Many businesses now have employees working from home, an arrangement that has long presented challenges for IT security. The pandemic has certainly raised awareness of these issues, but businesses were forced to act quickly to maintain some kind of business continuity. Now that working from home is likely to stay, it’s time to make sure that your employees and contractors can work from pretty much anywhere and that your IT systems are secure.
Security Risks in Multi-Location Workforces
Businesses have a duty to protect shareholders’ assets from risk. This includes not just physical assets like office facilities and equipment, but also digital assets like databases, applications, and networks.
Physical and cyber security are increasingly merging. For example, if an ex-employee were to enter a corporate site and remove a laptop with working network access, then they have just compromised both the physical and cyber domains. Another example could be a Wi-Fi password taped to the wall; this could enable an uninvited visitor to log onto the network.
The source of vulnerability is usually a lack of control over physical access, combined with a lack of visibility into network access. It’s not always an unknown person; it might be someone who is authorised to be there, such as a contractor who uses a shared password to log into an administrative workstation. Either way, you must maintain control over who has access to what.
Mitigating risks within a multi-location workforce can be an administrative nightmare, because you have to track access to facilities, networks and data. Doing so invariably means working with multiple systems which control physical access, network access and application security. This can easily lead to human error.
The variation in facility status can compound this issue even more. A company may own one site, lease another or even have shared spaces in a business park. This all translates into ambiguity over granting physical access and, more worryingly, irregular data reporting about access history.
Whilst the following does not represent a complete security solution, it will support you in identifying some of the common IT vulnerabilities that we often see:
- Do you have clear policies, procedures and guidance for staff who are working remotely? These should include topics such as accessing, handling and disposing of personal data.
- Do you have a system in place to grant employees access to certain buildings or offices, and is this reviewed and permissions revoked where they’re no longer needed? For example, server room access.
- Are you using the most up-to-date version of your remote access software?
- Have you reminded your staff to use unique and complex passwords?
- Are you using multi-factor authentication where possible?
- Have you ensured your cloud storage is not set to public or accessible without a username or password?
- Check that only key staff have been given full access to data, with others only having read, write, edit or delete permissions where appropriate.
- Do you have account lockouts in place for any staff with a higher level of network access, such as locking the account after a certain number of failed logins?
- Have you reviewed who needs remote access to on-site servers? Those only requiring Microsoft 365 tools, for example, won’t need remote access.
- Have you locked down admin tools such as PowerShell or Command Prompt?
- Do you have server rules in place to block the ability to set up forwarding to external email addresses?
- Are staff advised to only use corporate email solutions and not their own email or messaging accounts for work-related correspondence?
A workforce spread out across multiple sites can create risks for any organisation. Failure to have complete control over physical and virtual access leads to vulnerability. With the pandemic meaning more and more employees will remain working from home for some time, the risks are more serious.
Despite IT and data being the backbone and lifeblood of almost every business today, UK businesses are simply too exposed to security and data risks.
If you are unsure about any of the above, then contact us today to discuss an IT Health Check where we can review and identify any issues to be addressed.