Indications are that remote working was able to reduce
the financial impact for those companies that have enabled it, but
very few small and medium businesses have the budget or technical
ability to implement and manage secure virtual private networks
(VPNs) with sophisticated network access control.
Remote working - how risky is it and what can small
businesses do to enable it securely?
Even large organisations struggle to secure
remote working - and that is with multi-million pound budgets,
24x7 support and dedicated technical teams. Small businesses are
exposed to the same risks, may not have any of these controls, yet
would still like the flexibility and convenience that remote
working offers them.
All is not lost - many small organisations do not need to
provide full network functionality remotely - access to e-mail will
often suffice. Secure remote working can be achieved on a small
business budget and skill set by understanding the risks to your
business information and selecting components and controls that
best mitigate them.
A good starting point is to identify the applications, networks
and devices that will be used to provide remote access. In many
cases, this can be simplified to three: the user's device, the
target system and the network that connects the two. Based on the
risks, controls should be applied to each to ensure that end-to-end
protection is in place.
The end-user's device will be the first point of weakness and so
should be subjected to a risk assessment. Implement malware
protection (such as anti-virus software) and a firewall. Where
possible, advanced controls such as hardening the operating system
and disabling the browser password cache should be implemented.
Theft or loss of the asset (and therefore its data) is another risk
- full disk encryption can help there. Whilst these controls can be
applied relatively easily to devices owned and managed by the
business, they probably cannot be applied where the employee is
using their home PC to access business systems. If your business is
relying on employees to use their own devices for remote access,
then carefully consider which systems and data are to be made
available.
To make internal systems available to remote workers you
typically need to expose them to the internet. This can be risky
because poorly configured software can be identified and attacked
using widely available port and vulnerability scanning software. So
take care when deciding which systems are made available, as many
remote access systems will grant access to the entire network and
to PCs within it. This is a good time to investigate the patch and
update status of your servers - there is no harm in implementing
access and malware protection controls that apply equally for those
accessing servers from the office network as well as remotely.
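One way to check which services a server offers before opening it up to remote workers, as an added example that is not part of the original article: it compares a server's listening TCP sockets against the ports the business has decided to offer and flags the rest. The sample `ss -tlnH` output and the single-port policy are constructed assumptions; whether a flagged service is actually reachable from the internet also depends on the router or firewall in front of the server.

```python
import ipaddress

# Assumed policy: only HTTPS is meant to be offered to remote workers.
INTENDED_REMOTE_PORTS = {443}

# Constructed sample of `ss -tlnH` output (listening TCP sockets, numeric, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 50 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:445 [::]:*
LISTEN 0 128 192.168.1.10:8080 0.0.0.0:*
LISTEN 0 5 [::1]:631 [::]:*
"""


def parse_listener(line):
    """Return (host, port) for one `ss` listener line, or None if unparseable."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    # Drop IPv6 brackets and any interface scope such as "%eth0".
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def reachable_from_network(host):
    """True unless the socket is bound to a loopback address only."""
    if host == "*":  # wildcard bind: every interface
        return True
    return not ipaddress.ip_address(host).is_loopback


def unintended_listeners(ss_output, intended_ports):
    """List (host, port) pairs that accept network connections outside policy."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and reachable_from_network(parsed[0]) and parsed[1] not in intended_ports:
            findings.append(parsed)
    return sorted(findings, key=lambda finding: finding[1])


if __name__ == "__main__":
    for host, port in unintended_listeners(SAMPLE_SS_OUTPUT, INTENDED_REMOTE_PORTS):
        print(f"review before exposing this server: {host} port {port}")
```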
The obvious risk of transmitting confidential business
information across the internet is from interception. However,
confidentiality can be assured by using a VPN or HTTPS to protect
the connection. The prospect of purchasing and configuring a VPN
concentrator (the device that external users connect to) may prove
intimidating, but simple devices are now available and often
include firewall and ADSL modem functionality for about £100. Poor
performance and availability may prove to be a bigger issue than
confidentiality - many small businesses utilise ADSL or SDSL lines
that provide similar (often poor) reliability to consumer
offerings. Consider taking a second internet connection from a
different provider such as your local cable TV provider.
A final thought to consider - cloud computing is all the rage now,
and can genuinely offer some security benefits in this area for
small businesses. By moving to a hosted solution accessed via the
internet, a small business may see an increase in security, a
reduction in costs and the added benefit of remote access included
as standard. But remember, you will still need to consider the
risks of such an approach.
Gary Wood is a research consultant at the Information
Security Forum