Navigating cybersecurity challenges in a new remote working era

The Covid-19 pandemic has affected businesses worldwide, leading many to adopt mass remote working almost overnight. While some organizations were well-prepared for this shift, many had only ever had a small percentage of their staff working remotely at any one time. Recent Leesman research of over 700,000 employees worldwide found that 52 percent have little to no experience working from home, and even of those who do, 83 percent typically do so for just one day a week or less. As lockdowns ease and economies slowly begin to kickstart again, businesses are now looking at options for returning staff to the office safely, and the question on many people’s lips is whether remote working is here to stay.

The answer to that question is not a straightforward one. There are several factors that businesses need to take into account to ensure successful future remote working. Unsurprisingly, the dramatic shift that companies of all sizes have been confronted with has resulted in a host of challenges for IT teams. A significant issue has been, and continues to be, security, with problems arising around data access control, VPN security, and fast changes to infrastructure. The challenge is a two-pronged one: managing existing threats, which are now intensified by a far-reaching shift to remote working, and protecting employees and systems from an increased cyber threat as cybercriminals look to exploit the magnified uncertainty caused by the pandemic.

It’s vital that businesses tackle these security-related issues now, not only to navigate the current landscape efficiently but also to future-proof their organization for what will undoubtedly become a lasting change to the way we work in the longer-term.

The lack of preparedness that is clear amongst most organizations may leave them unprotected in several areas. First and foremost is device management, given the newly created and widely dispersed endpoint network. Businesses that have not heeded security experts’ calls in recent years and have not implemented multi-factor authentication will be vulnerable to brute force tactics such as password reuse attacks. More critically, an outdated mentality that sees security as ‘behind the firewall, or not’ will result in insufficient controls for managing the unprecedented blend of BYOD and managed devices that make up a remote workforce.

A multi-pronged approach

There are several steps that companies should consider to reduce the potential threat, and a multi-pronged approach is the best strategy. IT teams should ensure that comprehensive monitoring tools are put into place, given that home networks are now essentially an extension of the office. They should also offer staff ongoing training and advice concerning securing their home networks. This new environment has put some cybersecurity in the hands of remote employees, so they need to be prepared to protect themselves and the organization.

Further to this, security needs to be extended to the device level. This means utilizing hardware-based tools and enabling software updates that can be easily implemented and scaled across all endpoints. For example, Ubuntu Desktop lets users enable unattended-upgrades and Livepatch to protect endpoints from emerging threats without IT intervention. Using a corporate proxy server or VPN can also help to protect and monitor the newly extended network. Users can also enable low-cost DNS filtering services like OpenDNS to prevent access to harmful sites.
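As an added illustration (not part of the original article), the sketch below shows how an IT team might check that unattended-upgrades is still switched on across a fleet of Ubuntu endpoints by auditing the contents of /etc/apt/apt.conf.d/20auto-upgrades. The two sample files are constructed, the function names are hypothetical, and Livepatch status is not covered.

```python
import re

# The two APT::Periodic switches that turn on daily unattended upgrades.
REQUIRED_KEYS = (
    "APT::Periodic::Update-Package-Lists",
    "APT::Periodic::Unattended-Upgrade",
)

# Constructed samples of /etc/apt/apt.conf.d/20auto-upgrades from two endpoints.
SAMPLE_COMPLIANT = """\
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
"""
SAMPLE_DRIFTED = """\
APT::Periodic::Update-Package-Lists "1";
// switched off locally to silence update prompts
APT::Periodic::Unattended-Upgrade "0";
"""

# Matches simple one-line settings of the form: Key "value";
_SETTING = re.compile(r'^\s*([A-Za-z0-9:_-]+)\s+"([^"]*)"\s*;')


def parse_apt_conf(text):
    """Return {key: value} for one-line settings, ignoring // comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0]  # strip a trailing or whole-line comment
        match = _SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2)  # later lines win
    return settings


def audit_auto_upgrades(text):
    """Return a list of findings; an empty list means the endpoint complies."""
    settings = parse_apt_conf(text)
    findings = []
    for key in REQUIRED_KEYS:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set")
        elif value.strip() in ("", "0"):  # "0" disables the periodic job
            findings.append(f"{key}: disabled")
    return findings


if __name__ == "__main__":
    for name, text in (("compliant", SAMPLE_COMPLIANT), ("drifted", SAMPLE_DRIFTED)):
        print(name, audit_auto_upgrades(text) or "OK")
```

The parser only handles the simple one-line form used in this file; nested apt configuration blocks would need a fuller parser.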

VPNs: increased security not without risk

VPNs have unsurprisingly seen increased popularity in the current climate as they offer secure remote access for employees. According to a recent report, since March, the UK has experienced a 48 percent increase in business VPNs, while globally, this has increased by an astonishing 165 percent. Beyond standard functionality such as authenticating users and providing layered access control, VPNs can be configured to use full tunneling for more substantial enterprise protection. This makes it possible to harness corporate network filtering such as Intrusion Detection and Prevention Systems (IDS/IPS), in addition to other situational awareness protocols like NetFlow to collect and analyze network traffic. However, with such an increase in VPN deployment in such a short space of time, there is more chance of an error occurring during network segmentation, which could unexpectedly expose company resources to a broader scope than anticipated.
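The segmentation risk described above can be checked mechanically. The following added example (not from the original article) compares firewall allow rules against the subnets VPN users are meant to reach and reports any rule that exposes more than intended; the address ranges, rule names and rule format are all constructed for illustration.

```python
import ipaddress

# Constructed policy: the VPN client pool and the subnets it is meant to reach.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")
INTENDED = [ipaddress.ip_network(n) for n in ("10.10.20.0/24", "10.10.30.0/28")]

# Constructed firewall allow rules as (name, source, destination).
RULES = [
    ("vpn-to-intranet", "10.99.0.0/24", "10.10.20.0/24"),
    ("vpn-to-ticketing", "10.99.0.0/24", "10.10.30.4/32"),
    ("vpn-temp-rollout", "10.99.0.0/24", "10.10.0.0/16"),  # rushed, too broad
    ("office-to-db", "10.10.20.0/24", "10.10.40.0/24"),    # source is not VPN
    ("remote-any", "0.0.0.0/0", "10.10.40.0/24"),          # source covers VPN pool
]


def overexposed_rules(rules, vpn_pool, intended):
    """Return (rule name, destination, excess address count) for every allow
    rule that VPN clients can match and that reaches beyond the intended
    subnets."""
    findings = []
    for name, src, dst in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only rules whose source range includes some VPN client matter here.
        if not src_net.overlaps(vpn_pool):
            continue
        # A destination wholly inside an intended subnet is within policy.
        if any(dst_net.subnet_of(allowed) for allowed in intended):
            continue
        # Count the addresses exposed beyond what the policy intended.
        covered = sum(a.num_addresses for a in intended if a.subnet_of(dst_net))
        findings.append((name, str(dst_net), dst_net.num_addresses - covered))
    return findings


if __name__ == "__main__":
    for name, dst, excess in overexposed_rules(RULES, VPN_POOL, INTENDED):
        print(f"{name}: VPN clients can reach {dst} "
              f"({excess} addresses beyond the intended scope)")
```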

Considerations for the cloud

Ongoing adoption of cloud-based products and services poses a further area of concern for security. Businesses making this shift to the cloud need to deliberate on how they secure their services and data. Many assume that the cloud provider manages this for them, which is not necessarily the case and depends on the service. With this in mind, the same due diligence is needed when choosing a cloud platform as they would use when deploying their own infrastructure. Alternatively, companies can turn to a managed services approach, ensuring the underlying complexities of their cloud infrastructure and applications, in terms of maintenance, security and scalability, are run by a trusted partner, which means their IT teams can focus on other priorities, especially during these unprecedented times.

Ultimately, an after-effect of this pandemic will be that it illustrates a potential new future world of work, a future where remote working is the norm and people and organizations can continue working effectively, regardless of their location. Even for those who were perhaps reluctant to adopt a remote strategy before, these unprecedented times have shown that homeworking can be a successful part of their wider business strategy. As remote working becomes universal, the explosion of cloud resources and VPN services will continue, and new access control measures will be needed. For IT teams, this brings new security risks that must be overcome, both now and for the longer-term future of their business.

Essential practical cybersecurity tips for businesses and employees during Covid-19

From a business viewpoint, the global coronavirus pandemic has left many scrambling to find a way to ensure business continuity in a time of unparalleled uncertainty. We know the government has encouraged home working, but because everything changed so swiftly under the widespread lockdown, cybersecurity may have been forgotten or overlooked. If ignored, this could have severe consequences for both your business and your employees. To avoid such predicaments and keep your cybersecurity exposure to a minimum, here are some practical tips to ensure your business and employees are kept secure while working from home over the coming weeks and months.

Tip 1: Be mindful when conference calling

With remote working seemingly the norm for a substantial part of the population, conference calling services like Microsoft Teams, Zoom and Skype are among the leading services heavily used to conduct work-related duties and communicate with colleagues and customers. However, with vast amounts of data being shared across these channels, users must be wary that they do not share too much, especially if it inadvertently breaches privacy or security. Given the dependence on this form of communication, Zoom attacks have surged of late.

To avoid being embroiled in a breach of GDPR, it is imperative to ensure that the unique conference link is only shared with those who need it when using one of these services. Widely exposing this link can allow anyone to enter the meeting and potentially spy on a private conversation, leave inappropriate messages or even steal data from this channel. To be extra secure, when creating an online meeting or virtual room, ensure the invitation settings are made private and carry out an attendance check before commencing.

Tip 2: Security threats are mounting, so ensure the software is up to date

Hackers have shown no signs of remorse, even though many have been affected by Covid-19, and so businesses must remain on high alert as there is now an even greater dependence on software to support the workforce. This includes monitoring for updates and security checks on the software, websites and applications in use, because any unpatched vulnerabilities could lead to a catastrophic data breach. Our recent threat intelligence research into CVEs flagged ‘CVE-2019-11510 Pulse Secure Authentication Bypass Vulnerability’ with a high likelihood of being exploited, which, if left unpatched, is an open pathway for hackers through the Pulse VPN used by many companies during the pandemic. Therefore, this critical flaw should be fast-tracked for patching. It could be a way for a hacker to gain access to business systems, potentially exposing critical information, including passwords or other sensitive data.

Recently, cyber-attackers have shifted their aim to exploit vulnerabilities within the operating software regularly used by businesses today, including Microsoft 365 and WordPress, which are most vulnerable during working hours. Therefore, it is advised to conduct regular and, if possible, continuous vulnerability assessments on all systems and software to guarantee that no patches are missed or, at a minimum, the most severe are prioritized.

Tip 3: Shadow IT and cloud data leaks on the rise

With more staff than ever working remotely, it’s unsurprising that shadow IT is on the rise. While businesses try to maintain operations, workloads have shifted to the cloud, creating security shortcomings. A lack of cloud governance in the new ways of working could spell security disaster in the long term. Cloud environments are notoriously easy and cheap to set up but hard to secure and monitor due to their dynamic nature. If left unchecked, these issues could lead to security challenges, including misconfigurations (the most common reason for data leakage), compliance and data sovereignty issues. Therefore, it’s more critical than ever to continue practicing the same security fundamentals as before and to extend them to the cloud and multi-cloud, ensuring you’re not left vulnerable to security flaws that could come back to haunt you later and take a large amount of budget and resource to fix.

To combat shadow IT issues without adding security burden, automate cloud security assessments to identify and monitor any system flaws, including misconfigurations and workload vulnerabilities, and ensure your tools provide a single view of your critical assets and their security posture across multi-cloud.

Tip 4: Avoiding employees being targeted while at home

As employees adjust to working from the comfort of their own home, security awareness may be relaxed or even forgotten. Cybercriminals are counting on this, and there has been an uptick in the number of phishing threats seen. Cybercriminals are quick to change and tailor their attack methods to align with a specific event, holiday, political situation and, in this case, the coronavirus, so it is vital to remain wary of any tell-tale signs of malicious activity.

We recently identified several security vulnerabilities that could put homeworkers at risk. Vulnerabilities in home routers and in Netgear and Apple devices, caused by outdated software and limited authentication, are ones to watch. While your employees can remain security-aware through training and internal policies, it’s important to alert them to potential threats posed by at-home working and to ensure staff know to update the software on their vulnerable devices. Routers should be sufficiently checked, authenticated and verified to ensure catastrophic man-in-the-middle attacks don’t happen.

During this uncertain time, following security fundamentals and best practices should not be overlooked when maintaining healthy security hygiene. Cybercriminals will try to exploit any sign of weakness within business infrastructure, whether through technology or by exploiting the human element. During this period and from now on, security cannot be overlooked, especially when employees and customers count on businesses to do the best for them.

Remain vigilant, have security in mind, and if it’s a necessity, reach out and outsource any security to a specialist – we don’t want you or your business to get caught out!

What first steps should your business be taking to protect itself?

Review your policies and procedures

There are numerous HR policies that your business can implement to ensure smooth and secure home working. While you are not under strict legal requirements to implement these, it is best practice and can help you streamline your processes.

A working from home policy can set out expectations for your staff while working from home, including data security and confidentiality. To comply with your data protection obligations, it is likely to be appropriate for you to have a separate data protection policy setting out what duties your staff are under when handling personal data, including ensuring that it is processed securely at all times.

An IT security policy can include requirements regarding passwords, the physical security of devices and protocol around installing software. If you already have an IT security policy, you should review it to make sure it is fit for purpose and strongly recommends using two-factor authentication wherever possible.

If you allow staff to use their own devices while working from home, consider a BYOD (bring your own device) policy to address the additional security risks that will arise. For instance, this will help you ensure that appropriate security measures are taken when handling sensitive information, including any third-party data, on personal devices.

It will also be beneficial to have a personal data breach policy setting out your business’s response plan if a data breach occurs following a cyberattack.

Check your remote working systems

If your business is accustomed to having staff work remotely, check that all of your remote working systems are updated with the most recent security patches and firewalls. If working from home is new for your business, take the time to ensure that the systems you set up are fit for purpose and that you have applied appropriate and up-to-date security functions. For example, ensure that virtual meetings are private and require password entry.

Secure your devices

Make sure you take steps to secure devices while they are outside the workplace. For example, ensure encryption is turned on and that you can remotely lock devices and erase or retrieve data stored on them if they are misplaced or stolen.

If staff are using their own devices to work on, make sure they know how to save work remotely and not locally on their device, and check that their antivirus software is installed and fully updated. Remind staff to ensure the physical security of their work, for example by locking their screens when they are not working.

Back-up!

Make sure your employees are backing up their work regularly. Any back-ups should also have strict security measures; for example, access should be restricted to certain people within your organization and should be kept separate from the original copy (e.g., using a cloud service). If your necessary data is backed up, you won’t lose it if devices are lost or stolen, and you can protect your business from ransomware attacks (which make your system or data unavailable until you pay a ransom).

Train your staff

Individuals are a crucial target of cyber-crime so remind your staff to be alert and make sure they are aware of the risks to look out for. This may require you to recirculate your policies, refresh their training on relevant security procedures or to circulate specific examples of Covid-19 cyber-crime.

Ensure your staff know what to do and whom to report to if they identify a cyberattack or think there might have been a data breach. Not only might an attack put your business under threat, but it might create legal obligations for you under data protection law.

Provide IT support

Your staff may be working from home, but they’re still likely to need IT support access. Check whether your normal support will continue while staff are working remotely, and make sure you update staff if there are any changes. If support is readily available, IT vulnerabilities are more likely to be flagged quickly.

Remember GDPR!

Any data that your business handles that contains personal information will trigger data protection law, and you must remember your data protection obligations at all times.

If there has been a personal data breach due to a cyberattack (i.e. a breach leading to the destruction, loss, alteration, unauthorized disclosure of or access to personal data) and that breach carries some risk to individuals, you will have to notify the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. You may also need to notify affected individuals. Even if you do not need to report to the ICO (because you don’t think there is a risk to individuals), you should still keep a written record.

These legal obligations serve as a reminder of the importance of businesses having effective cybersecurity policies and procedures to ensure that they can protect their business from attack and comply with their legal obligations if and when an attack does occur.

Report any breaches

If you think that your business has been the victim of cybercrime, you should report this through the Action Fraud website.

Cybersecurity measures businesses should be taking during Covid-19

As the world remains in lockdown amid the Covid-19 pandemic, the National Crime Agencies have identified a surge in ‘coronavirus-themed’ malicious apps, websites, phishing emails and messages that seek to steal confidential or sensitive information.

While much of the malicious cyber-activity that has been identified is targeted at vulnerable individuals and organizations involved in the pandemic response (such as healthcare organizations), businesses should not rest on their laurels. Not only might staff members be targeted, thereby putting business systems and information at risk, but remote working systems are also vulnerable to attack.

Attacks that compromise your business’s systems could ultimately lead to the loss of sensitive information, fraudulent activity or personal data breaches, which could have severe financial and legal implications for your business.

To help, we’ve taken a look at how your business can keep ahead of the curve by identifying and addressing any potential cyber-vulnerabilities.

What should businesses be looking out for?
