The better solution is to host company data in a cloud solution. The same protection then applies to anywhere an employee is allowed to access the cloud solution from. In my experience it usually is not the protection of business data that is the risk - the bigger risk is data that gets copied onto offline or personal devices. With cloud solutions, this can be totally restricted or specifically restricted to essential data.
Thanks, Gerhard. With regard to cloud solutions, the challenge arises when an entity does not have an appetite for storing the data in the cloud. This is especially the case for some government entities who are worried about the data sovereignty if there is no guarantee that the cloud provider will store the data within the borders of the country.
Another big issue, which may not be considered by many, is that employees may use google translator for more than one or two words. What if there’s one who translates a whole strategic document or a new concept?
That’s not made up out of thin air. I did work for a few worldwide operating companies and saw something like this several times.
I’m a project manager and risk management is part of my work. Maybe this led to me being more aware of such issues. You definitely cannot think so stupid how one or another will act. ;-) You cannot bet on common sense.
A few examples?
- Leaving the room without locking the computer (even at home) when you’re not alone
- Printing out documents for a better reading experience and than putting it into the waste bin without shredding or let the kids play with it, using it for private notes as a second use for the paper
- Doing conference calls in the garden or on balkony with neighboor being (too?) close
When you start thinking about it from the points above you’ll find more and more.
How to address these issues?
- as management: set clear expectations with regards to the (new?) work experience
- as management: create and lead a digital culture that includes regular security education
- Send out an (at least) weekly newsletter to your team/employees, which includes security tips as well as usage tips for the different tools you use for working remotely
- set up short videos featuring the security issues and increase your team awareness
Just a few ideas.
I hope I could help.
In reality, there are four specific steps that all companies need to follow to effectively protect against cyber-attacks, whether in the office or at home:
Secure your hardware,
Encrypt and back up all company data on a different device, or on the cloud,
Educate, encourage and enforce a security-centered culture,
Use a robust firewall and anti-malware and anti-virus software.
Further minimize your risk by seeking specialist help to select the best type of insurance for your company, based on the risk of attack and the financial impact of such an event.
Remote work is not an overnight decision (although the current lockdown forced us down that route). It needs to be considered very carefully and take into account I’ll the wonderful mentions in the previous posts. Governance, control and protection of the employees, processes, applications, data and the equipment used must all be considered.
Usability, performance and trust are also major considerations.
You mention the data, but don’t forget the processing of the data. If you use a proprietary application, there are license fees and other considerations to get the application to the remote worker. If you use an in-house developed application, you are probably much worse off, because that application was probably never designed to be used outside the internal network.
Each business and its environment will call for solutions that are fit for purpose for its own unique scenarios.
I’m not going to be able to give an exhaustive list but here are a few things which spring to mind:
On the “Client Side” (In a Client-Server sense of the term). 1. Endpoint Security, so Anti-virus (Anti-malware, ant-ransomware, web content protection all of those things). 2. Encryption of communication or transfer of data. OS and Application patch maintenance. 3. Wardriving / attacks against wireless infrastructure (The Wi-Fi AP). External “attacks” by which I mean attempts to gain access to network resources. 4. The Employee themselves, since they aren’t under any kind of supervision they’re free to send data, insert flash drives and use any services they may not be able to use through a corporate content filter. 5. Loss, damage or theft of equipment may be a bigger issue than it would be at an office which has physical security measure in place (Cameras, security guards, security panic services and the like). 6. Dumpster diving becomes more of an issue since the individual is unlikely to own a shredder or receive a shredding service. 7. Any sort of SIEM service and 8. configuration management service will probably be in need of attention too (SCCM or the like). 9. The home office may make use of additional equipment over which the company has no control or of which they are not aware (Additional workstations, printers and various other devices which would not be controlled by the company and which may introduce vulnerabilities). 10. The ISP connection equipment (ONT / FTTh Termination equipment, DSL router etc) is likely to be controlled by the user or by the service provider and may introduce vulnerabilities and limitations. 11. Communications services not usually needed will be needed, so perhaps VOIP Services or Video Conferencing Services (Teams, WebEx those sorts of things). 12. Employees will need to be given access to existing internal systems.
Some internal systems may not support remote access, others may require the installation of MS App Server or Citrix Service and the like.
Some of these issue will have existed in the office environment also and aren’t added by remote working, but they may need new or additional services or products which provide solutions on the small scale.
The potential solutions are:
1. Endpoint Security Suite, which included a web content filter and the usual suspects.
2 & 12 A VPN Service, preferably one which supports access to the corporate infrastructure either via a cloud service or directly over the corporate wide area network. (This introduces a few potential issues since a corporate may have multiple office locations, so resource allocation may be in need of some attention to be able to facilitate the requirements). Options exist, software based clients which run on the workstation, Java (or other) based clients exist which help to overcome some of the practical difficulties around installation and software maintenance).
3, 9 & 10 A Policy regarding Wi_Fi access (password Strength and format, interface isolation, channel isolation, MAC binding, IP Allocation and Firewalling) Which may require the purchase of new hardware and possible renegotiation of ISP Service agreements.
4. Installation of a system like Zscaler (Or a corporate Proxy and content filter) which will scan all documents sent by means other than e-mail (Nothing is bulletproof in this regard and Zscaler has it’s own issues, but solutions do exist).
5&8. A Policy about security services and Insurance, together with hard disk encryption and remote destruction features on the corporate equipment (Bitlocker or similar and policy regarding documents on non office equipment), Policy can be enforced to some degree by SCCM over VPN, but isn’t completely without loopholes.
6. Dumpster diving can be solved if the office is willing to provide shredders, or a service. The Physical Security issue may not have a graceful solution, perhaps a company contribution towards a service would be viable if , while somewhat incomplete as a solution. Perhaps a distortion of BYOD in the form of Bring your own Service (Or invoice for partial refund)
7. SIEM data streams (logs / syslog services, snmp services and the like will function over a corporate VPN service too, but may need reconfiguration.
11. A very well secured cloud VOIP Service is probably ideal, assuming they’re able to map numbers, alternatively internally controlled session border controllers and call managers, but that’ll be costly and time consuming and resource allocation will need to be considered. If the company already has solutions in place then a product like starleaf may be useful to integrate remote video conferencing clients with existing Cisco, Huawei, Polycom, Snom etc etc solutions.
This list isn’t exhaustive and is very general. there may be a host of additional proprietary considerations and this kind of thing would need to be understood on a case by case basis.
The “Server-side” (The corporate office or head office or branch) constitutes a whole new set of considerations, but most of them will have existed regardless of remote working. Off the shelf solutions will exist for the vast majority of those too. Small businesses will have different requirements and capabilities too.
One of the troublesome things about remote working is that people still need Managed IT Services, if not more than they usually do. If Engineers must travel from their homes to help employees when problems arise then pay structures may need to change and costs will change (Outsourced service providers contract or billing structures will need to change). Personal privacy may become a hotly discussed topic too, particularly since non employees will share infrastructure with work related traffic / communications.
It’s a very broad question, we could literally go on for hours.
I think the challenge is for small businesses. Big businesses will have IT teams to flex muscles. Small businesses, and remote teams will need somethign to protect them end to end. Two of our portfolio companies are targeting this. Loki (getLoki.com) is securing teams, very very simply, in a SaaS model. IDBlender another unique solution does team VPN and wifi encryption in 1. So together they are a powerful solution. Check them out if it helps!
This will mark this comment as best reply and close your question.
Are you sure?
This will close your question without a Best reply.
Are you sure?
This will report this content as inappropiate to the moderators.
Are you sure?