As the CORONApocalypse continues to fade and we all get back to whatever normal is, it’s a good opportunity to look back at the changes we have made in the workplace over the last 12-16 months to keep our businesses going and ask ourselves, “is this good?”.
There are two obvious focus points to this: productivity and security. I could ramble on about both at length, but instead I’ll try to rein myself in and focus on the key questions one needs to answer in order to answer the big question of, “is this good?”
Now, I reject the notion that Security is the enemy of Productivity and vice versa. Both aspects are equally important and need to be considered hand in hand when implementing change. For both of these elements I’d ask the same questions:
1. Where is our data?
2. Where are our staff?
These two questions naturally stem into other questions and ultimately help us to see where change is required and what good should or could look like. So, let’s explore them…
Where is our data?
Even before the pandemic, a large (and growing) number of businesses were using cloud resources of some kind, email being the most prevalent. So there is our first tick in the box: we know our email is in the cloud.
What about our apps and files? Some organisations would have been cloud native already, keeping all their apps and services in one or many cloud services. Others would have had what we consider to be traditional infrastructure – servers sitting in that dusty, noisy part of that thing we used to call an office in the before times.
Cloud or Onsite Server?
One might argue that when the pandemic hit, the cloud natives had a much easier time of it, shifting their bottoms from the office to home and carrying on as normal. At the other end, classic infrastructure posed a massive headache to businesses and IT teams as this thing that was guarded like a bank vault now suddenly needs to be accessed from anywhere.
But that’s not strictly true. Cloud technology is by its nature designed to be easy to use out of the box, which means that a number of security controls are not on by default, and this can (and frequently does) leave businesses exposed. Similarly, the mass exodus from the office can leave a lot of businesses wondering where their IT kit is. Is it up to date, or is it even being used? Now that our staff are working from home, do they prefer their own devices and technology? Is that kit shared with anyone else? Is it kept up to date? There are many questions and checks that a business may want to make with its employees.
By contrast, the classical infrastructure needs controlled holes punched through or links (VPNs, for example) set up. In some cases, the users’ desktops stay where they are, and they simply get a remote view of them from whatever technology they are using at home. This can be easier to track and control, but of course has limitations and an impact on end-user experience.
Where are our staff?
This may sound like a really stupid question, especially early on in the pandemic. The answer was of course, “our staff are at home (for the most part), they have to be by legal decree”. But what does that home look like? Is it a shared space with other adults from different businesses or is it shared with family? Do your staff have adequate physical space to work, or do they need to build a pillow fort each morning? Is their connectivity adequate and what else is on that network?
“Your data is wherever your staff are, and your staff are wherever your data is”
Consideration needs to be given to all of these things, but what I find helps as a general answer is, “your data is wherever your staff are, and your staff are wherever your data is”. Therefore, we need to ensure that we can control how our data and systems are accessed and have visibility and control of our staff’s devices. With these two things we can better ensure the integrity of our information and our customers’ information and optimise our working practices. I can absolutely guarantee you that your staff will take the path of least resistance, not because they’re lazy or negligent but because that is the most efficient path; as such, the way you enable them and the way you protect your systems needs to support that.
As an example, let’s say I work for an organisation with an on-premises file server. The VPN link is slow, so I copy files to my machine to work on. Pretty inefficient from end to end, but also, what happens to the files I am working on? Are other staff members doing the same with the same files I have got? Do I clean up my local copies after I have transferred them back? Is my device shared with my children or partner?
You can see where this is going, and ironically we see the same thing with cloud setups: users who sync all the company files ‘just in case’ or because ‘it’ll be quicker’. Do you really want all those copies of your files floating around without visibility or control? To me it sounds like a data breach or GDPR nightmare waiting to happen.
So, as I’m such a know-it-all, what are my top tips?
1. Cover your assets
Wherever possible provide your staff with company-owned equipment and ensure this is enrolled in some sort of device management platform. This will give you:
- Visibility over the health of the device – is it up to date, is the anti-virus current and working?
- The ability to implement device security policies like:
  - Local disk encryption, should the device be lost or stolen
  - Enforcing strong passwords
  - Removing the ability for employees to install any random app they find
2. Strengthen your authentication
Whatever systems you have in place, you need to provide access to them and that means a username and a password – yes I’m sorry to tell you that despite the media hype this is still a thing and it will be for the foreseeable future. MFA is the best option here and we have a whole other blog about that here which you should read. Just make sure that you apply MFA anywhere and everywhere and that you combine it with good password hygiene (again more info on that here).
3. Permissions and files should be on a need to know basis
For non-techies this basically means do not give your staff more than the bare minimum of access they need for their day-to-day tasks. This includes:
- File permissions: Directors do not need access to HR files, engineers do not need access to payroll, etc.
- Administrative rights: it is very rare that your typical user will need to install things on their device, so do not give them this permission. Instead, create them a separate account they can use when this is required. This greatly reduces the chances of their account being exploited by an attacker or malware. Similarly, if you have a member of staff who dials into a backend system once a week/month for a report, don’t give them full admin rights; either give them the roles for that specific task or set up a separate account.
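As an added example (not from the original post), here is a small audit script that applies the two checks above to a constructed account and file-share inventory: it flags everyday accounts that also carry admin rights, and shares whose ACL grants access to groups with no business need, then proposes the tightened ACL. The account names, groups, shares and the “need to know” map are all made up for the example; a real run would feed in directory and share exports instead.

```python
"""Least-privilege audit over a constructed account and file-share inventory.

Two checks, matching the tip above:
  * everyday accounts that also carry admin rights (no separate admin account), and
  * file shares whose ACL grants access to groups with no business need.
Names, groups, shares and ACLs below are constructed sample data, not
output from any real directory.
"""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    groups: set          # group memberships
    daily_use: bool      # used for email, browsing and day-to-day work
    is_admin: bool       # holds local/domain admin rights


# Constructed "need to know" map: which groups need which shares
SHARE_NEED_TO_KNOW = {
    "hr": {"HR"},
    "payroll": {"Finance"},
    "engineering": {"Engineering"},
    "public": {"AllStaff"},
}

# Constructed current ACLs: Directors have been added "just in case"
SHARE_ACLS = {
    "hr": {"HR", "Directors"},
    "payroll": {"Finance"},
    "engineering": {"Engineering", "Directors"},
    "public": {"AllStaff"},
}

ACCOUNTS = [
    Account("alice", {"HR", "AllStaff"}, daily_use=True, is_admin=False),
    Account("bob", {"Engineering", "AllStaff"}, daily_use=True, is_admin=True),  # admin on everyday account
    Account("carol", {"Directors", "AllStaff"}, daily_use=True, is_admin=False),
    Account("dave", {"Engineering", "AllStaff"}, daily_use=True, is_admin=False),
    Account("dave-adm", {"Engineering"}, daily_use=False, is_admin=True),        # separate admin account: the pattern to aim for
]


def find_admin_on_daily_accounts(accounts):
    """Names of everyday accounts that also hold admin rights."""
    return sorted(a.name for a in accounts if a.daily_use and a.is_admin)


def find_overbroad_share_access(acls, need_to_know):
    """{share: [groups granted access without a need]}"""
    findings = {}
    for share, groups in acls.items():
        extra = groups - need_to_know.get(share, set())
        if extra:
            findings[share] = sorted(extra)
    return findings


def tighten_acls(acls, need_to_know):
    """Proposed ACLs: current grants intersected with the need-to-know map."""
    return {share: groups & need_to_know.get(share, set()) for share, groups in acls.items()}


def effective_shares(account, acls):
    """Shares an account can reach through any of its groups."""
    return sorted(share for share, groups in acls.items() if account.groups & groups)


if __name__ == "__main__":
    print("admin on everyday accounts:", find_admin_on_daily_accounts(ACCOUNTS))
    print("over-broad shares:", find_overbroad_share_access(SHARE_ACLS, SHARE_NEED_TO_KNOW))
    carol = ACCOUNTS[2]
    print("carol before:", effective_shares(carol, SHARE_ACLS))
    print("carol after:", effective_shares(carol, tighten_acls(SHARE_ACLS, SHARE_NEED_TO_KNOW)))
```

The useful output is the difference between `effective_shares` before and after `tighten_acls`: the director keeps the public share and loses HR and engineering, which is exactly the “need to know” outcome the tip describes.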
4. Close up your VPNs
VPNs are a great way to connect your staff to services like good old-fashioned servers and applications (on-premises or cloud), but too often they’re wide open. Out of the box, your typical VPN will simply allow staff to browse anything and everything on the network, and there are plenty of scenarios where this isn’t required. We should look to limit the scope of our VPNs to only what is necessary for our staff to work. The reason is that this VPN is ultimately a back door, and it’s one you’re typically not watching because the perimeter security is being relied upon to stop the bad guys.
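To make the “wide open” versus “scoped” contrast concrete, here is an added example (not from the original post) that models a VPN access policy as a list of allow rules and evaluates some sample connection attempts against both the out-of-the-box policy and a narrowed one. Anything that matches no rule is denied and written to a log line, which covers the “nobody is watching it” point as well. The subnets, groups, ports and user names are constructed for the example; the rule shape is my own, not any particular VPN product’s configuration format.

```python
"""VPN scope check: the out-of-the-box 'wide open' policy beside a scoped one.

A policy is a list of allow rules (group, destination network, port).
Connection attempts that match no rule are denied and logged, which is the
part most VPN deployments skip. All addresses, groups, ports and names
below are constructed sample data.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "group network port")      # "*" means any group / any port
Attempt = namedtuple("Attempt", "user group dst port")

# Out-of-the-box behaviour: anyone on the VPN can reach anything on any port.
WIDE_OPEN = [Rule("*", ipaddress.ip_network("10.0.0.0/8"), "*")]

# Scoped: each group reaches only the services it needs to work.
SCOPED = [
    Rule("AllStaff", ipaddress.ip_network("10.1.2.10/32"), 445),   # file server, SMB
    Rule("AllStaff", ipaddress.ip_network("10.1.2.20/32"), 443),   # intranet app, HTTPS
    Rule("IT", ipaddress.ip_network("10.1.0.0/16"), "*"),          # IT admins: whole server VLAN
]


def is_allowed(policy, attempt):
    """First-match allow; no match means deny."""
    dst = ipaddress.ip_address(attempt.dst)
    for rule in policy:
        if rule.group not in ("*", attempt.group):
            continue
        if dst not in rule.network:
            continue
        if rule.port not in ("*", attempt.port):
            continue
        return True
    return False


def evaluate(policy, attempts):
    """Return (allowed_attempts, deny_log_lines)."""
    allowed, denied = [], []
    for a in attempts:
        if is_allowed(policy, a):
            allowed.append(a)
        else:
            denied.append(f"DENY vpn user={a.user} group={a.group} dst={a.dst}:{a.port}")
    return allowed, denied


# Constructed sample traffic
SAMPLE_ATTEMPTS = [
    Attempt("alice", "AllStaff", "10.1.2.10", 445),   # file share: needed for work
    Attempt("alice", "AllStaff", "10.1.2.10", 3389),  # RDP to the file server: not needed
    Attempt("alice", "AllStaff", "10.1.5.7", 22),     # SSH to some other host: not needed
    Attempt("ivan", "IT", "10.1.5.7", 22),            # IT admin: in scope
]

if __name__ == "__main__":
    for label, policy in (("wide open", WIDE_OPEN), ("scoped", SCOPED)):
        allowed, denied = evaluate(policy, SAMPLE_ATTEMPTS)
        print(f"{label}: {len(allowed)} allowed, {len(denied)} denied")
        for line in denied:
            print("  ", line)
```

Under the wide-open policy all four attempts succeed silently; under the scoped policy the two attempts a normal user has no business making are refused and leave a log line behind, which is the visibility the paragraph above says is usually missing.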
5. Conditional controls
This is more specific to cloud services but look to configure policies that check where your staff are connecting from, from what device and what the condition of that device is. You can very easily limit the access staff have based on this or deny access altogether.
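The device checks from tip 1 and the conditional controls described here fit together naturally, so here is one added example (not from the original post) that covers both: a compliance check that scores a device record against the tip 1 policies (enrolled, disk encrypted, password policy, app installs locked, anti-virus current, patched recently), and a decision function that combines that verdict with where the sign-in comes from and whether MFA (tip 2) has been satisfied. The device records, the office IP range, the thresholds and the decision order are all constructed for the example and are not any particular vendor’s policy engine.

```python
"""Device compliance check feeding a conditional-access decision.

compliance_findings() scores a device record against the policies listed
under tip 1. decide() then combines that verdict with the sign-in location
and MFA state, in the spirit of tip 5: compliant device on the office
network -> allow; compliant device elsewhere -> allow only once MFA is
satisfied; non-compliant device -> block.
Device records, IP ranges and thresholds below are constructed examples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

TODAY = date(2021, 6, 1)  # fixed reference date so the example is deterministic
# Constructed "office" egress range (TEST-NET-3, documentation-only addresses)
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Device:
    name: str
    managed: bool             # enrolled in the device management platform
    disk_encrypted: bool
    min_password_len: int
    app_install_locked: bool  # users cannot install arbitrary software
    av_signatures: date       # date of the last anti-virus signature update
    last_patched: date


def compliance_findings(d, today=TODAY):
    """Return a list of policy failures; an empty list means compliant."""
    findings = []
    if not d.managed:
        findings.append("not enrolled in device management")
    if not d.disk_encrypted:
        findings.append("local disk not encrypted")
    if d.min_password_len < 12:  # constructed threshold
        findings.append("password policy weaker than 12 characters")
    if not d.app_install_locked:
        findings.append("users can install arbitrary apps")
    if today - d.av_signatures > timedelta(days=3):
        findings.append("anti-virus signatures stale")
    if today - d.last_patched > timedelta(days=30):
        findings.append("patches older than 30 days")
    return findings


@dataclass
class SignIn:
    user: str
    source_ip: str
    device: Device
    mfa_satisfied: bool


def from_trusted_location(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def decide(signin, today=TODAY):
    """Return ('allow' | 'require_mfa' | 'block', reason)."""
    failures = compliance_findings(signin.device, today)
    if failures:
        return "block", "device non-compliant: " + "; ".join(failures)
    if from_trusted_location(signin.source_ip):
        return "allow", "compliant device on corporate network"
    if signin.mfa_satisfied:
        return "allow", "compliant device off-network, MFA satisfied"
    return "require_mfa", "compliant device off-network, MFA required"


# Constructed sample devices
LAPTOP01 = Device("LAPTOP01", True, True, 14, True,
                  TODAY - timedelta(days=1), TODAY - timedelta(days=10))
HOME_PC = Device("HOME-PC", False, False, 8, False,
                 TODAY - timedelta(days=40), TODAY - timedelta(days=90))

if __name__ == "__main__":
    for s in [SignIn("alice", "203.0.113.5", LAPTOP01, False),
              SignIn("alice", "198.51.100.7", LAPTOP01, False),
              SignIn("alice", "198.51.100.7", LAPTOP01, True),
              SignIn("bob", "198.51.100.9", HOME_PC, True)]:
        print(s.user, s.source_ip, s.device.name, "->", decide(s))
```

The ordering in `decide` is the point worth noticing: device health is checked before location or MFA, so a personal PC with no encryption and stale anti-virus is blocked even when the user completes MFA, while the managed laptop gets straight in from the office and is asked for MFA only when it shows up from somewhere else.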
6. Create a separate home network
My last tip is for those more technically minded: if you’re permanently working from home, look to segment your network. What this means is you create a separate network just for your work stuff, tucked away from your kids’ tablets, PCs and consoles, and the IoT devices that were an eBay bargain. Our home networks typically lack any form of security because they need to be easy to use, and the grade of the equipment supplied by our ISPs is far from great (that is why it is free!), so keeping our work devices away from this reduces our risks significantly.
So, ask yourself, do you think your business’ security “is good”?
Hopefully, this has helped you to see what questions need to be (re)asked to pick up those snags from when we were hurriedly rolling this stuff out. You may also find this article about general home working useful.
Most of what I’ve talked about has little to no cost; a huge amount of this (with the exception of the rubbish routers your ISP will give you; no bitterness here) is free. It’s baked into the tools and services you use, it just needs turning on.
And so, at the end of all that, take a step back and look at what you have and ask – “is this good?”