Local authorities across the UK, in response to COVID-19, have had to move quickly to introduce a full-time remote working environment for all colleagues within a few weeks. Little did they expect to still be working this way months on.
For most, the swift and unexpectedly protracted shift has meant migrating practically overnight from highly monitored networks to less secure home internet connections. This transformation in the way local government operates has created a host of new security and risk management challenges.
Even before the move to mass remote working, local authorities were facing pressure to manage the ever-increasing operational, reputational or systemic risks posed by cyberattacks. For instance, in the first half of 2019 alone, councils were hit by more than 263 million cyberattacks. Although most local government employees have been given corporate end-user devices, the additional risk associated with employees working from home networks has created enormous, and valid, concern.
Additionally, if employees use devices for both personal and professional functions, sensitive work-related documents may sit next to social media, messaging and potentially malicious third-party applications. The perfect storm created by the speed needed to implement a remote workforce, and the rigour required to manage employee security practices across personal and corporate work, has raised the stakes.
To establish clear remote access policies, businesses need to start by defining employee, manager and IT administration responsibilities. IT teams should also begin with an assessment of security tools and technology infrastructure to ensure the most secure and appropriate technologies are used. Selecting technologies that have security built-in versus added-on can help to lower risk while protecting data.
Communication is also key. Keeping employees informed about best practices, updates to operating systems and approved applications, such as web browsers, instant messaging clients and security software, can help keep everyone alert to the increased threat landscape – once only the concern of the IT department.
Education must also be part of the solution, and businesses should be vigilant in their approach to employee training on cyber safety. Local authorities will need to educate their employees on ways to keep their devices safe, such as controlling device access by setting a unique PIN and automatically locking a device after an idle period – these should be default settings that homeworkers cannot change. Networking capabilities, such as Bluetooth and near-field communication, should also be disabled except when needed.
Top Tools for Homeworking Success
Despite the best policies, human error is inevitable. Therefore, the right tools are essential to help protect employees and to provide secure remote access within local government:
- VPN: A VPN-protected connection is among the most straightforward and most essential security solutions. A good VPN connection is encrypted and cannot be easily intercepted or undermined.
- Remote Desktop Protocol (RDP): RDP involves desktop sharing: users connect directly to another machine rather than simply connecting to a private network. RDP should only be used with validated company IT administrators and also in conjunction with a VPN to minimise security risk.
- Cloud: Organisations can pick from various cloud solutions to establish a remote digital environment. In fact, a multi-cloud approach offers increased security and greater flexibility, transparency and scalability for public sector agencies. However, cloud service providers should provide a ‘Security Service Level Agreement’ (SSLA), and to minimise cloud computing security risks, users should enable two-factor authentication and consider the use of hardware/software tokens.
- Mobile Device Management: Mobile Device Management (MDM) will allow authorities to place controls on end-user devices, segmenting business use and data from personal use and data. It’s also important to establish and enforce ‘tiered levels’ for remote access, based on role, and require multifactor authentication for administrative access.
Making a Homeworking Security Policy work
The foundation for local authorities implementing secure homeworking environments is an IT security programme that instils zero-trust policies (i.e. ‘don’t trust anything’) and clearly defines what is safe, secure and permissible. This won’t happen overnight, but it’s important to implement a remote work plan as soon as possible to improve security in the medium and long term.
And for a policy to work, IT must deliver the right solutions, from the remote endpoint (‘the edge’), to the datacentre, to the cloud, and back. A comprehensive security policy needs to protect devices, networks and storage while providing a seamless user experience. Above all, it needs to protect the data no matter where it resides. Today’s adage is “data is everywhere, so security needs to be everywhere”.
During this period of extended homeworking, a security and risk management plan for remote employees — and the immediate steps your team can take — are mission-critical. Careful execution of these procedures will bolster the security posture of the workforce to mitigate the risks associated with homeworking, both for local authorities and their employees.