How to Keep Work Safe When Telecommuting Replaces Office
Working from home is a logical response to the circumstances that emerged because of the COVID-19 pandemic. But, are we all really ready to work from home and from other places where we have the opportunity to connect to our company systems via the Internet, that is, public networks, and work the same as sitting in our office, at our desk?
What could be wrong with that? Well, for many, just about everything…
Risks of Telecommuting
The company’s internal systems have been built and adjusted over the years, taking care to be stable and secure. Suddenly, overnight, employees are no longer in their offices but at their homes or in some other places where there’s an Internet connection. Of course, they’re expected to be productive and perform their tasks as well as if they were in their usual working places.
Such work outside the company’s offices can seriously jeopardize the security of the organization’s data and information systems. These risks are incomparably greater in times of crisis, such as natural disasters, earthquakes, riots or states of war, and even in times of epidemics such as now.
Some of these risks include:
- Unauthorized physical access to devices that access systems and data.
- Disclosure of information for access to the system (so-called social engineering or electronic “eavesdropping” of communication).
- The use of devices outside the company’s premises significantly increases the possibility that these devices will be “infected” with malware.
- Difficulties in establishing a secure communication channel.
- Poor or insufficient protection of access to key parts of the system and sensitive data.
How to Protect Yourself?
You need to take care of 3 basic things:
- Security of device you access
- Communication security
- Data security itself
Working from home often involves more than just using devices from the company we work for, which should have antivirus detection software installed and data security systems stored on those devices (such as encrypting the data contained on devices and/or partitions and directories accessed with special credentials).
The use of other devices, such as mobile phones, tablets, or home computers used by other household members, especially children, can be very dangerous and their use should be completely excluded or minimized.
VPN as a Solution for All Problems
VPN these days is a magic word that solves all problems when it comes to working outside the company’s premises. Yes, a VPN allows secure data exchange between remote systems and the computers that access them, but it also has its weaknesses. Even well-known manufacturers of equipment and software solutions for establishing VPN connections have faced security vulnerabilities in recent years.
Many small businesses use low-cost networking equipment that also has VPN functionality. Most of these devices are made for home use to provide basic protection for access to networked devices in the house (cameras, heating systems, air conditioning systems, lighting …).
To make things worse, many of the weaknesses of these devices and the ways to abuse them have long been known and are available to everyone, not just experts. If you’ve already enabled VPN access to your organization’s system, install the latest software that resolves known security issues.
If your device allows you to select VPN communication encryption algorithms, choose the one that gives you the highest level of security. This will inevitably slow down the speed of communication, but with modern devices and fast Internet links, the slowdown won’t be an obstacle to get the job done without any problems and your organization’s systems and data will be much more secure. Limited access device resources can be a problem, but only if a large number of users connect to the system at the same time.
Access Control
And last but not least important component of maintaining system and data security is access control. When working from the office, users have different access rights to data and applications and this is mostly addressed by rules at the level of the operating system, DC (domain controller), or some other access control system.
In most cases, this is sufficient protection because all, or the vast majority of users, work within the environment for which access rules are set. Remote work requires the establishment of the same rules but in the new situation, access points are exposed to possible hacker attacks and they will, once inside, know how to bypass those rules and access your confidential data.
If the equipment you use for the VPN connection allows this, turn on multi-factor authentication and filtering of IP addresses from which access is allowed. You can find out your IP address and hide it at https://nordvpn.com/what-is-my-ip/. Segment your internal network and disable access, except with special credentials, to those segments that are most important to the functioning of your organization and that contain the most sensitive data whose endangerment or destruction jeopardizes the survival of the company.
Quality and up-to-date antivirus programs, network segmentation, regular and secure backup, and monitoring of traffic, especially the one coming out of your system, are necessary elements to raise system security to a sufficient level for most companies. System and data integrity and security should always come first.
Photo by Jacky Chiu on Unsplash