Practical considerations for effective remote working
Date: 24 June 2020
Author: Chris Culbert, BDO
The Covid-19 outbreak has fast-tracked many organisations’ remote working and digital ambitions. It has demonstrated how the modern workforce can work effectively while not on site, so long as individuals have access to the organisation’s infrastructure through an internet connection. This raised awareness, as well as committed capital funding for improved modern technology, brings additional future opportunities for remote working, staff productivity and the improved use of available tools.
As organisations assess these opportunities, it’s important not to focus exclusively on infrastructure. The human element is vital too. For example, in the current environment staff may be under increased pressure, with normal ways of working potentially being bypassed. This could raise questions as to whether data is being transferred over secure channels and platforms, or whether confidential items can be destroyed effectively within a home environment. It’s therefore essential to communicate regularly with all staff to ensure they are complying with expected practices and that any concerns or instances of non-compliance are identified, reported and acted upon.
As well as seeing the potential of remote working, many organisations have also become aware of vulnerabilities in areas such as email security, video conferencing tools and network controls. It’s important that sports organisations ensure they take all necessary steps to minimise the risks associated with digital technology and the remote working it enables.
Enhanced and secure use of email
Email is now a means of formal communication and can be used to document key business decisions. Organisations should ensure all staff have a sound understanding of basic email functionality, as well as awareness of potential vulnerabilities. More and more malicious emails are getting through filtering servers and restrictive email server rules. Phishing emails that purport to come from credible sources are an increasing concern: opening them may execute malware, or the message may encourage the recipient to disclose information. Some phishing emails carry attachments named after legitimate video conference providers, aiming to trick users into downloading malicious files. It’s therefore important that organisations take steps to protect themselves and their staff.
Key actions for increasing email security include:
- Providing clear and regular user awareness training to prevent malicious mail being opened and information given
- Encouraging users to hover their cursor over a sender's name or address so they see the address the message was actually sent from, and its domain, rather than the name the message claims
- Making sure that network and infrastructure teams have enabled best practice spam, filtering and blocking rules in the Microsoft ‘Exchange Admin Center’
- Backing up business data regularly, storing the backups on servers that are not reachable from your main network.
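As an added illustration of the "hover over the sender" check, not part of the original article: a small Python script that inspects the From and Reply-To headers of a message and flags the mismatches a user is looking for (a display name written as an address from another domain, replies routed to a third domain, a sender domain imitating a trusted one). The trusted domain and both sample messages are constructed for the demonstration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers for the demonstration (not real mail).
SAMPLE_SPOOFED = """From: "finance@sportsclub.example" <invoices@sportsc1ub-mail.example.net>
Reply-To: payments@other-domain.example.org
Subject: Urgent: updated bank details

Please see the attached invoice."""

SAMPLE_GENUINE = """From: "Finance Team" <finance@sportsclub.example>
Subject: Monthly statement

Statement attached."""

# Digits commonly used to imitate letters, and hyphens, are normalised away.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "-": None})


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted):
    """Heuristic: the trusted name appears inside an unrelated domain once
    look-alike characters are normalised (sportsc1ub-mail -> sportsclubmail)."""
    if domain == trusted or domain.endswith("." + trusted):
        return False  # the real domain, or a subdomain of it
    label = trusted.split(".")[0].translate(CONFUSABLES)
    return label in domain.translate(CONFUSABLES)


def check_sender(raw_message, trusted_domains):
    """Return findings about who the mail claims to be from versus the address
    it was actually sent from (what hovering over the sender reveals)."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Display name written as an address belonging to a different domain
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name claims {m.group(1).lower()}, real sender is {from_domain}")
    # 2. Replies silently routed to a third domain
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    # 3. Sending domain imitates one of the organisation's trusted domains
    for trusted in trusted_domains:
        if is_lookalike(from_domain, trusted):
            findings.append(f"sender domain {from_domain} looks like {trusted}")
    return findings
```

The same checks can be run by a mail gateway rule or a helpdesk triage script; the point is that the angle-bracket address, not the display name, is the real source.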
Effective application of video conferencing tools
Video conferencing tools have allowed organisations to continue holding business meetings while staff work remotely. However, malicious actors have recently tailored their attacks to exploit the increased use of video conferencing software. Staff training on the use of alternative communication channels such as video conferencing and virtual meeting software will help to maximise the benefits they offer, while minimising the risk of malicious hacking.
Key actions for safe and effective video conferencing include:
- When configuring applications, make sure to use the existing identity provider (for example, Active Directory) to preserve the existing control framework
- Assess and select appropriate configuration rules by setting defaults for joining meetings, passcodes for unauthenticated users, and blocking calls or invites during meetings from unauthenticated users
- Only use trusted sources (ideally an enterprise management tool) for installing any video conferencing apps and encourage the use of web browser versions where external parties invite you to meetings using applications not installed on your systems.
Secure remote connections into your organisation’s infrastructure
Nearly all organisations have had to rapidly increase the proportion of staff who work from home. They have had to set up remote connections for employees so they can access network resources. However, organisations need to be aware of the risks related to the access granted and how connections are configured.
Key steps for risk mitigation include:
- Apply security updates (patching) promptly, to limit the time a known vulnerability remains exploitable in the application. Vulnerabilities could allow privilege escalation and unauthorised access to critical resources.
- Configure a VPN (Virtual Private Network), which will ensure traffic is encrypted and can only be decrypted by permitted parties. Where a VPN relies on pre-shared keys, these must be exchanged between the parties over a secure channel to prevent unauthorised access.
- Establish strong new user account creation protocols to ensure verification of identity and validation of required access.
- Require two-factor authentication for privileged users (for example, domain and enterprise administrators), and preferably for all users.
- Take regular backups. Cloud services are now often used as part of backup processes. It is important to ensure the backups are held in a network segregated from the main corporate network to prevent backups being corrupted or compromised.
Better use of devices available to staff
Staff will often be using their personal devices in their day-to-day roles. However, working remotely and from home increases the risk of lost and/or stolen devices. There are several points to bear in mind with wider use of personal devices:
- It is essential to ensure adequate hard drive encryption on any devices being used remotely by staff members
- Procurement of mobile device management tools may be necessary to provide you and your Boards with the assurance that devices can be remotely wiped, locked or backed up, if need be
- There should be an established Bring Your Own Device (BYOD) policy in place which is agreed by staff
- Business data should not be stored locally on unprotected personal devices and conditional access should be set before accessing business applications and/or data.
Building on experience gained
Experience gained in recent months as organisations have embraced more remote working and digital technology can be put to use in future – helping to ensure ongoing IT resilience and the maintenance of critical services. During the Covid-19 outbreak, response teams will likely have developed, and regularly monitored and updated, a plan tailored to your key services. Since the outbreak, you may have identified changes to the criticality of your systems and/or services; these should be reflected in your regular assessments and used to inform your plans.
The pandemic has stress tested your ability to maintain critical services through a period of significant disruption. The findings should be highlighted and featured in capacity planning. Investment decisions need to be considered carefully, however. The cost of purchasing additional bandwidth may outweigh the benefits if your organisation normally has a limited number of remote users.
Chris Culbert is an IT Audit Manager at BDO. If you would like to speak to a member of the BDO team about the help available or review other COVID-19 guidance please visit our dedicated microsite here.