Remote access for employees has always been a necessary option for most businesses. This can be beneficial for productivity, employee retention, and mobility, but it does not come without risks. Now, more than ever, it is important to define what the corporate policies are surrounding remote access, what risks are associated with this access, and what technologies or processes can be put in place to mitigate these risks.
Define Corporate Policies
The first step in establishing a secure remote workforce is to define what is deemed to be acceptable practices. It’s best to define these practices in a formal corporate policy. This can be done in an AUP (Acceptable Use Policy or separate remote access policy). The following items should be defined:
- The method and tools used to connect to secure corporate resources
- The devices allowed to be used for remote access
- What is accessible on the corporate network
- The process to approve who is allowed to gain remote access.
Along with corporate policies, business processes need to be defined. This includes how to exchange information with customers, what applications are used and where information is allowed to be stored.
Salespeople should be prohibited from requesting that personal information be sent via text to their cell phone or sent by email. Texts and emails from salespeople should include a link to the dealership’s secure upload application. For example, the salesperson’s text or email could provide: “Please do not send personal information via text or email”.
Remote Connectivity to Corporate Resources
There are a variety of applications and methods for employees to use to access corporate resources. Some resources and systems are only accessible when connected to the corporate network, while others are accessible from anywhere with an Internet connection. The key systems to consider are DMS, CRM, file sharing, HR systems, credit or banking systems, and any application or system that would contain sensitive customer information or any data that would be detrimental to the organization if accessed by unauthorized parties. All of these systems need to be considered and a plan should be established for how to protect the data and how each system can be accessed remotely by employees.
VPN – A virtual private network is a technology used to securely connect remote workers to corporate networks allowing for a “local experience” for the remote resource. A VPN encrypts the traffic between the remote endpoint and the corporate network so that data will travel privately and will be protected from unauthorized access.
A VPN is needed for remote workers to access systems that are not available outside of the corporate network. This might include DMS systems, file repositories, or other applications installed on internal corporate resources. Internal resources can be excluded from remote VPN access if necessary. It is best practice to limit the number of users that are allowed to connect through a VPN. Only essential employees that need access to systems that cannot be natively accessed outside the corporate network should be granted VPN access. For employees that do this for long periods of time it is best to supply corporate-controlled endpoints with the proper protections in place for remote use.
Externally Accessible Applications – Many resources are moving to cloud hosted systems and no longer live inside the corporate network boundary. These applications include CRM systems, email systems, file sharing, HR systems, DMS systems, etc. Many applications are currently set up in this manner or will be moving to the “cloud’ in the near future. These applications may not be controlled by access to the corporate network but there are still risks to consider and access controls to put in place.
General Security Risks
With either of the two above scenarios there are general risks with providing remote access that must be considered. There’s also a number of ways to mitigate these risks and protect your corporate data.
User-credential- related risks – This may be the largest risk that an organization faces with remote access to corporate resources. Many systems are accessible through the traditional username and password authentication. This can become a problem for many reasons. Credentials can be falsely obtained through social engineering scams like phishing, malicious software such as keystroke logging, brute force attacks, or just general carelessness with credentials. Many employees struggle with keeping passwords secure due to the amount of disparate systems and the number of credentials that have to be maintained. This is a risk for all systems, CRM, DMS, Email, Service Apps, etc.
How to Mitigate Risk:
- Strong user authentication – this includes both strong passwords and the use of multi-factor authentication. Most systems are capable of MFA and can be set up to enable this feature. MFA is one of the best ways to protect access and reduce risk with a remote workforce. This can be applied to both VPN connectivity and external cloud-based application.
- Employee Security Awareness Training – there will always be new emerging threats and technologies can only protect up to a point. Continually educating your workforce to be aware of current threats and techniques is a must to maintaining a sound security posture.
- Setup SSO and federated access between applications for security and simplicity (this requires vendor cooperation and software but can be accomplished with many web applications).
Spread of malicious software – This threat is mainly for remote VPN access. Remote access is a major threat vector to network security. Every remote computer that does not meet corporate security requirements may potentially forward an “infection” from its local network environment to an organization’s internal network. Once a remote computer is allowed access to the VPN, it becomes an extension of your organization’s network.
How to Mitigate Risk:
- Key employees that work from home and need VPN should be provided corporate-controlled devices with the proper software and protections. This should be defined in the corporate policy.
- Internal network protections established. Endpoints inside the network are protected with endpoint device hardening (properly configured security policies), host-based firewalls to protect any traffic from untrusted public networks, and proper anti-malware software across all corporate endpoints.
File sharing, email and client communication – Other security considerations for remote workers is how to protect corporate assets shared between remote workers and how to communicate and transfer customer files securely and have a ‘paper trail’. Many Cloud applications such as Microsoft’s Office 365 offer tremendous advantages for productivity and collaboration but they can also be used to improve the security of internal assets. These are systems that can be used to design secure processes around. Questions such as, what are the proper methods to retrieve or send documents to customers?
Office 365 applications protect data with encryption and the data is protected at rest and can be securely uploaded by external users. There are numerous scenarios for utilizing these applications, but they must also be protected similarly to other web applications. MFA should be enabled for all users in Office 365. This can be enabled on almost any Office 365 plan.
How to protect data in Office 365 applications:
- Lockdown OneDrive sync clients to not allow local copying of user files to non-domain endpoints
- Email encryption for select users that send sensitive files over email
- Office Multi-Factor Authentication (MFA) for all users
- Data Loss Prevention to prevent sensitive data exfiltration
- Data classification labels on documents
For more information or help, contact your IT team or give us a call.