Indications are that remote working was able to reduce the financial impact for those companies that have enabled it, but very few small and medium businesses have the budget or technical ability to implement and manage secure virtual private networks (VPNs) with sophisticated network access control.
Remote working - how risky is it and what can small businesses do to enable it securely?
Even large organisations struggle to secure remote working - and that is with multi-million pound budgets, 24x7 support and dedicated technical teams. Small businesses are exposed to the same risks, may not have any of these controls, yet would still like the flexibility and convenience that remote working offers them.
All is not lost - many small organisations do not need to provide full network functionality remotely; access to e-mail will often suffice. Secure remote working can be achieved on a small business budget and skill set by understanding the risks to your business information and selecting components and controls that best mitigate them.
A good starting point is to identify the applications, networks and devices that will be used to provide remote access. In many cases, this can be simplified to three: the user's device, the target system and the network that connects the two. Based on the risks, controls should be applied to each to ensure that end-to-end protection is in place.
The end-user's device will be the first point of weakness and so should be subjected to a risk assessment. Implement malware protection (such as anti-virus software) and a firewall. Where possible, advanced controls such as hardening the operating system and disabling the browser password cache should be implemented. Theft or loss of the asset (and therefore its data) is another risk - full disk encryption can help there. Whilst these controls can be applied relatively easily to devices owned and managed by the business, they probably cannot be applied where the employee is using their home PC to access business systems. If your business is relying on employees to use their own devices for remote access, then carefully consider which systems and data are to be made available.
To make internal systems available to remote workers you typically need to expose them to the internet. This can be risky because poorly configured software can be identified and attacked using widely available port and vulnerability scanning software. So take care when deciding which systems are made available, as many remote access systems will grant access to the entire network and to PCs within it. This is a good time to investigate the patch and update status of your servers - there is no harm in implementing access and malware protection controls that apply equally for those accessing servers from the office network as well as remotely.
The obvious risk of transmitting confidential business information across the internet is interception. However, confidentiality can be assured by using a VPN or HTTPS to protect the connection. The prospect of purchasing and configuring a VPN concentrator (the device that external users connect to) may prove intimidating, but simple devices are now available and often include firewall and ADSL modem functionality for about £100. Poor performance and availability may prove to be a bigger issue than confidentiality - many small businesses utilise ADSL or SDSL lines that provide similar (often poor) reliability to consumer offerings. Consider taking a second internet connection from a different provider such as your local cable TV provider.
A final thought to consider - cloud computing is all the rage now, and can genuinely offer some security benefits in this area for small businesses. By moving to a hosted solution accessed via the internet, a small business may see an increase in security, a reduction in costs and the added benefit of remote access included as standard. But remember, you will still need to consider the risks of such an approach.
Gary Wood is a research consultant at the Information Security Forum