Reducing Risk, Now & for the Next Wave: IT Considerations for Working from Home
This is an IT perspective on how to reduce your company’s risk when you have to send employees to work from home.
The last few weeks have been tough for many. We are all in the same boat with concerns of employee health, public health, company viability and a scramble to accommodate employees that have to work from home. All the while, we are glued to the T.V., phone, tablet or computer screen trying to understand what may come next for us all. It was like we were all unknowingly crouched on a starting line, and a buzzer went off telling us to sprint, swim or another sport analogy (perhaps poor timing with the Olympics having been just postponed) for this sudden change of life.
Not surprisingly, many IT systems weren’t prepared for this rush of remote work; even for those that were, new issues have come up. A recent article from the Imperial College suggests that there will be waves of COVID-19 for the next 18 months; this could mean that we might see corresponding waves of need to work from home.
This article’s intent is to help you identify the IT risks associated with remote work, and how to minimize and/or eliminate them.
The Risks of Working from Home
In the rush to send employees home, some by choice and some not, many corporate IT networks will find themselves interacting with home-based connections, equipment and products. Not all of these employees had the use of portable corporate laptops and other hardware, meaning home computers are potentially being used for work. The risk is unsecured access to your corporate networks, which creates the opportunity for malware/ransomware to be installed.
Here’s how that can happen. If personal computers are being used at home, they may be used by more than just your employee. With unrestricted access to websites and software, the risk of malware being installed on the connected computer is high – when this infected computer connects to your corporate network, malware could be installed there as well.
Passwords are another vulnerability, as the corporate password policy doesn’t apply to personal computers. If the password is easy to guess or not strong, access can be gained – again, malware or ransomware could be installed to the corporate network on the next connection.
There is a difference between corporate-grade spam filters and anti-virus programs and their consumer-grade counterparts. Hackers understand that more people are working from home and will attack the low-hanging fruit of consumer-grade products to gain access to your corporate data.
Other ways that cyber-criminals can access your network are through an unsecured Wi-Fi connection, which may be overloaded with multiple devices, and outdated operating systems (which pose another major risk, as security updates won’t work or be sent).
Once access is given to your network, a hacker can deploy malware to all the machines connected to it. The risk could be hundreds of thousands of dollars in lost data, loss due to downtime of operations, and the cost of rebuilding IT infrastructure and networks. There is serious risk in working from home.
What Can Be Done
This may seem overwhelming, but the intent is not to be doom and gloom here. We know many companies (arguably, most companies) did not anticipate this immediate need to work from home. There is risk, BUT there is a way to manage it. Our goal here is to provide you with what you need to minimize your risk, both now and the next time there is a rush for remote work capabilities.
You need a VPN (Virtual Private Network); this encrypts your network traffic by creating a secure connection, reducing your exposure on public networks. You also need to utilize built-in encryption on all devices. Many products from Apple, Microsoft and others have tools built into their operating systems to allow for encryption of data – you need to activate this feature. Additionally, you need to utilize built-in firewalls. Just like built-in encryption, many brands offer built-in firewalls to prevent malicious inbound and outbound requests – activate those features too. Please install cloud-based corporate-grade spam and anti-virus programs, as they offer the best protection. Your consumer-grade versions are extremely vulnerable.
Multifactor authentication can greatly increase the security of your network. It does this by requiring a minimum of two types of authentication – often in the form of a password and then, commonly, a code/notification sent to the user, which they must then enter. Without both of these items, no network access is granted.
Not everyone is in a position to do so, but using current equipment with current operating systems is highly recommended. They allow new security updates and patches to be installed on an ongoing basis. If the operating system you’re using is EOL (end of life), these patches won’t be sent, thus leaving your system vulnerable. In terms of the larger IT infrastructure pieces, such as servers and routers, look at renewing or ensuring that they have current warranties. This will allow for expedient fixes if something goes wrong.
There is a lot here, but if you break it into chunks and start slow, you can be better prepared now and for the next wave of work from home.
Anything Else?
Yes, policies. Here are some quick policy pieces you can look at implementing:
• Detail what each user should do to secure their home or work equipment and work space.
• Mandate the use of a VPN.
• Outline incident reporting.
• Put in a strong password policy.
• Look at putting in timeout sessions and screen locks for remote computers.
• Provide company-owned devices for your staff to use at home that can be maintained and secured by IT.
We Are Here to Help
It doesn’t matter if you are a current client of AbleIT, a new one, or just need some questions answered. We are here to help. If you have any concerns, questions or need some of the products or services mentioned above, please contact us at able@ableit.ca.