How to balance secure remote working with on-site employees

Returning to the office

Organizations should be prepared to securely reintegrate work-from-home devices into the office environment. For example, establish a remediation network segment that is isolated from the rest of the organization. As each device returns to the office, connect the device to that segment, and scan it to verify its security health. This should include verifying the following:

• all OS and application patches are installed;
• no malware is present and no signs of compromise are evident; and
• all security and privacy configuration settings comply with enterprise policies and compliance requirements.

Remediate any problems, and follow your typical incident response procedures for compromised devices. Once a device is fully remediated, it is then allowed to connect to its usual networks and systems.

Another potential concern with employees returning to the office is passwords. This is especially important if the organization has allowed employees to utilize BYOD technologies for work from home. These technologies could use enterprise passwords to access applications such as email. Passwords used in this way are at higher risk of compromise than those only used on organization-issued devices, so it's generally advisable to force those passwords to be reset.

A final area to consider is how employees might have circumvented organizational policies to get their jobs done from home and, as a result, put information at increased risk of compromise. For example, employees might have set up their own file shares on a service such as Google Drive for collaboration purposes. It's important to identify these unauthorized resources not to punish users, but to ensure the data is not left outside the organization's control.

Remote working security best practices

Whether work-from-home measures are ongoing or if you just want to be prepared for the next pandemic, there are some actions that can significantly improve remote cybersecurity for relatively little effort.

Strengthen authentication. If feasible, require multifactor authentication for all remote access to organizational resources. This used to mean issuing physical cryptographic tokens, but many organizations now use soft tokens, such as adding an app to organization-issued smartphones that issues a new PIN every 60 seconds. Users enter their password and the current PIN in order to authenticate access to your VPN or other services. This prevents an attacker from stealing and reusing a password.

Reduce dependency on enterprise security services. Requiring client devices to access enterprise resources for some security services may have a big performance impact without substantially improving security. For example, when all client devices were in the office, it might have been best to require them to download all their patches from the organization's own patching servers. But having gigabytes of OS updates downloaded through the VPN to each client device might overwhelm the VPN. Instead, the client devices could download updates directly from vendors.

Consider allowing split tunneling for VPNs. Twenty years ago, the best practice for VPNs was to prohibit split tunneling. Split tunneling is when some of a computer's network traffic is routed through the enterprise network and other traffic is routed directly to its destination. Prohibiting split tunneling was a sound practice at the time because the enterprise could monitor all the traffic for signs of compromise. Most network traffic today is encrypted. So, allowing split tunneling doesn't usually have a major negative effect on security, and it can greatly improve VPN availability.