The pandemic has forced an increase in the number of people working remotely and working from home. There is a considerable discussion right now about whether this is a permanent state of affairs, but whatever happens, right now, IT needs to consider the implications for data security and the protection of corporate information and intellectual property.
Add BYOD to the mix, and the situation becomes even more complicated.
It must be clearly understood that security is not just an IT issue, it’s everyone’s concern. IT can provide the tools to enhance security measures, but ultimately it is up to the end-user to make sure that security is enforced.
There are two basic types of remote workers, the road warriors, and those who have in effect moved their office desk to their homes. There are issues specific to each, and some common to both.
The common problem here is remote management of the device that the user connects with. It is probably a BYOD smart device like a tablet for a road warrior and a home desktop for a work-from-home user.
The first issue is local storage. There is probably some sign-on information and some data held on the device, report drafts or emails for example.
If a device is lost or stolen, or the employee leaves the company, there is a risk that information could be compromised. IT must be able to remotely clean the device, perhaps set it back to factory settings in the case of a smart device. Many major brands of smart device have a facility to allow this, but there could be an issue with some of the more exotic brands with tailored functionality.
A home desktop is slightly different in that it is probably a family desktop, used for many other purposes than work. Simply taking it back to the bare operating system is not an option here. However, that does not prevent the user from copying corporate data onto removable media or sharing it with another user profile.
An option is to hold corporate data centrally and not allow it to be downloaded to the home computer. Most network systems can support that environment.
Road warriors have been around for a while, linking up via public WiFi services and cellular connections. WiFi has become common in public spaces, such as malls and hotels. Some municipalities have made WiFi a public resource.
The security needs are pretty much sorted, being a secure VPN and authentication credentials to allow them to use corporate systems and data. A common danger is a man-in-the-middle attack, where a hacker jumps into the link between the user and the corporate systems, and copies credentials for their later use. They may also load malware onto the user device.
As discussed above, IT needs remote access to the device to ensure the security of corporate data if the device is lost or stolen or the employee leaves the organization.
In their turn, staff must be careful when surfing the Internet and working with email. Phishing attacks are increasingly common, as is the use of remote access to install malware on corporate systems.
Working from Home
In most domestic environments, the home desktop is a multi-purpose device used for different purposes. It could be a games machine, a communications machine to video-call friends and family, a research machine for school projects, and a work from the home machine. The danger here is that malware introduced in one environment affects the others. Also likely are malfunctioning backup and anti-malware environments.
All these factors represent a serious security threat.
Two things must be put in place. As set out above, a separate user environment is needed to support home working, with distinct authorization credentials and storage space. It might be advisable to prevent downloading from corporate servers to the desktop, although interim and draft material will be stored locally.
Again, the user must be vigilant to avoid phishing attacks.
Working from Home and remote Working have brought additional security concerns, but these must be addressed at a corporate level. It’s not just IT.
IT must have remote access to the desktop to ensure that anti-malware and connectivity defences are in place, running and up to date. They must also be able to remove the work environment and it’s associated data.