Creating Secure Remote Access Policies for Hybrid Office Workers
By Gary Lo, VP, Product Management
September 14, 2021
In the first few weeks of 2020 it was still highly unusual for office-based workers to routinely work from home. Some managers might have insisted on secure remote access, some IT administrators would always have had remote access, but the majority of office-based workers accessed work systems inside the office.
That all changed with the Covid pandemic.
Suddenly work-from-home (WFH) was essential for survival and every company with office-based employees not only had to work out how best to facilitate secure remote access, but they also had to ensure that only employees could gain access to enterprise systems.
Many security managers had designed security policies focused on the perimeter of the organization. They built strong firewalls and didn’t worry about the area outside the company because nobody would ever need to remotely access private company information that only exists inside the security wall. The rapid move to WFH created a need to tear up the existing rule books.
The US National Institute of Standards and Technology (NIST) is not a technology regulator, but this federal agency does provide advice on best practice and how to define standards in areas such as information security. An example of North American standards is the HIPAA Privacy Rule. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The sudden wave of millions of new WFH workers requiring secure remote access combined with regulations like HIPAA created a major security headache for network security managers across the world.
NIST suggests that remote access opens an organization to the following types of vulnerability:
- Remote devices using weaker security
- Bring Your Own Device (BYOD) means non-approved devices may be connecting to the enterprise
- Remote devices may be used in hostile environments without any protection
- Remote devices are using untrusted networks
This in turn leads to the threat of communications monitoring and manipulation and the exploitation of remote devices – such as phishing or key-loggers to obtain confidential information. Remote devices can also be more easily lost or stolen.
Secure remote access opens an organization up to all these additional risks; however, it is likely that a hybrid of WFH and office-based work will now be featured as we exit the pandemic. This builds organizational resilience, but it does require additional planning – the WFH phase is unlikely to end as suddenly as it began.
There are some key steps your organization can take, including:
- Review remote access policies: use zero trust principles to build a network that will deter lateral movement, even if breached.
- Extend endpoint security: limit enterprise access to trusted devices or devices using security systems that offer protection from malware and other attacks.
- Improve visibility: watch for unusual access, behavior or lateral movement through networks – use automated warnings to flag suspicious activity.
- Password security: home-based employees hate creating new passwords, and they will usually reuse their personal passwords on enterprise systems, so you need to force strong and unusual passwords on them.
- Phishing: your employees are potentially the weakest link, rather than any physical network security, so educate them and run drills – show them how it can happen when they least expect it.
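As an added illustration (not code from this article or from WatServ), the sketch below combines the first three steps into one check over a window of remote-access events: deny untrusted devices, allow only the segments a role needs, and raise automated warnings for cross-segment attempts or unusual host fan-out. The role names, segment names, threshold and event fields are assumptions made up for the example.

```python
from collections import defaultdict

# Illustrative default-deny policy: segments each role may reach (assumed names).
ROLE_SEGMENTS = {"finance": {"erp", "mail"}, "engineer": {"git", "ci", "mail"}}
FANOUT_LIMIT = 3  # distinct hosts per user in one review window before alerting

# Constructed sample events: (user, role, device_trusted, segment, host).
# device_trusted = approved device with endpoint protection running.
EVENTS = [
    ("alice", "finance", True, "erp", "erp-01"),
    ("bob", "engineer", False, "git", "git-01"),    # personal laptop (BYOD)
    ("carol", "finance", True, "ci", "ci-01"),      # outside her role
    ("dave", "engineer", True, "git", "git-01"),
    ("dave", "engineer", True, "ci", "ci-01"),
    ("dave", "engineer", True, "ci", "ci-02"),
    ("dave", "engineer", True, "mail", "mail-01"),  # fourth distinct host
]


def evaluate(events, fanout_limit=FANOUT_LIMIT):
    """Return (decisions, alerts) for one review window of access events."""
    decisions, alerts = [], []
    hosts_by_user = defaultdict(set)
    for user, role, device_trusted, segment, host in events:
        # Endpoint security: untrusted devices never reach enterprise systems.
        if not device_trusted:
            decisions.append((user, host, "deny", "untrusted device"))
            continue
        # Zero trust: a role reaches only its own segments; a miss is also
        # worth a warning because it looks like attempted lateral movement.
        if segment not in ROLE_SEGMENTS.get(role, set()):
            decisions.append((user, host, "deny", "segment not allowed"))
            alerts.append((user, "cross-segment attempt: " + segment))
            continue
        decisions.append((user, host, "allow", "policy match"))
        # Visibility: warn once when a user first exceeds the host limit.
        new_host = host not in hosts_by_user[user]
        hosts_by_user[user].add(host)
        if new_host and len(hosts_by_user[user]) == fanout_limit + 1:
            alerts.append((user, "host fan-out above limit"))
    return decisions, alerts


if __name__ == "__main__":
    for line in sum(evaluate(EVENTS), []):
        print(line)
```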
The requirement for secure remote access is here to stay. Even those companies that are largely returning to normal will be allowing for greater flexibility and more hybrid work. It is essential to plan how to continue securely in this post-pandemic new normal.