Teleworking: How to secure your employees wherever they are

New technologies allow employees to work remotely, whether from home or on a business trip. Teleworking is a growing habit thanks to the increased use of mobile devices such as tablets, mobile phones and laptops, as well as cloud storage, in the professional environment.

One of the most important aspects to consider is the connection itself. The employee should not connect to free WiFi, especially in train stations and airports. These networks are too often used by attackers to disseminate malicious software, targeting the organisation or company through its employees.

No matter where you are outside the company, though, it is important to use a Virtual Private Network (VPN). This tool creates a direct and secure connection between the device and the company’s internal network, essentially imitating the computer being plugged into the company’s network. The data sent and received by the employee is thus protected, and access to internal resources can be granted.

The software used to provide the VPN service must be chosen with the utmost care, kept up to date and configured carefully. When connecting to the VPN, clients should be authenticated using asymmetric encryption and not only a login and a password. Prefer a well-known, ideally open-source and easily auditable solution such as WireGuard. More information about VPNs and how to use them can be found on our YouTube channel.
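
As an added illustration of "configured carefully" (this is not code from CASES or from the WireGuard project), the following Python sketch audits a WireGuard client configuration before a laptop leaves the office. The checks reflect an assumed policy: the file is private to its owner, both sides are identified by 32-byte keys, and all IPv4 traffic is routed through the tunnel. The keys and the host vpn.example.com are constructed placeholders.

```python
import base64

def parse(text):
    """Return [(section_name, {key: value})] from wg-quick style text."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def is_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value or "", validate=True)) == 32
    except ValueError:
        return False

def audit(text, file_mode=0o600):
    """Return a list of findings; an empty list means the assumed policy is met."""
    findings = []
    if file_mode & 0o077:  # any group/other permission bit set
        findings.append("config file readable by other users")
    sections = parse(text)
    iface = [s for name, s in sections if name == "interface"]
    peers = [s for name, s in sections if name == "peer"]
    if len(iface) != 1 or not is_key(iface[0].get("privatekey")):
        findings.append("no valid client private key")
    if not peers or not all(is_key(p.get("publickey")) for p in peers):
        findings.append("peer missing or without a valid public key")
    routes = {r.strip() for p in peers for r in p.get("allowedips", "").split(",")}
    if "0.0.0.0/0" not in routes:  # assumed policy: full tunnel on untrusted networks
        findings.append("split tunnel: not all IPv4 traffic uses the VPN")
    return findings

# Constructed sample input: the keys are dummy values, not real credentials.
KEY_A = base64.b64encode(b"\x01" * 32).decode()
KEY_B = base64.b64encode(b"\x02" * 32).decode()
GOOD = f"""[Interface]
PrivateKey = {KEY_A}
Address = 10.0.0.2/32
[Peer]
PublicKey = {KEY_B}
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""
WEAK = GOOD.replace("0.0.0.0/0, ::/0", "10.0.0.0/24").replace(KEY_B, "changeme")
```

Calling audit(GOOD) returns no findings, while audit(WEAK, 0o644) reports the world-readable file, the invalid peer key and the split tunnel.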

Devices must be prepared in advance

As always, the endpoints remain a major weak point. The best VPN service is useless if an employee connects to it with an infected computer. Employees’ computers must be protected with an up-to-date antivirus. Otherwise, the VPN would be an illusion of security and would become a secure and trusted channel for ransomware, for example.

Before an employee starts teleworking, the IT team, or the person in charge of security, has to set up the device correctly. The following tasks have to be done:

  • Every hard drive which contains confidential data should be encrypted whenever it goes outside the company; ideally, it would be permanently encrypted if there is a possibility it will leave the company premises at some point in time.
  • Provide a specific “travel laptop” for business trips, with minimal configuration, files and access, and the maximum protection possible.

Communication and training are the keys

The value of teleworking lies in the ability of employees to accomplish their tasks without having to be at their desk. It might be reassuring for management to set a detailed security policy with high security requirements. However, it is more efficient to focus on basic rules that are well understood by the employees; they also have to understand the reasons for a security measure and the consequences of cyberattacks. To achieve this, the employees have to be trained often by in-house or external information security professionals.

Additionally, some rules must be set and respected by everyone. Here are some examples:

  • Adapt security level to each employee’s requirement. Discussions about confidential data should be limited to conversation partners that also have access to that same data, and no one else.
  • Warn employees to be very cautious about who could see their device’s screen, and not to display confidential data (such as database information, contracts or sensitive emails) in public.
  • If the laptop is unused, the session must be locked.
  • Do not connect to any public, unknown or unchecked network. Creating a fake WiFi network and thus deceiving someone is relatively easy. You should mostly use the roaming from your phone in order to have a more secure network, and use a VPN.
  • Define the responsibilities and the rules so that, if some material is stolen or forgotten, the employee will notify their security contact quickly.
  • Everyone has to know that devices must never be left unattended. An anti-theft cable can also be used to decrease that risk.
  • Remote access software (like TeamViewer) should be used very carefully and only by authorized employees. It always has to be updated, and only used in case of absolute necessity. More precisely: letting it run constantly so that the computer can be accessed at any time brings risks similar to opening a backdoor.

As the practice of teleworking grows, it is important to give employees the necessary guidelines if one is to follow that trend. Most security problems come from employees who have not been trained enough or do not understand the consequences of their behavior. It is also possible to minimize the threat of non-compliance by involving employees in the process of creating the information security rules and guidelines.

CASES Expert Voice

“Teleworking is beginning to gain popularity, with connections becoming increasingly better. Most companies are mature enough to have a VPN protecting their data and communication when working from outside the company network: it can be really dangerous without one. However, most only concentrate on the technical matters and forget that the human factor is the weakest link in the security chain. The rules and guidelines should be clearly defined, understood and signed, and, additionally, an explanation of the consequences should be given and employees should be properly prepared to know how to use the technology.”
