Chris Barr, CT’s technical director, takes a look at what business owners need to be considering next to improve the security of their home workers
Over the past few weeks many organisations have been forced to react to the rapidly evolving situation and adopt remote working practices. In many cases the need to continue day to day operations has been the priority, but now that the dust has settled and staff are working in new ways, it is time to ensure that the ways they are working are efficient and, most importantly, secure.
It is important to understand that when we grant any form of remote access into our networks for staff, we also create an opportunity for hackers to access our networks. It is therefore vital to ensure that this remote access is created in the correct way.
CT recommend that all organisations implement fundamental security measures to ensure they are adequately protected. Remember the resolution of any security breach may be made even more difficult at the moment by IT teams having limited physical access to premises and end users.
Below we have highlighted some fundamental questions you should be asking in order to help identify any gaps in your remote working security.
Do you have Multi Factor Authentication (MFA)?
Using two (or more) factors of authentication is the single most effective security measure that can be implemented to prevent un-authorised remote access to your data. If multi factor authentication is not enforced on remote entry points to your organisation’s infrastructure, you are vulnerable to attack.
There are a number of cost-effective solutions in the market and Microsoft is now including the premium version of their MFA service with bundles such as Microsoft 365 Business allowing it to be deployed with minimal costs.
Are you utilising Remote Desktop?
Many businesses use Remote Desktop to facilitate network access for remote employees but is it open to the world?
When setting up Remote Desktop for your staff, CT strongly recommends deploying the Remote Desktop Gateway role which allows connections to be established securely over HTTPs. Gateways provide a basic level of protection where a user connects to the internet. If there is not one in place, they are open to attack.
Depending on the number of users this is typically not a big task and just requires a low cost security certificate to be installed to verify the identity of your server.
Are your staff working remotely using VPN connections?
VPN connections can be inefficient as entire files are downloaded over internet connections and stored on the remote device. This creates two key security risks – first, a direct connection between the remote device and your internal network is created and second a copy of your company data is downloaded onto the remote device.
Alternative solutions such as Remote Desktop allow data to remain safely on your server infrastructure rather than transferring to the remote device. The programs and data are displayed via a remote screen removing the need to transfer large amounts of data and creating a ‘barrier’ between the remote device and your organisation’s network. CT do not recommend the use of VPN connections for these reasons.
If you are using a VPN connection, is it encrypted?
The need for encryption and tough security measures is at an all-time high.
If your home workers are connecting to your network using a legacy VPN protocol (PPTP for example), it is likely the connection is not encrypted. As a result, such connections do not encrypt data sent over the public internet increasing the risk of a data breach.
Many vendors (such as Apple) have removed PPTP from their devices as it is not a secure way to connect to a server. If you do have to use VPN connections, CT recommends reconfiguring your server or firewall to use an encrypted VPN.
Do your staff have Secure Internet Access?
If you have internet access controls in place whilst working in the office, are these transferred to remote working situations?
Many portable laptop devices do not have secure internet access enforced – it’s important that your internet acceptable use policy is enforced on all your remote devices and that connections to websites identified as hosting malware are blocked irrespective of the location in which the devices are used.
If you did not have secure internet access controls in place before moving to home working then now is the time to add it to your security toolkit.
Do you have controls in place for the use of Remote Devices?
If you have no controls in place for the use of laptops, tablets and remote workstations, staff can use any device to connect to your network and store / process your data. This may be a work device or the employee’s own personal device.
If they use a personal device, how do you know its secure? Are all security patches up to date and does it have up to date antivirus? Does the device have encryption such as Bitlocker enabled so data is secure if the device is lost? If not, the employee could unknowingly be creating an opportunity for unauthorised access to your data.
It’s important to ensure that control is kept over your data and that all devices used to process your data are secured to prevent data leakage or damage through malware.
CT recommends limiting device use to company owned devices or, where personal devices are used, ensuring the same security controls for company owned devices are forced out to the personal devices before they are allowed to connect. There are a number of ways to achieve this such as the Office 365 Mobile Device Management product ‘Intune’ which allows devices joined to your network to be managed centrally.
Intune then integrates with Office 365 Conditional Based Access to selectively allow access to your organisation’s data based on the policies defined. Microsoft has recently bundled Intune and Conditional Based Access into the Microsoft 365 Business package to provide a cost effective and comprehensive solution.
If you have any questions or concerns about the security of your home workers, please do get in touch with CT.