Remote Working

Remote working has always exposed an organisation's cyber security to new risks, and the majority of organisations will already have experience of creating processes to mitigate them. The recent pandemic has accelerated the digital transformation to a remote workforce and has changed the threat landscape that organisations need to protect themselves against. Previously, cyber security was cocooned in an office space, with layers of protection such as firewalls, endpoint protection and centrally updated systems. Remote working disperses users, creates new vulnerabilities and requires an evolution of all policies and technical controls.


What is the risk?

The increase in remote working for all organisations has expanded their boundaries from a static location to multiple locations. Whilst there was risk previously, this major shift means that organisations struggle to support remote working at such a scale. It is in these types of uncertain environments that potential cyber security incidents are rife.

Organisations that don’t establish appropriate remote working practices may become vulnerable to the following risks:

  • Unauthorised access – whether it comes from using default credentials on devices, falling victim to a phishing email or failing to update applications to the latest supported versions, cyber criminals gaining unauthorised access to any aspect of your organisation can have major implications.

  • Lack of user visibility – with the workforce working remotely, organisations may not be able to monitor user activity. Not only can this impact productivity, but it could also mean that employees become insider threats to your cyber security strategy.

  • Poorly protected home networks – the average UK home is not going to have the same security controls in place as an organisation, which will make it easier for an attacker to target.

  • A disconnected workforce – a major risk that comes with remote working is that your users' awareness of cyber security threats may reduce. In a comfortable environment, without a “corporate hat” on, are they less likely to adhere to all processes in the same manner?


How can the risk be managed?

Assess the risks and create a mobile working policy

Assess the risks associated with all types of mobile working and remote access. The resulting mobile security policy should determine aspects such as the processes for authorising users to work off-site, device provisioning and support, the type of information or services that can be accessed or stored on devices and the minimum procedural security controls. The risks to the corporate network or systems from mobile devices should be assessed and consideration given to an increased level of monitoring on all remote connections and the systems being accessed.

Educate users and maintain awareness

All users should be trained on the use of their mobile device for the locations they will be working in. Users should be supported to look after their mobile device and operate securely by following clear procedures. This should include direction on:

- secure storage and management of user credentials

- incident reporting

- environmental awareness (the risks from being overlooked, etc.)

Apply the secure baseline build

Develop and apply a secure baseline build and configuration for all types of mobile device used by the organisation. Consider integrating the security controls provided in the End User Device guidance into the baseline build for mobile devices.

Protect data at rest

Minimise the amount of information stored on a mobile device to only that which is needed to fulfil the business activity that is being delivered outside the normal office environment. If the device supports it, encrypt the data at rest.

Protect data in transit

If the user is working remotely, the connection back to the corporate network will probably use the Internet. All information exchanged should be appropriately encrypted. See Using IPsec to Protect Data and Using TLS to protect data.

Review the corporate incident management plans

Mobile working attracts significant risks and security incidents will occur even when users follow the security procedures. The incident management plans should be sufficiently flexible to deal with the range of security incidents that could occur, including the loss or compromise of a device. Ideally, technical processes should be in place to remotely disable a device that has been lost or at least deny it access to the corporate network.