Because of the Covid-19 pandemic, in these last two months more than ever before, businesses have had to equip themselves so that their staff can work remotely ("smart working"), which in most cases raises security issues.
For modern IT companies, infrastructure and security policies for remote work are undoubtedly already in place and the vast majority of business managers have long been users of laptops.
But for many smaller organisations and businesses, the situation is very different. Remote work is probably limited to a few people, mainly for e-mail and other specific applications.
Remote work and security: the example of schools
The school world is a good example: universities have long offered distance learning, while high schools still depend on staff and students being able to go to the classroom for lessons. School administrative offices must also be considered, as their staff are unlikely to be mobile workers or to use laptops.
Dividing an organization into a few groups with different needs and addressing each group's requirements in order to carry out a mass exodus may seem a simplistic approach, but it is probably essential given the urgency of these weeks.
Staying with the school sector as an example, there are students (customers), teachers, administration and operational offices. The school certainly cannot function without significant commitment from students, teachers need video conference facilities and administrative teams need access to the network: these are the minimum requirements.
Basic tools and functions
According to Tony Anscombe, Eset Security Community Global Security Evangelist & Industry Ambassador for production, there are basic tools and features that all distance workers need.
They are: a computer; a good internet connection; chat and conference applications; a dedicated workspace; optionally, a phone; self-motivation and discipline; and a rigorous routine.
Why is the phone optional? In the modern economy it may no longer be necessary, not least because most chat applications allow direct calls. A phone may be a business requirement rather than an essential device.
It is important to stress that businesses must prepare themselves and their employees to manage new cybersecurity risks associated with distance work.
We asked Anscombe, as a security evangelist, which challenges might need to be addressed.
Physical security of business devices
Employees will expose the company's devices to greater risks once they leave the safety and protection of the workplace. In addition, devices must be protected against loss and theft with options such as:
Full disk encryption ensures that if the device falls into the wrong hands, the company data is not accessible.
Disconnect when the device is not in use. A curious child accidentally sending an e-mail to the boss or a customer is easily avoidable, and this also limits the chance of someone accessing the system while you are distracted talking to someone.
Strict password policies are needed: enforce passwords at boot, set inactivity timeouts and ban sticky notes with passwords written on them (people still use them!).
Never leave the device unattended or exposed to the public. If it is in the car, it should be locked in the trunk.
What is in the home environment
Employees should be asked to check their home environment for vulnerabilities before connecting business devices. There are various reports about vulnerable IoT devices, and this is a great time for employees to protect theirs by setting secure passwords and updating the firmware/software to the latest versions.
Consider promoting or even requiring the use of a home monitoring application before allowing business devices to connect to home networks. Scanning or monitoring will highlight devices with vulnerabilities, outdated software or firmware, or default passwords that need to be changed.
Access to the network and business systems
Determine whether the employee needs access to the organisation's internal network or simply access to cloud services and e-mail. Also consider whether the same level of access to sensitive data that is granted on the premises should be granted when the employee is out of the office.
For Anscombe, if access to the internal network of the organisation is necessary, then you should:
Recommend use only from a device owned by the enterprise, so that full control of the connection device is under the management of the security and IT team.
Always use a VPN to connect remote workers to the internal network of the organization. This prevents 'man-in-the-middle' attacks from remote locations: remember that, since staff are now working from home, traffic travels over public networks.
Check the use of external devices such as USB storage devices and peripherals.
To allow access to e-mail and cloud services from an employee's own device, you need to:
Apply the same endpoint security policy for antimalware, firewalls, etc. as on a device managed by the organization. If necessary, provide the employee with a licence for the same solutions as used on the devices owned by the organisation.
Limit the ability to store, download or copy data. A data breach can occur from any device that contains sensitive business data.
Consider the use of virtual machines to provide access: this keeps the employee in a controlled environment and limits the exposure of the corporate network to the home environment. This may be more complex to configure, but it could be a superior long-term solution.
Multi-factor authentication (MFA) ensures that access to both cloud-based services and the full network is granted only to authorised users. Where possible, Anscombe says, you need to use an app-based system or a physical hardware token to generate one-off codes that ensure authenticated access. Since there may be little time for implementation, an app-based solution eliminates the need to obtain and distribute hardware. App-based systems provide greater security than SMS messages, especially if the device used to receive codes is not an organization-managed device and may be subject to a SIM swap attack.
Collaborative tools and authorisation processes
It may seem strange to put these two elements under the same heading, but according to Anscombe one can help prevent various problems.
Providing access to chat, video and conference systems so that employees can communicate with each other provides the necessary productivity tools and helps employees stay in touch with colleagues.
Use collaborative tools to protect against unauthorised transactions: cyber criminals will take the opportunity to target employees who work remotely with Business Email Compromise (BEC) attacks. In this case, an urgent request is sent by a false sender, demanding an urgent money transfer, without the possibility of validating the request in person. Therefore, it is always necessary to ensure that videoconferencing/chat systems are used in the formal approval phase, so that validation can be done in person, even at a distance.
Culture and security training
Unfortunately, there are numerous COVID-19 scams in circulation, and when employees work outside the workplace they may be more inclined to click on the various links they receive, because they have no colleagues around who could watch them watching a fun video or consulting a specific
Training and awareness-raising in the field of cybersecurity remains key for employees. We recommend appropriate training updates before people start smart working, to prevent cyber criminals from exploiting employees' emotions.
Crisis management and support
In the rush to provide remote access, you must never sacrifice computer security or the ability to manage systems and devices. The ability to support users remotely will be essential to ensure unhindered operation. Distance workers must have clear communication protocols for IT support and crisis management if they encounter unusual or suspicious problems that could be the result of a breach.
The ten key factors of safety in smart working
In addition to technology and functional processes, there are ten other key factors for effective remote work. Anscombe lists them:
Communication: consider holding a group video call once a day, informing people about the situation and giving everyone the opportunity to share experiences and problems.
Reactivity: working at a distance is not the same as working in an office environment. Establish clear guidelines on how quickly a remote worker must respond to a request, depending on the type of communication: e-mail, calendar invitations, etc.
Reporting: line managers must implement procedures that allow them to ascertain whether remote staff are carrying out the work: mandatory group meetings, group collaboration, daily/weekly/monthly reports.
Working hours: agree on a way of starting and ending the working day, perhaps with a simple group "good morning" when you start and a group video call at the end to wish everyone a good evening.
Health and safety: should the office's ergonomic keyboards be taken home to give employees the same comfort? Working from home does not eliminate the responsibility for ensuring a good working environment.
Liability: ensure that the company's assets are covered while in the possession of the employee.
Technical support: distribute contact details; all remote workers must know how to get support if needed.
Socialization: bring remote workers together, in particular virtually. Social interaction is an important part of motivation and increases productivity. Consider a matching or mentoring program so that each employee is paired with a colleague to whom they can turn to solve problems, vent, share or socialize virtually.
Accessibility: establish a transparent virtual management policy, just like in the office. Make sure people are available and can be easily involved.
It should not be assumed that all employees can move to remote work effectively and with little assistance or guidance. Home is not the office, and employees may need significant assistance to adapt.