HOW ORGANISATIONS CAN ENSURE CYBER SECURITY DURING REMOTE WORKING
Global pandemic has entirely changed the work culture of the organisation, while over 75 percentage of the private sector employees are working from home and rest of the employees are working remotely at least once a week percent of global employees work remotely at least once per week and willing to work from home more often if their job permits.
Presently, most of the organisations including start-ups ever are offering the option to work from home because of the serious health threats to the employees and to ensure the business continuity.Top managements and business leaders from all sorts of companies including the start-ups are recognising the benefits of permitting remote work for their companies
Previously, most of the organisation’s weren’t set up to work remotely, and most of the time prefers working on office premises only,but, the COVID-19 pandemic and resulting lockdown of many countries mean that many companies and their employees are now mostly full-time working from home (WFH).
Keeping business continuity in focus organisations allowed remote working, however the cyber security and information security has become a serious concern. One side work from home option has reduced commuting time for employees, more liberty for workers and even increased productivity, on the other side there are cyber security risks and challenges that come with allowing their employees to work from home or from any remote location.
What are the Risks of Work from Home/Remote Work?
Data security and cyber security is paramount, while work from home. Organisations need to have secure communication channels to access their Information systems hosted on premises, some organisations mainly start-ups may face operational risks such as not being able to support a huge number of simultaneous remote connections to their infrastructure and IT services. This could be troublesome for employees that need access to internal resources for business support and may even place additional burden on IT teams if they’re not properly prepared.
While this is a business disruption risk, and can cause unnecessary stress for an IT department that’s already overworked and overburdened trying to fix the issue on-the-go. Which could lead to the risk k of not properly implementing access, authorization and authentication policies which may result in employees accessing resources that they shouldn’t.
In order to reduce the risk of unapproved remote access to organisation’s Information Technology infrastructure, IT teams and information/ cyber security teams shall make it explicit which applications, services and VPN clients are supported by the organization IT infrastructure. Any unauthorised attempt to access internal Information Technology infrastructure with illegitimate and unknown tools should be treated as a cyber risk and blocked immediately.
Since many companies have a well-defined and strict IT and Information security policy for centrally managing and deploying software. Security patch updates to endpoints, gradual rollout procedures should be designed for deploying those updates. Delivering them all at once to remote devices connected with secured VPN technology, could create bandwidth traffic jam and affect inbound and outbound traffic. Data backups of individual laptops could be a tough task if backup servers are hosted inside the premises. Last but not least, enabling disk encryption for all endpoints should be a priority as it minimizes the risk of having sensitive data accessed or compromised due to unauthorised access or device theft.
Cyber Security Guidelines for Work from Home?
Having a Teleworking/Work from Home Policy
First and foremost, thing -Define “Remote,” “Work from Home” or “Teleworking” policy is a must if your organisation or start-up is allowing employees to work from home or locations outside of the office premise. This policy shall establish a set of procedures and guidelines that employees must follow in order to work from home. will reduce the inherent risks of working remotely since the organisation and employees are explicitly aware of the WFH responsibilities and its consequences.
Teleworking/ remote working policy shall include:
- Employee responsibilities
- Procedure of reporting of information security incident.
- Approval process from remote connections
- Workspace security mandates.
- System configuration/ hardening steps
- Use of encryption for data stored and in transit and Ensure encryption is used for all data that is stored and in transit
- Mandate use of a secured channel such as VPN for remote workers
Information security training’s to Top management and employees.
Conduct periodic monthly or quarterly training sessions to keep your employees and top management aware and educated on cyber security and information security risks and their responsibilities when it comes to organisation’s information security program and working from home.
Basic cyber security drills shall be conducted on regular basis and organisation’s information security awareness program shall be updated accordingly. Employees shall be aware of phishing attacks, spam mails as well as securing home Wi-Fi network.
Each and every employee shall be aware about the risk of using public Wi-Fi for organisation’s system. Employees should be aware whom to contact in case of any cyber security incidents.
Top management is more prone to cyber security attacks. They shall be adequately trained.
Organisation shall assess the Information Security awareness status of the employees and top management on timely basis.
Use of advance technology and tools for Data Protection
A well-defined policy in place will help employees know what they need to do and how to do it, but providing them with the right technology tools will also reduce the risks of working remotely. Depending on the organisations and the role of their employees, the technology could vary. Below are the few examples of some tools helpful in data protection during remote working:
- Enable built-in Firewalls: Firewalls are the defence for information security risks. Now a days every Operating Systems has inbuilt firewall which can prevent malicious inbound or outbound requests
- Enable built-in Encryption: Systems data will be encrypted by using built in encryption techniques, this is helpful in case the drive is lost or stolen. However, the passkeys shall be remembered by the IT administrator.
- Use Virtual Private Network (VPN): VPN provides a secured tunnel to the data travelling to the servers and make it difficult to crack for malicious users or hackers. Organisation shall only accept traffic coming through VPNs and employees shall always use VPN for connection to office network specially when they are in a shared network at home or outside
- Use of Password Managers:This will help employees to store their passwords and generate secure password.This reduces the risk of using the same password for all services and applications by employees.
Enablement of two-factor authentication
Use of two factor authentications to critical information assets is a must, since it provides a surety that the data request is coming from a genuine source. This method reduces the risk of phishing and malware attacks.
Monitor your third-party vendors and service providers
Many a times organisations outsource few services for them. In this case the vendors shall be regularly monitored as the Suppliers information security policy. Assess your vendors cyber security program on regular basis because a vendor can also be sometimes acting a risk for organisations information security
Use of access control
Organisation shall implement an access control policy in order to reduce the data breach or data leaks. Least privileged shall be given while granting permission to any user. Access should be based on the role of employees in the organisation, and these accesses shall be monitored on timely basis
Enforcement of strong passwords on Applications, servers and employee devices
Organisation shall ensure that strong password policy is enforced on employee devices applications and servers,
Use of web security protection
Last but not the least organizations should deploy security solution like antivirus, anti-phishing, anti-malware security solutions employee endpoints and technologies capable of preventing network vulnerabilities from exploitation. There are many solutions available in the market nowadays.
Only deploying these solutions is not sufficient, it shall be updated and monitored regularly and necessary actions shall be taken on it. Organisation shall deploy the solutions which can accurately detect the phishing attempts and any known malware attacks.
Work from home or remote working has given a golden opportunity to hackers and cyber criminals as well as it is a challenge for organisations IT Team and information security team. Managing Cyber Security during remote working is really tedious job for the organisations, however use of proper technology and monitoring can certainly mange this work. Organisations shall take cyber security as a risk and shall appropriately invest in safeguarding their Information assets. A vigilant and aware team can save organisation from cyber attacks and hence from financial, reputation and business operational loss.
# Keyword: Information security, cyber security, data protection, VPN, training and awareness VPN, strong password, business continuity, access control, remote working, work from home, cyber security risk.