August 24, 2023
Device security and remote working
Remote working has now become a convenient, efficient and even necessary practice for many companies. But there are cybersecurity rules that must be implemented to avoid putting your own or your customers' sensitive information at risk.
It is not just a matter of establishing a security strategy and infrastructure. It is also about following best practices in cybersecurity to ensure not only information protection, but also regulatory compliance.
The following are the most important aspects to be taken into account, both from an organisational and user perspective.
On the organisational side
Devices and their connections must be maintained under an overall strategy aimed at protecting data on the servers, as it travels through the network, and at endpoints. On the organisational side, the main elements of such a strategy would be:
- To define and implements a corporate cybersecurity policy. The organisation should require all employees to accept and sign the cybersecurity policy, regardless of whether they work remotely or not. This policy should cover all security protocols that employees are expected to comply with, and how the company will assist them in complying with them.
- Assignment of devices. From the outset, infrastructure must be able to integrate new devices and assign them to the appropriate user quickly and effectively. They are normally based on a request and allocation procedure for mobile devices.
- Registration. The allocation system should be complemented by an active registration and inventory system that not only allows for recording of allocated mobile devices (what device is allocated and to whom it is allocated), but which also better responds to the needs of staff. These systems also allow the use of the device to be recorded.
- Maintenance. Maintenance of the devices should only be undertaken by the responsible department. Individual users should be prohibited from making changes to the hardware, installing software, or modifying the configuration of the equipment without authorisation from the technical department.
- Data storage. A corporate cybersecurity policy should include control and prevention mechanisms for data storage on terminals. Corporate information that is not strictly necessary for the performance of the individual user's tasks should not be stored on the device. If information is to be accessed from multiple devices, it needs to be synchronised to avoid duplication and versioning errors.
- Handling of confidential information. In recent times, this would have been a mere recommendation. But today, it is an obligation on the part of all companies to act in accordance with legislation such as the GDPR. All confidential information must be stored in an encrypted form. It is also good practice to use a standardised termination system, so that information is securely disposed of at the end of its life cycle.
- Employee training. This is not just about unintentional errors. In the current context of remote working, social engineering is put to work to make attacks by deception, Phishing, vishing, and CEO fraud. In light of this, an effective employee training programme is key to keeping devices secure. It is advisable to implement effective training programmes which ensure that employees apply best practices, and to complement this training with ongoing awareness-raising.
Smart workplace
We help companies to foster a work culture based on collaboration, flexibility and security, empowering professionals and improving their productivity in a digital context.
On the user side
Remote working does not have to compromise data security. All it requires is that remote workers are educated and that cybersecurity procedures are implemented to avoid privacy and security risks.
- Responsibilities. The user is responsible for the portable or mobile equipment provided, and must therefore guarantee the security of both the equipment and the information it contains. The user shall apply the rules set out in the Workstation Use Policy.
- Transport and custody. Equipment must not be exposed to high temperatures that could damage its components, and users must prevent access to the information stored in the equipment. In case of theft or loss of the equipment, the responsible technical personnel must be notified immediately.
- Secure connections. The use of unsecured Wi-Fi networks is the most common way to expose a company to a data security breach. The easiest solution is to enable a virtual private network (VPN). Using VPN before logging on to public Wi-Fi networks will encrypt the remote worker's Internet traffic and monitor for any signs of infection.
- Passwords. Educating remote workers about password protection is essential to protect company data. Another way to mitigate this risk is to use a password manager that generates passwords and stores all passwords securely.
- Security applications. Firewalls, antivirus, IDS/IPS, organisations should require remote workers to have protection applications such as firewalls, antivirus and anti-malware software, always up to date on all their devices, including mobiles, tablets and laptops.
- Notification in the event of infection. We can see from all of the above that user collaboration is a key element in securing remote working. If a virus or other malware infection is suspected, the responsible technical personnel should be notified as soon as possible.
Technologies
In recent years, and especially in the wake of the COVID-19 pandemic, various technologies have been developed to protect the information of people working remotely. Device manufacturers, cybersecurity companies, and the creators of operating systems have all contributed to this. These include the following.
- BIOS protection. Corporate laptops should have password-protected access to the BIOS to prevent user modifications to the configuration.
- Encryption. Chat programs, email, applications - everything should use end-to-end encryption. The best thing is to use multi-factor authentication (MFA), which verifies a user's identity by first requesting a username and password, as well as other information such as "answer to a secret question" or a code sent to a mobile phone.
- Virtualised applications. With the application virtualisation option, users can run an application on a device that is not installed on the computer. The application is run by a package containing the necessary configurations.
- Data backup in the cloud. Measures must also be taken to ensure that the information stored in the cloud remains secure. A verification system can be activated so that every time the user wants to access the cloud, a text message is sent with a code that must be entered in order to log in.
- Location software. In the event that it is deemed necessary to install or activate any location software, the user of the device will be informed prior to delivery of the device. The user to be geolocated must sign a document accepting this condition.
- Deletion of data. Remote wiping of devices in case of loss or theft can also be considered. Mobile Device Management (MDM) platforms can perform these services.
Collaboration and productivity
Get a smart workplace that is ready for today's needs and tomorrow's challenges.
Ethical and legal considerations
Mobility in business has brought with it the need for new management models. MDM (Mobile Device Management) tools enable the installation and updating of operating systems and applications, even encapsulating their use in isolated networks. They also allow you to track devices by GPS, or detect and notify when a device is at risk, or remotely lock or wipe its content. They also allow the incorporation of identity and access management (IAM) mechanisms by forcing the application of specific password management policies. Even antivirus, NAC access control or cloud security services can be activated.
But here's the dilemma: Having mechanisms in place to access corporate mobile devices is of paramount importance, but... Is it lawful to access the device's content? Is it legal to monitor geolocation? Can user activities be monitored? Yes, in principle, if employees have been notified in advance about the use and control that the company may exercise when it transfers equipment owned by them and about the type of data processing that will be carried out. And of course, full compliance with current data privacy regulations must be provided.
But this is not a simple issue. Even less so now that it is also possible to implement Out of Band systems, which allow devices to be controlled even when they are switched off. This is an aspect to consider because it affects the manufacturer and implies practically absolute control over the equipment. For example, Intel provides its Intel vPro solution; Apple, meanwhile, offers LOM (Lights Out Management) services to turn on and off its equipment using digital certificates.
In any case, there is no doubt that remote working is an essential option for any organisation, and that security is a key aspect not only to avoid loss of information and reputation, but also to ensure regulatory compliance.
Share