In this short article, I am trying to point out what needs to be considered in order to stay secure, before trying to keep the company operable.
Today is Saturday, 14th of March, 2020. While the number of new Corona infections has already decreased within China, for most countries in the world the worst is yet to come. Governments are taking strong measures to isolate the virus and businesses are following. Companies are facing a huge challenge right now: they are trying not to shut down their business. In doing so, many are considering setting up remote workplaces.
So while you might have left the office on Friday still feeling comfortable, on Monday you might suddenly be confronted with the task of enabling most, if not all, of your employees to work from home. The problem is: the time for this is short, you might not have more than a week. But in order to allow people to work remotely, several things need to be prepared and different aspects need to be taken into account:
- Are all relevant systems accessible from the internet?
- Do we have enough bandwidth for the increased number of remote users?
- Will we allow users to connect with their own devices in case not everyone has a laptop?
- Is IT able to support remote users just as if they were in the office?
The list could go on. IT forums see a rising number of questions concerning this challenge. As usual, whenever things are planned in a hurry, security ends up suffering.
What I will share here are two hints that I consider to be essential:
1. Please don’t trust non-company devices at all
2. Write down who is liable if things go south
Setting up a VPN alone does not make things secure. If you use the VPN on an untrusted device, be it a smartphone or a personal home computer, you are still entering credentials - on an untrusted device. You are using a keyboard to create documents - on an untrusted device. You are possibly working in a room that won’t have windows with privacy glass or you might be printing confidential documents on your home WiFi printer, which has no security at all.
The home office setup that is quickly switched to in this crisis often contradicts the company security policy - if you even care to have one. If security incidents happen because of that, who will be held accountable?
- Will it be your boss that told you “by next Friday, I need everyone to be able to work from home!”?
- Will it be the IT security officer, who reviewed the concept together with you and nodded in the end (but didn’t give you any written consent)?
- Will it be the employee that didn’t use the new system according to the new guidelines (he printed them out but left them on his desk in the office)?
- Or will it be you, the IT administrator who didn’t dare to tell his boss that he is not capable of setting this up securely within just one week?
Make sure you respect not only your own security policy but also that of all the other companies you are working with and whose data might be stored on servers that will now become accessible from improperly secured remote workplaces.
Agree on things and write down and sign this agreement, so everyone knows and agrees on being accountable.