Security in Uncertain Times

I have to admit, after six months working from home, living through a pandemic was not on my bucket list. Yet here we are with no end in sight, at least in the short term.  With many companies opting to continue working remotely, one topic continues to stay top of mind – security.

With the valid focus to keep everyone personally safe also comes the obligation to ensure company intellectual property and data remain safe and secure.  As businesses have moved to working remotely, IT staff have been busily working behind the scenes to facilitate the transition.  The initial and necessary focal point was on logistics: allow x number of employees to go home and connect to company systems so they could work.  Then came the need to facilitate and improve remote collaboration using tools such as Zoom and Teams, which resulted in a crash course in installing the software and then learning how to maximize the benefit of the tools.

Equally important, but not always as visible, is ensuring adequate cyber security policies and practices have been put in place to support this overnight change in the way the business works.  In the haste to keep employees safe and get them home, many employees were forced to use their personally owned computers.  Although providing access to company systems and data using a personally owned computer is not technically difficult, securing that access is. Once mom or dad signs off for the day, who else jumps on the machine to play games or, with school now starting, to work on online coursework?

This may seem innocuous enough, but it introduces three words cyber security professionals abhor – lack of control. Who really knows what happens when junior jumps on the computer and starts clicking away? That one click on the Facebook ad or random website just downloaded a malicious virus, which now sits waiting to wreak havoc. The next morning when mom or dad accesses their company systems, bam! The virus has been uploaded to the company system. Not a good day for the employee or the company.

Make no mistake, using a personally owned computer to access company systems is a ‘no no’ that strikes fear in the minds of every IT security professional. The common counter argument is that the employee only accesses web-based systems using the internet, so ‘no worries’. Yeah, you wish. These software-as-a-service (SaaS) applications are very common and growing in number with greater urgency because of the pandemic. NetSuite, Box, Dropbox and Microsoft 365 (or Office 365) are all good examples of SaaS applications. While it is true that using web-based applications can reduce the risk associated with using personal computers, most employees and even companies don’t fully understand all the systems in use, where they are, or where the data is stored. If even one system is ‘open’ or not protected, the security risk is present.

Some companies faced with this very real threat have had to purchase company-owned laptops for employees so that those machines can be ‘locked down’ and limited to secure access to company systems and data. This poses its own financial challenge because these purchases were not budgeted, and large capital expenditures are generally frowned upon in the current financial environment.

Where the work is done

Another important consideration is where the work is done: not where the employee sits, but where the actual processing of the data occurs. One reason web-based applications can be more secure is that the processing work is done in the datacenter where the software is hosted, meaning the data and information is worked on and stays in the datacenter.

A common method to access company systems and data remotely is to create a virtual connection from the employee’s computer to the company systems, commonly referred to as a VPN and often described as a tunnel. Although VPN access can be, and should be, encrypted and secure (secure VPN), it is still transferring data to and from the employee’s computer through the tunnel. VPN software must be loaded on the employee’s computer and ‘set up’ to enable access to company systems. If the employee switches to a different computer without the VPN software, they will have no access. This can become far more difficult to control and manage with personally owned computers.

To address the proximity of workloads, a viable option is to move from a VPN-type design to what is called remote desktop access. Using a remote desktop access design, the company systems and data stay in the datacenter and the employee connects to the systems using a secure encrypted login. In effect, it’s as if the employee is working on a computer in the datacenter itself: the data never leaves, and all the processing is done within the systems in the datacenter.

For this reason, many companies have transitioned to a remote desktop access design to help mitigate the security risks associated with personally owned devices with the added benefit that employees can now use any computer to access company systems because there is no software required on the end-user computer and all the processing is done in the datacenter.  A user may move from one computer to another without disruption.  This design can also be especially important and helpful when dealing with sensitive information.  In healthcare with HIPAA laws, it’s critical for compliance to know where data is at all times, so knowing it stays within the datacenter, not being transferred to and from remote devices, mitigates a huge risk.

In more complex environments we have used our security-as-a-service to deploy security and network hardware to remote locations to ensure standardized security across the organization.  Some companies are using the pandemic in a positive way to address long overdue security risks in corporate, branch and now home offices.

Virtually every business has been impacted by the pandemic, resulting in some degree of change. With change comes the potential for new or enhanced security risks. Assessing your business for these potential risks can prevent a loss in productivity, if not the loss of the business itself. Many companies now use Microsoft 365 (or Office 365) for email, Microsoft Office and other applications, as well as Teams for collaboration. There are enhanced security features available within Microsoft 365 with little or no cost. Enabling enhanced security can mitigate the risks associated with using email and remote applications. Assessing your business security should be an ongoing process and is certainly more essential during these challenging times.

As with many things in technology, there is not one way to do things and there are multiple pieces to the puzzle.  The key is understanding what risks are present in the current ‘way you work’ and creating a plan to deal with them.
