Building resilience and security for long-term remote working
- Published: Friday, 16 July 2021 07:54
For many organizations, remote working is moving from being a reactive response to the business continuity requirements generated by the COVID-19 pandemic to being a long-term business policy. As organizations take this step, resilience and security issues need to be addressed with a sustainable strategy, as Steve Dance and Andrew Lawton explain…
Working from home is now a regular and accepted arrangement for many organizations. The COVID-19 pandemic forced many organizations to quickly adapt to remote homeworking to keep their business running. And the experience has forced the subject of resilience on to many boardroom agendas. In the UK financial sector, operational resilience is becoming a regulatory requirement as the Bank of England, Prudential Regulation Authority, and the Financial Conduct Authority press on with their initiatives on financial sector resilience. Given the number of financial institutions that are announcing their intention for remote working to be ‘business as usual’, security and resilience for remote working arrangements will fall under the auspices of these new regulations. At a national level rumours are circulating that the UK government is considering a ‘right to work from home’ initiative. In all likelihood, we may never return to working in the office five days a week. We are more likely to move to a hybrid arrangement with the corporate office used as a meeting and collaboration space, while the home office is used for day-to-day work.
However, for many organizations, relying on average domestic provision for security and resilience can significantly dilute (and even compromise) the overall security position of the organization. Even though remote working may be focused on routine work, the work performed may still be time critical or involve handing sensitive or confidential data.
Remote workers will often deal with sensitive data that may be confidential to themselves, their customers or their companies and so need protection from hackers penetrating their home networks. The security and resilience of the ‘home office’ can jeopardise both the domestic and the corporate environment. In adopting a regular work from home arrangement, several threats to both security and resilience present themselves:
- Physical compromise of the workplace. Utilities failure and property damage due to extreme weather can limit an individual’s ability to access IT services. Power failures can last for hours and possibly days – impacting operational deadlines.
- Remote workers are exposed to single points of failure in their home broadband, Internet and home power supplies. Around 4.7 million people in the UK suffered a broadband outage lasting more than 3 hours during the past year with an estimated cost to the economy of some £1.5bn. Events such as the August 2019 power cut, which cut power to 1.1 million households, create headlines but every single day 1000s of homes are left without power.
- Absence of enterprise grade firewalls and blacklisted IP management. Most remote access solutions are outside of perimeter defences / defenses and may rely solely on security features of domestic devices (i.e., broadband routers).
- Unprotected and vulnerable devices attached to local network. This is almost guaranteed – home networks support several different devices, many of which will be unknown and unproven to the organization’s information security specialists.
- Lack of control over devices added to the local network. There is very little that can be done in terms of preventing additional, unsecured devices being attached to the home network.
The average home network, then, is full of potential security trip-wires. There are, of course, solutions to all the threats outlined above, but they too have deployment issues that can be difficult to manage:
- Solution ‘silos’. Mitigating the threats may require several ‘point’ solutions for each threat. Is it practical or desirable to secure remote workers in this way? And can the level of security be maintained consistently?
- End user ability to apply and maintain security solutions. If several solutions are required to mitigate threats is it reasonable to expect end-users to deploy and manage things like micro-UPS systems and security software? Under a scenario where domestic broadband is lost, relying on an end-user (who may be under pressure to meet a deadline) to perform recovery of connectivity via mobile services is asking for trouble. Security needs to be both pervasive, persistent and ‘baked-in’.
- Management and support of remote workers. Service and help desks need to have tools to effectively deploy, monitor, and support security solutions – in essence they need a management console to ensure that home workers are working in a secure environment.
To overcome the security concerns and ongoing management challenges remote working requires a more holistic approach to reliably implement security and resilience for the home worker. Many organizations are now looking to solutions to overcome the drawbacks of security silos and management challenges. Best of breed integrated solutions will incorporate:
- Integral UPS to ensure critical work is not interrupted by power outages or surges.
- Security features to force security of sensitive traffic.
- Automated failover to secure mobile data services to preserve connectivity, in the event of domestic broadband failure
- Enterprise grade management capability providing visibility and control to simply support remote workers via a single console.
Steve Dance is an independent consultant specialising in business continuity and operational resilience at RiskCentric
Andrew Lawton is CEO of ResKube