
Remote working: Spreading the IT security blanket. By Matt Henkes


Remote working can lead to happier and more productive staff, as well as improve your chances of retaining key talent. However, if you fail to take a number of simple precautions, unchaining your employees from their desks could leave your IT manager with a serious security headache. Matt Henkes reports.


Not only has remote working freed employees from the confines of the office, there is evidence to suggest it can lead to a happier, more productive workforce and play a key part in retaining top talent.

However, allowing staff to run riot out in the big wide world with their company laptop can mean an extra headache for IT departments already trying to keep in-house company information secure.

The good news is that there are a number of simple precautions you can take to limit the threats. It’s a case of getting the message across to staff who often underestimate the risks of conducting company business in parks, pubs or even the comfort of their own living room.

“Just think about how important your IT really is,” says Ram Dahliwal, UK licensing programmes manager at the Business Services Association (BSA). “If your IT infrastructure went down and you lost email, what would be the impact of that? What would happen if all of your documents became corrupted because of a virus, or if you were unable to communicate with other people in your company?”

Robust policies

Following a good deal of swearing, it’s likely that most people would find themselves severely inconvenienced, which is why Dahliwal advocates putting more robust policies and procedures in place, and working with management and HR teams to make sure these are properly communicated to employees.

For example, staff need to be aware that downloading unchecked material, then connecting their laptop to the company mainframe, can amount to opening the doors to your database.

“Most workers will probably have signed a policy document when they joined their company, though quite often it’s just stuck in the drawer and never really looked at,” he points out.

Ian McGurk, head of security consulting at IT firm Plan-Net, agrees that staff awareness is the first step. “There’s a level of education where if people understand what the threats are and what’s good and bad practice, they can be more vigilant in terms of how they use their equipment. Awareness starts with common sense. It’s easy to do, doesn’t cost much, and can be a very effective way of controlling things.

“User awareness training would basically show them the different ways in which they can be exploited,” he adds.

One of the biggest problems, McGurk highlights, is email, especially when it comes to combating the myriad ways cyber criminals are coming up with to manipulate information out of unsuspecting users. Even though most people are now aware of phishing attacks, he still emphasises the need to reinforce staff vigilance – for example, making sure employees delete any unsolicited emails if they don’t recognise the source.

The even simpler habit of never leaving laptops unattended and unlocked, even at home, needs to be drummed in. Leaving one open is tantamount to writing your PIN on the back of your bank card and sticking it up in a telephone box.

“It needs constant reminders from IT and HR teams that this is an important thing,” adds Dahliwal. “Securing your infrastructure and your network is vital.”

Losing control?

However, as their sphere of responsibility becomes wider to accommodate increasing numbers of remote workers, some IT managers have complained that they feel as if they’re losing control of their estate.

McGurk puts this largely down to equipment not issued by the company, which is not so easy to lock down. For instance, company-issued laptops can be set up in a way that makes it impossible for employees to download new software onto them. This means that malware such as trojans and viruses is unable to install itself and run on the system.

“Instead of focusing on the infrastructure within the business, IT managers need to think about the wider infrastructure involved in remote working. That’s a step-change in thinking,” Dahliwal concurs.

Once you’ve ensured that your employees can’t torpedo your network by inadvertently downloading some kind of nasty digital gremlin, the next thing to worry about is remote hackers causing mischief to your data stream. There are a whole host of different products you can use to secure the online connection. The two most popular are both types of virtual private network (VPN): IPsec VPN and SSL VPN.

“IPsec VPN in essence means that the computer will encrypt all information through to the firewall at the company site,” explains McGurk. “It will establish a connection and all the information passed when accessing services on that site will be encrypted. The alternative to that is SSL VPN, which is a similar principle but slightly more flexible because it means that you don’t have to have any particular software installed on your PC. Most companies will have something like this in place.”

For added security, he also advises installing different levels of authentication on top of user names and passwords, for example a one-time password or a biometric reader.

New threats, same old problems

New types of online communication tools like instant messaging and VoIP (Voice over Internet Protocol) are now posing fresh security issues as they manipulate the way that network ports operate and misuse the way that firewalls behave.

“Things like instant messaging can often be used as a file transfer system,” McGurk warns. “They bypass the security of the firewall but are often allowed because of the assumption that they’re not performing file transfers. However, people can choose to accept files which, when they come through, could create problems if they’ve got any sort of malware associated with them.”

As an organisation, you can block those types of services at firewall level, although it would be advisable to explain to your staff why you’re doing this, as messaging is a popular tool. There is also a range of products that limit its use or give much tighter control over what people can do with it.

In fact, the marketplace is absolutely littered with all kinds of products that can do just about anything related to remote security. The only problem is that they come at a cost – and not only monetary.

“You can end up with lots of different products, all doing different things, all with a level of management associated with them, all eating away at the IT budget,” says McGurk. “There’s a wealth of different products out there. The trick is knowing what to buy and what’s going to give you the greatest value. For many IT managers, that’s probably one of the biggest headaches.”

