There’s a lot of talk at the moment about enabling staff to work from home due to coronavirus / COVID-19. There are probably a lot of organisations that would like to make this happen, but that don’t know how to do it securely. These organisations may also have staff who will be working from home for the first time, so they probably need to provide some guidance and support to those staff too.
The intention of this article is to provide some high level suggestions of things to look at, which will have the most impact in terms of reducing the risk of security breaches and helping employees stay productive.
What can the organisation do?
The following points may help those with little knowledge in information security, or with little access to anyone with knowledge, to know where to start in order to keep themselves secure. It’s not an exhaustive list, and you may need to talk to your IT provider / security team for assistance with some of these.
- Make sure that you have implemented two factor authentication (2FA) for all users, and that they all know how to use it. This helps mitigate the risk of having unauthorised users accessing systems remotely.
- Make sure that all devices have been patched and have antivirus software installed and active. This is often achieved by using Network Access Control to carry out a health check on devices, only permitting access when they meet specific control requirements. Devices are held in quarantine while remedial action is carried out.
- Make sure that your remote access solution has been penetration tested recently, and that any urgent, high or medium issues have been resolved. This helps mitigate the risk that the remote solution is vulnerable to attack by malicious third parties, and helps ensure remote access for legitimate users is maintained.
- Consider stress testing the remote access solution, so that your organisation has a good idea of how many concurrent devices can be connected remotely without adversely affecting performance. It may be necessary to increase the capacity of the remote access solution for the duration of this period, when the number of remote users will be higher than usual.
- Make sure that users know whether they can print when at home / out of the office and, if they are permitted to do so, they need to know how to securely dispose of any sensitive documentation they print off. For example, using a cross cut shredder may be acceptable while putting confidential documents in a recycle bin at home is probably not the sort of behaviour you want to encourage.
- Review your business continuity and disaster recovery plans. Are there key personnel who have to have corporate devices, and others who could be given extra leave instead? It may be that you decide to focus on providing key services to clients and choose not to deliver all services all the time.
- If users are allowed to use personal devices, consider enforcing Network Access Control in the same manner as in the second point above. Also, make a risk-based decision on whether non-corporate devices can be used if they do not have full disk encryption installed. It may be that a temporary waiver can be granted for these extraordinary times, or it may be desirable instead to issue corporate devices to users who don’t usually have one at home, even though the device may not have the full specification the user is used to.
- Consider issuing staff with privacy filters, so that if there are other people in the house / room, confidential data is not visible on screen to all. These are relatively cheap, and are a good idea for staff who often work away from the office anyway.
- Check contracts with clients to confirm whether remote working is permitted, and under what conditions. If it is specifically excluded, talk to clients to develop appropriate acceptable working practices while we deal with the initial outbreak.
As mentioned at the beginning, this is not an exhaustive list, but may help focus on the important things from a business perspective.
What about the individuals?
Now, what about the employees who are now potentially going to work from home for the first time? They will also need support and guidance. As someone who has worked from home for many years, I’d suggest that the following are all points which staff may benefit from knowing.
- If at all possible, create a separate dedicated workspace, ideally in a room where you can close the door at the end of the working day. This will help keep work and personal life separate. Not everyone will be able to do this, so an alternative of setting up somewhere which is out of the normal areas of high use / footfall within the house is perhaps the next best option. For example, it is a good idea not to set up in the kitchen if possible, because other people in the house will regularly come in for food and drink. This will disturb you and could possibly lead to a breach of security if unauthorised people (i.e. family and friends) can see what you are working on.
- Make sure you take regular breaks. In the office you probably don’t think about going to grab a coffee, and working at home is no different. The regular break encourages you to get up and move around, to stretch and perhaps speak to others in the house: this is healthy for you. Take care not to spend all day chatting, obviously, but it’s very easy to fall into the trap of sitting still for hours on end. I have a smartwatch which prompts me to get up and move every hour, and I find that very helpful.
- Try to stick to regular mealtimes, as you would do in the office. Many people go out at lunch to sandwich bars, cafes etc, and it may be that you can’t do that when at home. It’s a good idea to know what your normal lunch break would be and try to repeat it at home, bearing in mind you may have to prepare your food in that time too.
- Make technology work for you. Have video calls / voice calls as necessary. Some people find that switching on video and connecting to several colleagues, then leaving the video running, helps feel like you’re still in the same office. You don’t necessarily have to talk to your colleagues, but some find it helpful just to see and hear other people in the background.
- There’s always a question of whether to have the TV, radio or music on in the same room, or as background noise. That’s a personal choice: some people work well with that additional sound, others don’t. I find that I can’t work when there are those distractions, and I’ve been in offices where the radio is on all day and people seem to be able to work fine with it. Whatever works best for the individual is the right answer.
- Make sure you finish when you normally would, or at least when you would normally get home. It’s really important to have a break between work and personal time, so try to stick to your normal routine in terms of start and finish times.
These are some of my thoughts. I hope they’ve been useful. What works for you?