Remote and mobile working: security procedures for out of office
All large professional services organisations have considered remote working for their teams. You might be a large law firm offering one day a week working from home, or a finance house with a client-facing team that’s on the move. Maybe you’re an HR Director who’s noticed how few people are in the office at any one time. Rather than maintaining a desk each, couldn’t you reduce office costs by downsizing to hot-desking and remote working? There’s even talk that Brexit will increase the likelihood of satellite offices in the UK, where the team accesses information from offices elsewhere on the continent.
So mobile or remote working is desirable and possible. But in the excitement of remote working being technically possible, the security implications of being outside the real and fire walls of the office can get missed. It needs to be on your radar because it exposes new risks that need to be managed. It’s not just online and in the ether, but in real life also. Leaving your laptop in the coffee shop or on the train is more likely to happen when your workers, the data and their hardware are mobile.
Organisations need to adopt sound remote access practices and encourage workers to think about the technical and non-technical security issues that being out of the office presents. Through education and guidelines, corporates can help their workers manage the risk of a breach and mitigate the impact.
Users can be educated on some of the non-technical risks:
Overhearing and open screens.
Remote workers need to be aware of their surroundings; who is around or behind them? Coffee shops aren’t just full of stay-at-home mothers. These days they’re just as likely to be full of remote workers. Maybe even your competitors. Being overheard or having your screen watched can compromise sensitive information like authentication credentials, so use privacy filters on your screen.
It might be tempting, but never leave your computer without locking it. In fact, don’t leave your computer at all; especially not on the train. An unattended laptop can be vulnerable to tampering, where the security controls are subverted with malicious software or hardware. All the user activity on the device can then be monitored.
The organisation should also establish secure remote access and mobile working practices. This can involve:
- Reviewing the corporate incident management plans to include mobile devices and activity.
- Implementing technical processes to remotely disable a device or deny it access to the corporate network.
- Protecting data in transit with a VPN or HTTPS and protecting the data at rest through laptop encryption. This should be done before the hardware leaves the office.
- Understanding data classification and handling procedures. Outline what constitutes sensitive data and the type of information that can leave the office. Ask users to minimise the information they store. Then outline the vulnerabilities of public wi-fi and help users to identify legitimate wi-fi connections.
- Ensuring all home peripherals are qualified with the office.
Whether saving on the cost of space, getting the work done when the team is travelling or just offering flexibility as a perk, over 4m UK workers work remotely and that figure has been rising since 1998. Most of those workers will be accessing information from the office and carrying around data on mobile devices. If they’re in your organisation, it’s time to get your remote working security practices in order.