New technologies allow employees to work remotely, from home or on a business trip. Teleworking is a growing habit thanks to the increased use of mobile devices such as tablets, mobile phones and laptops, as well as cloud storage, in the professional environment.
One of the most important aspects to consider is the connection itself. Employees should not connect to free WiFi, especially in train stations and airports. These networks are too often used by attackers to disseminate malicious software, targeting the organisation or company through its employees.
No matter where you are outside the company, though, it is important to use a Virtual Private Network, also called a VPN. This tool allows the user to create a direct and secure connection between the device and the company’s internal network, essentially imitating a computer plugged into the company’s network. The data received and sent by the employee is thus protected, and access to internal resources can be granted.
The software that provides the VPN service must be chosen with the utmost care, kept up to date and configured carefully. When connecting to the VPN, clients should be authenticated using asymmetric encryption, not only a login and a password. Prefer a well-known, ideally open-source, easily auditable solution such as WireGuard. More information about VPNs and how to use them can be found on our YouTube channel.
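WireGuard identifies each client by its own public key, so one concrete form of "configured carefully" is checking the server-side peer list. The following is an added example, not code from this page or from the WireGuard project; the sample config, placeholder key, addresses and peer names are constructed, and the two checks (one key per device, one address per peer) are an assumed policy.

```python
import base64
import ipaddress

# Constructed sample: placeholder key, addresses and peer names, not real values.
KEY_A = base64.b64encode(b"\x01" * 32).decode()
SAMPLE = f"""[Interface]
ListenPort = 51820
[Peer]  # laptop-alice
PublicKey = {KEY_A}
AllowedIPs = 10.8.0.2/32
[Peer]  # laptop-bob: reuses alice's key and is allowed a whole subnet
PublicKey = {KEY_A}
AllowedIPs = 10.8.0.0/24
[Peer]  # tablet-carol: the key field is not a key
PublicKey = not-a-key
AllowedIPs = 10.8.0.4/32"""

def parse_peers(text):
    """Return one dict of lower-cased settings per [Peer] section."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("["):
            sections.append((line.lower(), {}))
        elif sections and "=" in line:
            name, value = line.split("=", 1)         # base64 padding stays in value
            sections[-1][1][name.strip().lower()] = value.strip()
    return [body for header, body in sections if header == "[peer]"]

def valid_key(text):  # a WireGuard public key is 32 bytes, base64-encoded
    try:
        return len(base64.b64decode(text, validate=True)) == 32
    except ValueError:
        return False

def audit(config):
    """Return (peer_number, problem) tuples; ValueError on unparsable AllowedIPs."""
    findings, seen = [], set()
    for n, peer in enumerate(parse_peers(config), 1):
        key = peer.get("publickey", "")
        if not valid_key(key):
            findings.append((n, "missing or malformed PublicKey"))
        elif key in seen:
            findings.append((n, "PublicKey shared with another peer"))
        seen.add(key)
        for net in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            if ipaddress.ip_network(net, strict=False).num_addresses != 1:
                findings.append((n, f"AllowedIPs {net} is wider than one address"))
    return findings
```

Calling `audit(SAMPLE)` reports the shared key and the /24 range on the second peer and the malformed key on the third.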
As always, the endpoints remain a major weak point. The best VPN service is useless if an employee connects to it with an infected computer. Employees’ computers must be protected with an up-to-date antivirus. Otherwise, the VPN offers only an illusion of security and becomes a secure, trusted channel for ransomware, for example.
Before an employee starts teleworking, the IT team, or the person in charge of security, has to set up the device correctly. The following tasks have to be done:
The value of teleworking lies in employees’ ability to accomplish their tasks without having to be at their desks. It might be reassuring for the management to set a detailed security policy with high security requirements. However, it is more efficient to focus on basic rules that the employees understand well; they also have to understand the reasons for a security measure and the consequences of cyberattacks. To achieve this, the employees have to be trained often by in-house or external information security professionals.
Additionally, some rules must be set and respected by everyone. Here are some examples:
As the practice of teleworking grows, it is important to give employees the necessary guidelines if one is to follow that trend. Most security problems come from employees who have not been trained enough or do not understand the consequences of their behavior. It is also possible to minimize the threat of non-compliance by involving employees in the process of creating the information security rules and guidelines.
“Teleworking begins to gain popularity with connections becoming increasingly better. Most of the companies are mature enough to have a VPN protecting their data and communication when working from outside the company network: it can be really dangerous without. However, most only concentrate on the technical matters and forget that the human factor is the weakest link in the security chain. The rules and guidelines should be clearly defined, understood and signed, and, additionally, an explanation of the consequences should be given and employees should be properly prepared to know how to use the technology.”