Three Recommendations to a Secure Remote Working Environment
Remote work is a working option which allows individuals to work outside the designated office of an organization. There are different options of remote work that are applied by organizations. Depending on the size and operations, organizations may allow remote work to an individual or an entire team. Usually, accommodating an individual to remote working is less complex than accommodating an entire team. The models below represent the most common types of remote work:
- Partially Remote Working – This model is convenient for organizations that have the core team working in an office, and a team of remote workers supporting their activities from any location.
- Co-Located Remote Working – This model is usually applied by organizations that have branches or regional offices. These organizations may allow an entire office to be located in the same city or region.
- Fully Remote Working – This model is applied by organizations that operate entirely remotely and usually provide online services and products. These organizations allow employees to work online in the same or different time zones.
Many organizations today can accommodate their employees to remote working due to technology advancements. The growth in popularity of remote work has also impacted these advancements, in terms of fulfilling the technology needs of this workforce. Remote workers have the opportunity to leverage mobile devices, file sharing platforms, communication and collaboration platforms, project management tools and other new technology solutions.
In the past twenty years, the concept of “remote working” has shifted tremendously from only being an option for artists or writers, to also being a work option in the corporate landscape. This type of work also comes with its downsides, which are mainly related to a lack of proper management and security. Remote work that is not properly managed may lead not only to breaches of remote workers’ privacy and personal information, but also to breaches of critical information and the overall security of the organization.
Amidst the COVID-19 crisis, organizations have had to react quickly to adjust their strategy so as to minimize the impact of the situation. Even though the current state has been a challenge for many organizations, they have managed to utilize the technology and tools to support employees working from home. In order to be productive and secure, organizations need to determine the remote work requirements for adequate management and information security.
In this article, we have included three (3) recommendations to manage remote work in your organization on a continuous basis, whether it is a permanent practice or only a method in response to natural disasters or unexpected events.
As many organizations are allowing employees to work from home due to the outbreak of the coronavirus, cybercriminals are using this opportunity to obtain unauthorized access to personal and business accounts. Therefore, maintaining strong IT hygiene is becoming a focal point of every organization willing to operate safely and securely during this period. The security measures that an organization can take depend on its size, operations and IT infrastructure. Organizations can enforce the implementation of the following measures:
- Quality Password Management. Password management is the initial step in preventing unauthorized access to organizational information and information systems. Organizations may create a guideline and procedure on password creation and management. A quality password should have more than eight (8) characters, with diverse letters, symbols and numbers, and not be a dictionary word.
- Multi-factor Authentication. Multi-factor authentication is a security system that verifies the user’s identity by requiring multiple credentials (e.g. username, password, SMS code, biometric verification). Organizations may set up multi-factor authentication on all accounts of employees working remotely.
- Virtual Private Network (VPN). A Virtual Private Network (VPN) is used to establish a secured network from a public internet connection. Organizations may set up a VPN service for employees, which hides the identity and location of the user. Organizations should train remote workers regarding the usage of a VPN and its benefits.
The coronavirus outbreak has changed the way organizations and their employees work, communicate and collaborate with each other. Due to the crisis, the number of phishing scams has increased, as remote workers started to receive suspicious emails from fake health authorities or governmental agencies. To keep employees from getting snared by these scams or other cyberattacks, it is important to invest in information security training as part of the overall business continuity plan. Through this training, organizations can be assured that their remote workers understand the IT infrastructure, possess the necessary knowledge and technologies, and have shifted their mindset to being completely aware of cyberattacks. An effective information security training should include the following topics:
- Remote Working and Business Continuity. The training should provide sufficient insights for employees in order to work effectively in a remote working environment, whether it is sudden, temporary or permanent. Employees should be able to see remote working as a part of the overall business resilience plan of the organization.
- Organizational IT Infrastructure. It is important to train employees on the IT infrastructure that they use every working day. Understanding the IT infrastructure and its basic technical components helps remote workers to apply the organizational practices and rules on information security in an efficient manner, and prevents any information security incident.
- Information Security Practices. The training should provide the minimum requirements and rules to safeguard the IT infrastructure and any information contained in its components. Information security practices may include requirements and rules on awareness and training, access control, user management, network segregation, and other relevant topics. The ISO/IEC 27001 Annex A provides an extensive list of information security controls that can be established and implemented as organizational practices.
Organizations may designate an IT professional to accommodate and support remote workers for any technical matter or issue. An IT professional is responsible for checking the status of all mobile devices and tools used by remote workers to communicate, collaborate or share files. This individual can also assist the organization with the following tasks:
- Monitor the Implementation of Practices. Many organizations have clear processes, policies and procedures on information security management. These practices are enforced by management, and can be monitored by an IT professional.
- Organize Awareness and Training. An IT professional can organize awareness and training sessions on different information security topics relevant to the organization and its IT infrastructure. This can be beneficial for employees, as they can employ such knowledge and tools for any issue that may arise from working remotely.
- Be Available. Organizations should ensure that the contact details of the designated IT Professional are available to all the employees working remotely at all times. The contact details should include the name, email address and telephone number.
Whether remote working is part of an organization’s incident response plan to unexpected events, or it’s a permanent practice, it is essential that business activities and work are performed securely. This is achieved by collectively being more aware of cybersecurity aspects, as well as by employing the right mindset, tools and knowledge to minimize vulnerabilities and cyber threats and to safeguard personal and business data.
Urim Shuku is a Training Developer at TRECCERT, who develops content for training and blog posts mainly in management systems auditing and implementation. Passionate about technology advancements, he combines his knowledge of current trends with the TreccerT vision to create engaging and realistic content for customers and overall audience.
Marigona Krasniqi is the Operations Supervisor of TRECCERT. In this role, she is responsible for managing the accreditation process, optimizing the operating capabilities and employing strategies to ensure customer satisfaction. Highly adept at startup transformation and business growth, Marigona enjoys the challenge of a complex work environment, deploying strategic plans to support business objectives, enhance operational processes and ensure compliance with the accreditation standards.