Keeping staff safe when working from home
Mobile and home working – as in working on other sites remote from the main place of business – is a growing trend, enabling businesses to become more agile and provide more flexible working patterns. Because mobile and home working normally requires access to office systems and business processes from remote locations, it is necessary to protect this access from unwanted attention by ensuring it is secure at all times.
There are many ways to connect a remote computer, such as a laptop, home-based computer or mobile device to the company network. Each has its own security challenges.
- Virtual private network (VPN).
- Remote email access.
- Windows Remote Desktop.
- Third party remote desktop tools such as Citrix, PCAnywhere or GotoMyPC.
- Somebody eavesdropping on your information – as information travels over the public internet.
- Unauthorised access.
Safe mobile and home working
The size of your organisation, the nature of its business and the complexity of tasks and access involved whilst working away from the business premises, will determine how to set up and use remote and mobile working. If you are a small company whose employees need only occasional access to files, it can be quite simple to set up effective and safe remote working. For larger organisations with multiple remote workers requiring access to customer relationship management (CRM) systems, for example, it is probably better to engage a professional IT partner or employ an in-house specialist to specify and implement a safe, effective and reliable solution.
- A VPN is a secure communications link between office and remote workers. It is essentially an extension of the secure office network, using a secure channel within the public internet to connect. You can link to the business network and email using public Wi-Fi as long as it is via your VPN.
- For other remote connection methods including browser-based applications, make sure that the link is securely encrypted as follows:
- There should be a padlock symbol in the browser window frame that appears when you attempt to log in or register. Be sure that the padlock is not on the page itself.
- The web address should begin with ‘https://’. The ‘s’ stands for ‘secure’.
- Remember that in security terms it is preferable to use a slower 3G or 4G connection than a faster non-secure Wi-Fi network.
- Ensure that home routers used for any business purposes are protected using WPA2, unless all data is sent and received by VPN.
- Ensure that you have a secure network, including an effective firewall to keep out unwanted connections.
- Restrict unauthorised physical and electronic access to your firewall, VPN router, administrator accounts and servers.
- Ensure that all users have strong passwords, do not share them with anyone else or store them where they can be accessed.
- Consider using biometric security such as fingerprint scanners and/or token-based authentication.
- Make sure that employees who have remote access do not store their login details on their computer or other devices.
- Instruct employees not to store sensitive company information on remote computers or mobile devices.
- Instruct employees to log out when they have completed their session. Merely closing the window or powering down the device may not be sufficient.
- Do not enable ‘remember me on this computer’ features.
- Delete remote access privileges once they are not needed. For example, do not let employees or contractors who have left the organisation retain access to your network.
- Maintain an audit trail of who has logged in, and when.
Protect your network
- Review firewall and other server logs to monitor remote access. Watch for unusual activity.
- Ensure that the system is regularly tested for vulnerabilities (known as ‘penetration testing’) and any loopholes closed.
- Ensure that you keep your firewall and VPN software up to date to protect against evolving threats.
- Many remote desktop programs rely on installing a client program on an office computer. This creates a tunnel through the firewall. Do not allow employees to do this on their own initiative. Control which programs are used and how they are installed.
- Control access to critical information.