Creating Secure Remote Access Policies for Hybrid Office Workers
By Gary Lo, VP, Product Management
September 14, 2021
In the first few weeks of 2020 it was still highly unusual for office-based workers to routinely work from home. Some managers might have insisted on secure remote access, some IT administrators would always have had remote access, but the majority of office-based workers accessed work systems inside the office.
That all changed with the Covid pandemic.
Suddenly, work-from-home (WFH) was essential for survival, and every company with office-based employees had to work out not only how best to facilitate secure remote access but also how to ensure that only employees could gain access to enterprise systems.
Many security managers had designed security policies focused on the perimeter of the organization. They built strong firewalls and didn’t worry about the area outside the company because nobody would ever need to remotely access private company information that existed only inside the security wall. The rapid move to WFH created a need to tear up the existing rule books.
The US National Institute of Standards and Technology (NIST) is not a technology regulator, but this federal agency does provide advice on best practice and how to define standards in areas such as information security. An example of North American standards is the HIPAA Privacy Rule. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The sudden wave of millions of new WFH workers requiring secure remote access combined with regulations like HIPAA created a major security headache for network security managers across the world.
NIST suggests that remote access opens an organization to the following types of vulnerability:
- Remote devices using weaker security
- Bring Your Own Device (BYOD) means non-approved devices may be connecting to the enterprise
- Remote devices may be used in hostile environments without any protection
- Remote devices are using untrusted networks
This in turn leads to the threat of communications monitoring and manipulation, and to the exploitation of remote devices, for example through phishing or key-loggers used to obtain confidential information. Remote devices can also be more easily lost or stolen.
Secure remote access opens an organization up to all these additional risks. However, it is likely that a hybrid of WFH and office-based work will now be a feature of working life as we exit the pandemic. This builds organizational resilience, but it does require additional planning, because the WFH phase is unlikely to end as suddenly as it began.
There are some key steps your organization can take, including:
- Review remote access policies: use zero trust principles to build a network that will deter lateral movement, even if breached.
- Extend endpoint security: limit enterprise access to trusted devices or devices using security systems that offer protection from malware and other attacks.
- Improve visibility: watch for unusual access, behavior or lateral movement through networks – use automated warnings to flag suspicious activity.
- Password security: home-based employees hate creating new passwords, and they will usually reuse their personal passwords on enterprise systems, so you need to force strong and unusual passwords on them.
- Phishing: your employees are potentially the weakest link, rather than any physical network security, so educate them and run drills – show them how it can happen when they least expect it.
The requirement for secure remote access is here to stay. Even those companies that are largely returning to normal will be allowing for greater flexibility and more hybrid work. It is essential to plan how to continue securely in this post-pandemic new normal.