While the Covid-19 situation is changing rapidly, companies need to prepare for any eventuality. For IT departments, this means that, at any moment, any number of staff might be required to stay at home for a period of quarantine or self-isolation at very short notice.
Where appropriate, companies ought to consider how they can keep their employees productive if they can’t come into work for a few weeks.
In many cases, a remote working setup might be the holy water that keeps your business afloat, should the situation become much more grave in your neck of the woods.
We know of companies that already have remote working policies and even welcome (in the loosest sense of the word) employees bringing their own devices, known as Bring Your Own Device (BYOD).
There is usually a spectrum of scenarios that need to be considered to allow people to do their job out of the office. Requirements are different for different teams: some designers need access to powerful systems and large screens, while others might be comfortable with laptops but have never logged in from outside the network.
There are of course IT security concerns regarding remote working, most significantly when employees want or are expected to use their own personal computers, but there are many considerations when providing company IT kit as well.
IT will be mandated to optimize working conditions without negatively impacting the network or screwing up the integrity of data or the authentication process. As work today depends on instant digital communication and real-time file collaboration, these can be serious challenges for businesses that might be forced to pull together a remote working policy during a crisis.
Here are a few things that you’ll need to consider. It’s not going to be an exhaustive list because much of it depends on your line of business, your industry and its guidelines, and your setup.
Consider this: If your company makes widgets, and Shirley who operates the Widgetomatic 9000 needs to self-isolate, then the problem of whether the Widgetomatic 9000 can be put on a low-loader, delivered to Shirley’s apartment block and shoe-horned into the service elevator is a problem for someone else to look into.
5 Things to do right now
1 Configure computers for remote working
It’s likely that even in the event of staff having to self-isolate, they will be able to receive deliveries, so it should be possible to ship a desktop computer to them. Preparation for this includes reconfiguring the networking and VPN (if needed), installing Mobile Device Management (MDM) software and ensuring the anti-malware software can update. If you already have remote workers, then you should have a template for an effective home setup.
It might also be worth having a few people from different departments perform a test run by taking their kit home: can they connect to the network, log in to their various accounts, access files, etc.?
One great advantage of people having their work computers at home is that if the office is suddenly empty, there’s a lot less tempting hardware sitting around for ne’er-do-wells to consider stealing.
2 Beware “Shadow IT” and enable true home working
If people are told to work from home but aren’t given straightforward access to the files they need, they will tend to find a way to share data with other people in ways that decimate the integrity of your security policy. It is so easy to set up a Google account to use Google Drive; many people will even use their company login credentials (and the associated password) for ease of setup.
If you cannot or will not provide a VPN for people to access the internal network, then at least consider another enterprise solution which is secure and where the license agreement means you still have control and ownership of the organizational data. OneDrive/SharePoint, G-Suite and even Dropbox Business are a whole lot better than whatever random file-sharing site popped up at the top of someone’s Google search.
3 Make sure your IT Security Policy and compliance rules are clear and understood
It is even more important that people read and understand the security policy when their location and behaviour are about to change. It could be even harder for users to remember to lock their screen when they leave their desk. Some might give in to family members’ pleas to use the device for non-work activities. Before employees are allowed to work remotely, they should have been trained on the security rules and understand them.
And compliance doesn’t go away. Like spilling a cup of coffee on your desk, data can spill everywhere very quickly. Consider downloaded emails, printed spreadsheets and the backups that the thoughtful and diligent home user has now set up on their external hard disk.
4 Use BYOD as a last resort
If you absolutely have to consider BYOD, then at the very least you will need proof (a screenshot will do) of the following:
- A clean non-admin user account set up for work use only;
- An up-to-date operating system and security patches, and updates set to automatically apply;
- Good anti-malware software – it might be easier just to get a license for the enterprise software;
- Hard disk encryption, such as BitLocker or FileVault;
- A clean malware scan and the setup of automatic daily scans.
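As an alternative to screenshots, the five items above can be collected in one pass on a Windows PC. This is an added example, not part of the original article; it assumes Microsoft Defender is the anti-malware product, that the device owner runs it once from an elevated prompt, and that the work account is named `work` (a hypothetical name). macOS and FileVault are not covered.

```powershell
# Added example: gather BYOD checklist evidence on a Windows 10/11 PC.
# Assumptions: run once from an elevated prompt by the device owner; Microsoft
# Defender is the anti-malware product; 'work' is a hypothetical account name.
param([string]$WorkUser = 'work')

# Item 1: the work account exists and is not in local Administrators.
# S-1-5-32-544 is the well-known SID, so this works on non-English systems.
$account = Get-LocalUser -Name $WorkUser -ErrorAction SilentlyContinue
$admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' |
           ForEach-Object { ($_.Name -split '\\')[-1] }

# Item 2: most recent installed update, and automatic updates not disabled
# by policy (NoAutoUpdate = 1) or by disabling the Windows Update service.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
$auPolicy  = Get-ItemProperty -ErrorAction SilentlyContinue `
             -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$autoUpdate = ($auPolicy.NoAutoUpdate -ne 1) -and
              ((Get-Service -Name wuauserv).StartType -ne 'Disabled')

# Items 3 and 5: Defender protection state, scan history and scan schedule.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference

# Item 4: BitLocker state of the system drive (needs elevation).
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive

# One JSON record the employee can send to IT in place of screenshots.
[pscustomobject]@{
    Collected           = (Get-Date).ToString('s')
    Computer            = $env:COMPUTERNAME
    WorkAccountExists   = [bool]$account
    WorkAccountNonAdmin = [bool]$account -and ($admins -notcontains $WorkUser)
    OSVersion           = [Environment]::OSVersion.Version.ToString()
    LastPatch           = $lastPatch.HotFixID
    LastPatchInstalled  = $lastPatch.InstalledOn
    AutoUpdateEnabled   = $autoUpdate
    RealTimeProtection  = $mp.RealTimeProtectionEnabled
    SignatureAgeDays    = $mp.AntivirusSignatureAge
    LastQuickScanEnd    = $mp.QuickScanEndTime
    DetectionsOnRecord  = @(Get-MpThreatDetection).Count
    DailyScanScheduled  = ($pref.ScanScheduleDay -eq 0)   # 0 = every day
    DiskProtection      = "$($bl.ProtectionStatus)"
    DiskVolumeStatus    = "$($bl.VolumeStatus)"
} | ConvertTo-Json
```

The output is self-reported by the device owner, so it carries the same weight as a screenshot: it documents the stated configuration but does not prove the machine is trustworthy.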
Giving BYOD users access to the internal network via a VPN is not a great idea. It’s better to think that even the most careful of home users’ computers are like an open sewer that you wouldn’t want to connect to the clean water supply that is your office network.
Do consider that if you have to comply with PCI-DSS, HIPAA or any other regulatory regime, even these measures will not be enough.
5 Talk to the experts
We are in strange times, and the situation at your company could change very rapidly for one or even all employees. An agile company will try to anticipate the demands of any employee who has the potential to be able to work from home, and by creating effective policy and an action plan right now, the opportunity for disruption can be kept to a minimum.
But here is the truth: time spent trying to figure all this stuff out is time not spent putting practical preparations in place.
IT security cannot be forgotten at this time. Get it wrong and you will have people working insecurely with all the risk that that entails. Get it right and those hundreds, thousands even, of available work hours won’t be wasted.
Want more detailed information on how you can set up your organization? We are here to help. Get in touch and speak to the experts at TBG Security.
And finally, Comparitech have a great article on how to make your home network more secure. You might think that turning your house into a Faraday cage using metallic wallpaper might be going a bit far, but people might suddenly have a lot of time on their hands and nowhere to go. The perfect time for a bit of DIY!