Extraordinary times call for extraordinary measures. Last month, we focused on how to set up systems for remote work. This month, we will be focusing on how to keep them secure.
The coronavirus pandemic is an extraordinary situation, and for charity leaders who now have substantial numbers of staff working from home – often for the first time – it poses a number of significant cyber security challenges.
That’s because employees may be accessing data in a way that is not secure; normal security processes – such as getting transactions checked by a nearby colleague – are no longer possible; and frustrated staff who are struggling to access the applications and data that they need to get their jobs done may be tempted to use shortcuts and workarounds to problems that are convenient but insecure.
In normal circumstances, the majority of current home working setups might be judged too insecure to be allowed, but in the present situation that simply isn’t an option: for many charities, the stark choice is between allowing relatively insecure home working, or abandoning those the charity aims to help and closing down.
But the good news is that there are a variety of specialised security tools which charities can use to tighten security significantly while a very large proportion of staff work remotely. Here are some of the most valuable ones that can help keep cyber threats at bay:
Perhaps the biggest security risk that remote workers pose stems from the fact that they often access their charity’s confidential data. In normal circumstances, this data travels over the organisation’s private internal network, but when working from home this data travels over the public internet where cyber criminals can potentially intercept and access it.
The way around this problem is to ensure that staff who access confidential data do so using a virtual private network, or VPN. A VPN works by encrypting any data before it leaves the charity’s computer systems and travels out onto the internet, and only decrypts that data once it arrives safely at the remote worker’s computer. It also does the same thing in reverse when the data travels in the other direction.
The use of a VPN is particularly important if staff members are using shared open Wi-Fi access (perhaps because their home broadband connection is not working) in a public place.
Most organisations install VPN software on any laptops that they give out to staff to enable home computing, but where staff are working from home on their own computers, cyber security staff should provide instructions on how to install VPN software to connect to charity systems.
Anyone working from home should be running security software to provide a degree of protection from cyber threats including phishing attacks, viruses, and other malware. While any reputable security software will suffice as a stopgap measure, a better solution is for organisations to use an endpoint protection platform.
This can be thought of as a centralised control centre, often running in the cloud, which allows cyber security staff to monitor all home workers’ computers, install security software on them, ensure that the security software is running (and has not been disabled by the user or by a cyber criminal or malicious software), and check that the software is up to date.
The more sophisticated endpoint protection platforms include endpoint detection and response features, which can spot when remote users’ computers have been infected by a virus or ransomware and quarantine them remotely to prevent the infection from spreading to other staff members’ computers or the charity’s main computer systems.
A network access control (NAC) system is designed to ensure that remote workers’ computers can only connect to an organisation’s systems if they can do so securely. Using a NAC, cyber security staff can set conditions that have to be met before a computer can connect, such as that the computer must be running a specific security software package, have a fully updated current operating system (and not Windows 7, which is no longer supported by Microsoft), and be connecting via a VPN.
NAC systems have come in for criticism in the past because they could prevent staff members from connecting to the network even in an emergency situation, but modern NAC systems get around this by allowing non-compliant computers to connect to a restricted part of the network where they are given the opportunity to install updates or other software to ensure that they can then reconnect safely.
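The admission decision described above can be sketched in a few lines of Python. This is an added example, not code from any NAC product or from this article's author; the agent name, field names and segment names are hypothetical, and the sample reports are constructed.

```python
# Constructed policy for illustration; real NAC products use their own policy formats.
UNSUPPORTED_OS = {"Windows 7"}            # no longer supported by Microsoft
REQUIRED_AGENT = "ExampleEndpointAgent"   # hypothetical security software package


def evaluate(report):
    """Return (segment, fixes) for a device's self-reported posture.

    Missing fields count as failures, so an incomplete report never
    reaches the main network.
    """
    fixes = []
    os_name = report.get("os_name")
    if not os_name or os_name in UNSUPPORTED_OS:
        fixes.append("move to a supported operating system")
    elif not report.get("os_fully_updated", False):
        fixes.append("install pending operating system updates")
    if REQUIRED_AGENT not in report.get("running_security_software", []):
        fixes.append("install and start " + REQUIRED_AGENT)
    if not report.get("via_vpn", False):
        fixes.append("reconnect through the VPN")
    # Non-compliant devices are not refused outright: they go to a restricted
    # segment where they can fetch updates, then reconnect.
    return ("restricted" if fixes else "main"), fixes


# Constructed sample posture reports.
SAMPLES = {
    "compliant-laptop": {"os_name": "Windows 10", "os_fully_updated": True,
                         "running_security_software": [REQUIRED_AGENT], "via_vpn": True},
    "old-home-pc": {"os_name": "Windows 7", "os_fully_updated": True,
                    "running_security_software": [], "via_vpn": False},
    "unpatched-laptop": {"os_name": "Windows 10", "os_fully_updated": False,
                         "running_security_software": [REQUIRED_AGENT], "via_vpn": True},
    "empty-report": {},
}

if __name__ == "__main__":
    for name, report in SAMPLES.items():
        segment, fixes = evaluate(report)
        print(f"{name}: {segment}", "; ".join(fixes))
```

The list of fixes is what the restricted segment would show the staff member, so that they know what to install before reconnecting.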
Remote workers who use their smartphones or tablets to work from home are a particular security risk for charities because mobile devices by their nature are easily lost or stolen. This can be very damaging if the mobile device is storing confidential information or applications which can be used to access the organisation’s systems and data.
Mobile device management (MDM) software enables cyber security staff to impose rules on how these devices must be configured to protect their organisation’s security. Typical rules include that the mobile device locks automatically when inactive, and that it requires a PIN, password, fingerprint or other biometric to unlock it. MDM software can also detect when a device has been "jailbroken" by the owner – because jailbreaking reduces the security of the device – and prevent jailbroken devices from accessing the organisation’s network.
MDM software also allows cyber security staff to delete the contents of a lost device remotely to ensure that the thief cannot access confidential data.
One of the most important security tools, and one which is often overlooked, is staff training. Any organisation dealing with the coronavirus pandemic by allowing staff to work from home for the first time should ensure that these home workers are made aware of what precautions they need to take to ensure that they do not jeopardise the security of their charity.
Just as importantly, it is vital to provide clear instructions about who they should contact and what they should do if they believe that any form of security breach has occurred.