begins in the corporate headquarters with a general operational security and security awareness culture. A properly equipped and secured workforce will build the foundation for a secure and productive enterprise.
Before considering how to securely facilitate remote or mobile employees, examine your network and security infrastructure.
The concept of “least privilege” applies whether the employee is remote or in the office. No employee should be granted access to systems, networks or data beyond what is necessary for them to perform their job. This includes executives and senior staff!
Email remains the top mechanism for most corporate communications. An email encryption policy, whether based on certificates or another encryption mechanism, will reduce the risk of sensitive communications being read by unauthorized or third-party recipients.
Any third-party services such as chat applications should provide encryption to prevent man-in-the-middle eavesdropping. Some enterprises may prefer no logging of chats or conversations for privacy issues. Others may need full logging of conversations for incident response purposes. Conversation or chat logging policies should be understood and meet the privacy needs of the enterprise.
Compromise of credentials is one of the biggest security risks to any enterprise. Having a strong password creation and change enforcement policy for all assets is still one of the best defenses against sustained unauthorized access. No user should use the same password across different assets. Some enterprises may find password managers are a good solution to minimize password reuse across more than one asset.
To further reduce the damage resulting from credential compromise, two-factor authentication (2FA) can be effective. Even if password credentials are stolen, the extra layer of security a 2FA model provides will in most cases block unauthorized access, allowing an enterprise to respond with minimal or no loss of data.
Documents and spreadsheets can contain sensitive data that, if stolen or accidentally emailed to unauthorized recipients, could cause substantial damage to an enterprise. Employ an encryption policy for securing documents with a high business impact from accidental disclosure or unauthorized access. Major office productivity applications such as Adobe Acrobat and Microsoft Office support document encryption or file classification infrastructures that enable management of sensitive document encryption for any sized enterprise.
Many organizations with sensitive proprietary information or which handle sensitive customer and other private information can suffer serious damage from a malicious or accidental insider breach. Deploying a User Activity Monitoring (UAM) or User Behavior Analytics (UBA) solution will help identify internal risks, detect fraudulent employees, alert to unauthorized transmission or offline storage of intellectual property and make incident response and damage assessment more effective.
Whatever your industry, you have data that if lost would cause serious disruption to the organization. Leverage a data protection and backup solution to reduce downtime resulting from data theft or destruction, system failures and malicious attacks such as a ransomware infection.
Your enterprise firewall and anti-virus solutions should handle the amount of traffic your enterprise will generate and seamlessly integrate and cooperate with your full security architecture. Some traditional security technologies are better than others at protecting you from cyber threats, reducing system and network latency, and interoperating with your complete enterprise needs. Consider your entire security architecture and discuss your infrastructure needs with an anti-virus or firewall vendor before investing in these expensive solutions.
Preparing for secure remote employee access
Once the foundation of a secure infrastructure and security culture is in place, managing secure remote employees will be easier.
Secure remote access generally starts with a virtual private network (VPN) solution that provides reliable uptime and flexible connectivity when shifting from one location to another. Ensuring and managing least privilege access for VPN connections is vital to ensuring access controls are in place. Also, consider the strength any VPN solution offers against man-in-the-middle or replay attacks to minimize the risk of unauthorized access or eavesdropping. Most commercial and open source VPN solutions will protect against these types of known attacks. However, selecting the wrong VPN could put your network and data at risk.
Using full disk or device encryption for any laptops or mobile devices is vital to protecting data if a device is lost or stolen. Most modern mobile phones and tablets now support full device encryption that enterprises can manage for their mobile employees. Full disk encryption for laptops and computers is integrated into most modern file systems, such as Microsoft’s NTFS file system as well as the file systems used on Mac and Linux. Plan to configure any computers used by remote or mobile employees with full disk encryption.
Beyond anti-virus software blocking malicious applications, further protection against employees installing unnecessary software might be needed. If this fits your security model, computers and laptops should be configured to prevent installation of unapproved software. A software restriction policy architecture can help prevent unapproved software from being installed on corporate systems. Additionally, consider restricting access to Google Play, the Microsoft Store and the Apple App Store to admins only.
Some enterprises should be concerned with the unauthorized use of external devices such as CD/DVD ROMs, SD Cards, and USB devices. While some of these are on the way out (e.g., CD/DVD drives), most laptops and mobile devices will support external devices that can be used for unauthorized download or storage of sensitive data or intellectual property. If external devices are an increased risk to your enterprise, consider corporate equipment that does not include these or deactivate them prior to deploying to mobile or remote employees.
If data backup for remote employees is still a concern, choose a secure cloud backup as an alternative to external drives or devices. A corporate cloud storage solution can provide secure upload, encrypted storage, and manageability by your organization.
Having too many computers for remote employees can be expensive and increases the risk of data being stolen, compromised or lost to hardware failure. To reduce the amount of costly hardware, your employees could use cloud-hosted computers that can be easily deployed or decommissioned. Leveraging cloud-based systems can be just as secure as a physical system while keeping control of corporate information and assets in the hands of your corporate IT or information security team.
Most connected employees use a mobile phone or tablet to communicate with other employees and business contacts via email, Skype, chat or other apps. Since business contacts, whether internal or external to the enterprise, may be considered sensitive, use an encryption and security policy for mobile devices to protect email, documents, conversations, call logs and contacts from unauthorized access if a device is lost or stolen. Most mobile devices now offer security profiles that can be set by your security team to provide VPN access and enforce device encryption as well as password policies. Additionally, security software can remotely destroy (wipe) all data on a mobile device once it is determined to be lost or stolen.
Customize any security model to your enterprise. Your security and mobile needs may go beyond what we discussed. Thoroughly evaluate your infrastructure and security needs internally before deploying employees remotely. Having a secure foundation for your enterprise infrastructure and deploying a well-planned model for secure remote employees will ensure minimal risk and increased security for all of your intellectual property and digital assets.