This week Steve Dance and Andrew Lawton discuss the risks we need to address as working remotely becomes a more popular option for organisations across the UK.
Working from home is now a regular and accepted arrangement for many organisations. The COVID-19 pandemic forced many organisations to quickly adapt to remote home-working to keep their business running. And the experience has forced the subject of resilience onto many boardroom agendas. In the UK financial sector, operational resilience is becoming a regulatory requirement as the Bank of England, Prudential Regulation Authority, and the Financial Conduct Authority press on with their initiatives on financial sector resilience. Given the number of financial institutions that are announcing their intention for remote working to be ‘business as usual’, security and resilience for remote working arrangements will fall under the auspices of these new regulations. At a national level rumours are circulating that the UK government is considering a ‘right to work from home’ initiative. In all likelihood, we may never return to working in the office five days a week. We are more likely to move to a hybrid arrangement with the corporate office used as a meeting and collaboration space, while the home office is used for day-to-day work.
However, for many organisations, relying on average domestic provision for security and resilience can significantly dilute (and even compromise) the overall security position of the organisation. Even though remote working may be focused on routine work, the work performed may still be time critical or involve handling sensitive or confidential data.
Remote workers will often deal with sensitive data that may be confidential to themselves, their customers or their companies and so need protection from hackers penetrating their home networks. The security and resilience of the ‘home office’ can jeopardise both the domestic and the corporate environment. In adopting a regular work from home arrangement, several threats to both security and resilience present themselves:
- Physical compromise of the workplace. Utility failure and property damage due to extreme weather can limit an individual’s ability to access IT services. Power failures can last for hours and possibly days – impacting operational deadlines.
- Remote workers are exposed to single points of failure in their home broadband, Internet and home power supplies. Around 4.7 million people in the UK suffered a broadband outage lasting more than 3 hours during the past year with an estimated cost to the economy of some £1.5bn. Events such as the August 2019 power cut, which cut power to 1.1 million households, create headlines but every single day 1000s of homes are left without power.
- Absence of enterprise grade firewalls and blacklisted IP management. Most remote access solutions are outside of perimeter defences and may rely solely on security features of domestic devices (i.e., broadband routers).
- Unprotected and vulnerable devices that are attached to the local network. This is almost guaranteed – home networks support several different devices, many of which will be unknown and unproven to the organisation’s information security specialists.
- Lack of control over devices added to the local network. There is very little that can be done in terms of preventing additional, unsecured devices from being attached to the home network.
The average home network, then, is full of potential security trip-wires. There are, of course, solutions to all the threats outlined above, but they too have deployment issues that can be difficult to manage:
- Solution ‘silos’. Mitigating the threats may require several ‘point’ solutions for each threat. Is it practical or desirable to secure remote workers in this way? And can the level of security be maintained consistently?
- End user ability to apply and maintain security solutions. If several solutions are required to mitigate threats is it reasonable to expect end-users to deploy and manage things like micro-UPS systems and security software? Under a scenario where domestic broadband is lost, relying on an end-user (who may be under pressure to meet a deadline) to perform recovery of connectivity via mobile services is asking for trouble. Security needs to be both pervasive, persistent and ‘baked-in’.
- Management and support of remote workers. Service and help desks need to have tools to effectively deploy, monitor, and support security solutions – in essence, they need a management console to ensure that home workers are working in a secure environment.
To overcome the security concerns and ongoing management challenges remote working requires a more holistic approach to reliably implement security and resilience for the home worker. Many organisations are now looking for solutions to overcome the drawbacks of security silos and management challenges. Best of breed integrated solutions will incorporate:
- Integral UPS to ensure critical work is not interrupted by power outages or surges.
- Security features to force security of sensitive traffic.
- Automated failover to secure mobile data services to preserve connectivity, in the event of domestic broadband failure
- Enterprise grade management capability providing visibility and control to simply support remote workers via a single console.
This article was first published on Continuity Central and has been written by Steve Dance who is an independent consultant specialising in business continuity and operational resilience at RiskCentric, and Andrew Lawton who is CEO of ResKube.