Teleworking: Information Security Essentials for Organizational Leadership

The COVID-19 pandemic forced organizations to rapidly develop and implement policies and procedures that enable their employees to work remotely. As time has passed, many companies have begun to recognize the monetary benefits associated with teleworking, including reduced utility costs as well as a decline in the need for office space, furniture, and conference rooms. Corporate management teams are now considering making telework a permanent part of their businesses. One primary concern is maintaining the security of information systems and networks and the sensitive data residing thereon.

USING VIRTUAL DESKTOP INFRASTRUCTURE (VDI) FOR SECURE REMOTE CAPABILITIES

If your organization already utilizes VDI and you have enough licenses to accommodate your teleworking staff, you are ahead of the game. VDI users can be provided role-based access, giving them access to only the resources they need to perform their jobs. All of those resources remain secured inside your organization’s environment or in the cloud; thus, physical security and unauthorized access concerns are reduced. VDI also uses less bandwidth and is easier for your IT staff to manage than Virtual Private Network (VPN) connections.

VDI users access an online gateway application that resides on the organization’s network perimeter and enter their credentials using their personal devices. Based on established access controls, the users, once authenticated, will see a virtual desktop environment that will provide them with all the resources they need.

If you are not already using VDI, be aware that it is considerably more expensive to implement and utilize than a VPN. You may wish to consult with your IT infrastructure team or service provider for more VDI implementation information. Some companies use a combination of both VDI and VPN for remote connectivity because the cost per VPN user is less. Those who handle more sensitive data, like medical records, would use VDI because all the data is maintained within the organization’s internal network, not on systems at the users’ homes.

USING A VIRTUAL PRIVATE NETWORK (VPN) FOR SECURE CONNECTIONS TO INTERNAL RESOURCES

Most teleworkers are using VPNs to securely connect to their employers’ internal networks. Implementation is simple, and licenses are relatively inexpensive. A firewall running a VPN access application or a VPN gateway device on the organization’s network perimeter provides access to internal resources to authenticated remote workers connecting via their local VPN clients. User access to internal resources is defined and controlled by access levels assigned to their user accounts.

There are some negatives and risks associated with VPN usage. Your company’s network bandwidth may be strained by the number of VPN connections in use at once when so many of your employees are working remotely, and an upgrade may be necessary. Additionally, troubleshooting VPN issues can be difficult. Finally, malware has been known to propagate via VPN connections.

Your organization’s management may wish to consider prohibiting remote employees from using their personal devices to connect via VPN. Issuing company laptops with only authorized applications installed and limiting users’ administrative privileges is one option. A county government in Texas had recently procured new laptops for its staff. Instead of sending the old Windows 7 laptops to auction, as would ordinarily have been done, they reloaded them with Windows 10 and the appropriate VPN client, then issued them to those working remotely. These were the only computers remote workers were allowed to use for VPN connections.

DEVELOP CYBERSECURITY POLICIES, PROCEDURES, AND REQUIREMENTS

The home networks of each of your remote employees essentially become part of your organization’s network. Because they are home networks used by everyone in the household, not just your employees, and because their equipment is not physically secured within the company’s walls, they are naturally more vulnerable to external threats.

The policies, procedures, and requirements you will need to develop depend, to a degree, on how your remote users are connecting to organizational resources. For example, fewer security policies and procedures would be required for an organization using VDI to provide remote connectivity than would be necessary for a company allowing its remote workers to use personal devices to connect via VPN.

Depending on the sensitivity of your organization’s data and how your employees access your systems from their home networks, your new policies and requirements may need to address issues including, but not limited to, the following:

  • Perimeter security of the home networks (type of encryption used by home access point routers, router password requirements, firewall requirements, etc.) 
  • Application and system update installation on personal and/or company equipment 
  • Virtual private network (VPN) acceptable usage 
  • Personal device usage (what devices are allowed to connect, maintaining anti-malware protection, locking screens when away from the computer while connected to the company network, complex password requirements, etc.) 
  • Company data storage on home use systems (including encryption requirements for data at rest) 
  • Virtual Desktop Infrastructure (VDI) acceptable usage 

Your organization may also be subject to statutory or regulatory requirements for securing your systems and data. For example, governmental entities with systems that access criminal justice information must comply with federal Criminal Justice Information Systems (CJIS) requirements for controlling physical access as well as access to CJIS data. Requirements such as these would need to be incorporated into your remote work policies and procedures.

Reporting procedures also need to be developed. These may include information about how to report possible security issues, how to contact IT support when technical problems arise, and what types of issues employees must report immediately.

Once your remote work guidelines and requirements have been developed, you will need to clearly communicate them to your teleworkers. If you have a considerable number of employees, online meetings may not be an option unless you divide them into groups and have multiple sessions. One solution would be to provide the policies and procedures in writing and then give your employees a deadline to acknowledge that they have read and understood them. You may wish to include some penalty for failure to do so. Including information about how employees can ask questions about the policies might also be helpful.

CYBERSECURITY TRAINING

The massive shift to telework created a target-rich environment for hackers and scammers. Requiring employees to take cybersecurity training has always been a good policy, but emerging threats specifically targeting remote workers have increased the need to educate remote staff and the IT professionals charged with configuring and securing the environment. There are online providers developing courses specifically related to securing the remote work environment. Requiring your employees to take cybersecurity courses applicable to their positions is highly recommended.

CONCLUSION

Employers and employees are realizing the benefits of teleworking. Companies are saving on office space, furniture, and equipment while their employees are pocketing money they would have spent commuting, paying child care expenses, and buying fast food lunches. If teleworking is to become the new normal and these benefits are to be enjoyed over the long term, effective security policies and procedures developed specifically for this environment are necessary. Hardening security both within the organization’s walls and in the distributed network of employee homes is also critically important, as is training to recognize emerging threats.