Data and security considerations for remote working
An interesting article by Steven Bishop Fabrication Systems
As more people across the world turn to home working in an effort to combat the spread of the coronavirus, Steven Bishop offers his thoughts on the potential data concerns and cyber security consequences of providing employees remote access to IT systems.
Note: This article is presented as an introductory educational guide that aims to highlight some of the main issues that someone new to the subject needs to consider. It is not intended to be a comprehensive briefing and is not a substitute for an in-depth investigation into the wider issues.
We have a rush on at the moment in the world of IT services. Right now, there is an urgent need for many companies to set up remote working for their staff so that they can continue their day-to-day business operations in the face of calls for medical isolation and advice to restrict the movement of people around the country.
Some big changes have to be made to the company’s operating procedures to accommodate remote working. New rules have to be quickly drafted and approved by the organisation’s management team. And in this rush, many safeguards are likely to be missed, overlooked or downplayed. If the organisation is inexperienced with IT systems then the management team needs to be aware of the significant and new risks that remote working opens up.
A big part of business-related IT management is putting in place appropriate controls and barrier-fences to reduce or eliminate IT operations that could permit data leakage of confidential data and cause a breach of data protection legislation such as GDPR.
As IT engineers, it is our job to facilitate the wishes of our customers, but it is also to inform and advise them that changes to their IT systems to add Remote-Working is going to open up some new and significant risks.
And, as knowledgeable technicians, we have to impress upon the customer that they need to carefully assess and consider these risks before they make their decision about who and how many employees are given the option to work remotely.
1: Remote working and data leakage
The first of the major headline risks of Remote-Working is an increased risk of data leakage.
The ‘off-the-shelf’ remote working tools that most customers will adopt will (by default) side-step most of the internal IT controls that normally prevent data loss. Out-of-the-box, they will permit Remote printer-sharing, remote desktop file-sharing, and remote USB connections, and each of these can be used to sidestep the normal IT controls in place for data protection.
When employees work remotely, they are stepping outside of the normal day-to-day office environment, which itself prevents a lot of risky IT behaviour. In the office, employees are going to be observed doing something unwise, such as bringing in an external USB drive and connecting it to an office computer, or adding another printer to the office network and printing off a lot of company documents.
It doesn’t matter whether the motivation is a benign desire to simply achieve a task more quickly or whether it is malicious with a wish to steal company data. The end result is the same, with a big chance of data leakage and significant danger of breaching GDPR legislation.
2: Remote working and data connectivity
The second major headline is data connectivity.
Remote working stretches internet connectivity in new and strange ways. The standard business ‘broadband package’ that provides a customer’s office internet connectivity is unlikely to have enough capacity for anything more than a few remote working sessions to operate at the same time. It will typically have a far larger capacity for incoming data than for outgoing data, usually by a factor of five-to-one.
In normal circumstances, this is fine, because on a normal working day most of the data traffic is entering the office rather than leaving it. Adding remote working access to an office IT system turns this on its head and stresses the weaker outgoing data capacity.
As a result, there needs to be a discussion with the customer to identify how many employees can comfortably use the remote working facility and to work out who are the priority users if the IT system becomes over-stretched.
If we don’t do this, then everyone will suffer a poor experience or find it so frustrating that they fail to make use of the system at all.
3: Remote working and cyber security
Remote working makes wide and open connections through the normal firewall defences of the office network.
At short notice, there may be a desire to let employees remotely connect to the office from their own personal computers at home. This is not an ideal situation as an employee’s personal computer is not under the management of the company, and may have malware or other malicious content hiding on it.
If the decision is made to use personal computers, then extra care needs to be taken, because there is a real chance of delivering ransomware into the office network and allowing company data to leak out.
Inevitably, any openings that we make to let authorised employees to gain access can sometimes be exploited by bad operators. If these remote working access routes are unmonitored or not well protected then the risk of a cyber-security break-in is significant.
4: Managing customer expectations
The simple phrase ‘remote working’ covers a huge umbrella of technical issues and business operational risks.
The IT technician often ends up being the ‘killjoy’ that has to explain this is more complicated than it first appears, and that it is not possible without extra expenditure and extra procedures to keep the company’s IT operations safe and secure.
There are a number of different ways to achieve remote work. Each company needs to assess their own level of risk, decide what is appropriate expenditure and what safeguards to put in place.
Doing something quick without the proper amount of consideration is risky and not advisable.
Top 5 tips for IT security professionals to ensure employees can work remotely as securely as possible:
- Real-time active monitoring of data-traffic – ensure you are able to pull-the-plug the moment something untrustworthy is detected. Be paranoid, safety first.
- Have a proper disaster-recovery plan – you must, must, must have a reliable data backup of all valuable company data, and do a “fire-drill” to test that you can restore from it. Only this can save you in the event of a ransomware or other malware attack.
- Time-limit it – the longer that something is left up the more chance there is of a break-in. Don’t install it and then forget about it. Just look at the news headlines about Virgin-Media, British-Airways, Experian, etc, etc. Most of these were made far worse for being open and vulnerable for such a long time.
- Minimum number of people – only trusted people inside your organisation, those who can be trusted to keep a separate and clean PC to connect to the office network. You don’t, for example, want your kid installing a boot-leg game on your home PC and then infecting the office network from there.
- Proper IT partitioning – isolate as much as possible within the office network. Put up the IT equivalent of fire-breaks within the office network.