17/03/2020
CYBER SECURITY AND REMOTE WORKING,
Data and security considerations for remote working
An interesting article by Steven Bishop Fabrication Systems
As more people across the world turn to home
working in an effort to combat the spread of the coronavirus, Steven Bishop
offers his thoughts on the potential data concerns and cyber security
consequences of providing employees remote access to IT systems.
Note: This article is presented as an introductory
educational guide that aims to highlight some of the main issues that someone
new to the subject needs to consider. It is not intended to be a comprehensive
briefing and is not a substitute for an in-depth investigation into the wider
issues.
We have a rush on at
the moment in the world of IT services. Right now, there is an urgent need for
many companies to setup remote working for their staff so that they can
continue their day-to-day business operations in the face of calls for medical
isolation and advice to restrict movement of people around the country.
Some big
changes have to be made to the company’s operating procedures to accommodate
remote working. New rules have to be quickly drafted and approved by the
organisation’s management team. And in this rush, many safeguards are likely to
be missed, overlooked or downplayed. If the organisation is inexperienced with
IT systems then the management team needs to be aware of the significant and
new risks that remote working opens up.
A big
part of business-related IT management is putting in place appropriate controls
and barrier-fences to reduce or eliminate IT operations that could permit
data-leakage of confidential data and cause a breach of data-protection legislation
such as GDPR.
As IT
engineers, it is our job to facilitate the wishes of our customers, but it is
also to inform and advise them that changes to their IT systems to add
Remote-Working is going to open up some new and significant risks.
And, as knowledgeable technicians, we have to
impress upon the customer that they need to carefully assess and consider these
risks before they make their decision about who and how many employees are
given the option to work remotely.
1: Remote working and data leakage
The first of the major headline risks of
Remote-Working is an increased risk of data leakage.
The ‘off-the-shelf’ remote working tools that most
customers will adopt will (by default) side-step most of the internal IT
controls that normally prevent data loss. Out-of-the-box, they will permit
Remote printer-sharing, remote desktop file-sharing, and remote USB
connections, and each of these can be used to side-step the normal IT controls
in place for data-protection.
When employees work remotely, they are stepping
outside of the normal day-to-day office environment, which itself prevents a
lot of risky IT behaviour. In the office, employees are going to be observed
doing something unwise, such as bringing in an external USB drive and
connecting it to an office computer, or adding another printer to the office
network and printing off a lot of company documents.
It doesn’t matter whether the motivation is a
benign desire to simply achieve a task more quickly or whether it is malicious
with a wish to steal company data. The end result is the same, with a big
chance of data-leakage and a significant danger of breaching GDPR legislation.
2: Remote working and data connectivity
The second major headline is data connectivity.
Remote working stretches internet connectivity in
new and strange ways. The standard business ‘broadband package’ that provides a
customer’s office internet connectivity is unlikely to have enough capacity for
anything more than a few remote working sessions to operate at the same time.
It will typically have a far larger capacity for incoming data than for
outgoing data, usually by a factor of five-to-one.
In normal circumstances this is fine, because on a
normal working day most of the data traffic is entering the office rather than
leaving it. Adding remote working access to an office IT system turns this on
its head and stresses the weaker outgoing data capacity.
As a result, there needs to be a discussion with
the customer to identify how many employees can comfortably use the remote
working facility and to work out who are the priority users if the IT system
becomes over-stretched.
If we don’t do this, then everyone will suffer a
poor experience or find it so frustrating that they fail to make use of the
system at all.
3: Remote working and cyber security
Remote working makes wide and open connections
through the normal firewall defences of the office network.
At short notice, there may be a desire to let
employees remotely connect to the office from their own personal computers at
home. This is not an ideal situation as an employee’s personal computer is not
under the management of the company, and may have malware or other malicious
content hiding on it.
If the decision is made to use personal computers,
then extra care needs to be taken, because there is a real chance of delivering
ransomware into the office network and allowing company data to leak out.
Inevitably, any openings that we make to let
authorised employees to gain access can sometimes be exploited by bad
operators. If these remote working access routes are unmonitored or not well
protected then the risk of a cyber-security break-in is significant.
4: Managing customer expectations
The simple phrase of ‘remote working’ covers a huge
umbrella of technical issues and business operational risks.
The IT technician often ends up being the
‘kill-joy’ that has to explain this is more complicated than it first appears,
and that it is not possible without extra expenditure and extra procedures to
keep the company’s IT operations safe and secure.
There are a number of different ways to achieve
remote working. Each company needs to assess their own level of risk, decide
what is appropriate expenditure and what safeguards to put in place.
Doing something quick without the proper amount of
consideration is risky and not advisable.
Top 5 tips for IT security professionals to ensure employees can work remotely as securely as possible:
Real-time active monitoring of data-traffic – ensure you are able to pull-the-plug the moment something untrustworthy is detected. Be paranoid, safety first.Have a proper disaster-recovery plan – you must, must, must have a reliable data backup of all valuable company data, and do a “fire-drill” to test that you can restore from it. Only this can save you in the event of a ransomware or other malware attack.Time-limit it – the longer that something is left up the more chance there is of a break-in. Don’t install it and then forget about it. Just look at the news headlines about Virgin-Media, British-Airways, Experian, etc, etc. Most of these were made far worse for being open and vulnerable for such a long time.Minimum number of people – only trusted people inside your organisation, those who can be trusted to keep a separate and clean PC to connect to the office network. You don’t, for example, want your kid installing a boot-leg game on your home PC and then infecting the office network from there.Proper IT partitioning – isolate as much as possible within the office network. Put up the IT equivalent of fire-breaks within the office network.
,
https://www.standfast-security.co.uk/cyber-security-and-remote-working/,
Data and security considerations for remote working An interesting article by Steven Bishop Fabrication Systems As more people across the world turn to home working in an effort to combat the spread of the coronavirus, Steven Bishop offers his thoughts on the potential data concerns and cyber securi...
