Technical Measures to Consider During Remote Working
Due to the Covid-19 coronavirus epidemic, which is on the agenda of the whole world, many companies switched to remote working. However, some companies could not start working from home due to a lack of technical infrastructure, while others switched to working from home without being aware of the systems they had to set up and without taking the necessary precautions.
In the frequently asked questions guidance published on the subject by the Turkish Personal Data Protection Authority (KVKK) and the ICO, the question "What kind of security measures should be taken to work from home?" is answered by stating that data protection is not a barrier to working from home and that the usual security measures should also be applied when working remotely.
In the Guidelines for Safe ‘Remote Work’ published by the National Cyber Incidents Response Center within the scope of coronavirus outbreak measures, the important measures are described as follows: defining a time-out for maximum connection time on systems; establishing the rules defined for remote work on a temporary basis; applying "source IP" restrictions to remote connections where possible; using multi-factor authentication and time-based authorization for access; and ensuring that remote access is not permitted to any critical systems for which, according to the risk assessment, it should not be defined.
So, what aspects should companies take into consideration when working remotely?
1. Equipment Security
One of the biggest issues experienced during the pandemic was that companies did not have equipment suitable for handling operations remotely from home. Switching to working from home was much easier for companies whose computers are portable and whose communication devices can also be used remotely. In this context, there were those who tried to carry their monitors home, and those who could not carry their computers and were expected to use their personal computers at home for business purposes. The lesson learned by companies was that screened devices should be provided to people according to the nature of the job, because the first rule of working remotely is that the quality of work must be appropriate for working from home.
Besides, asking employees to use their personal computers at home for business purposes because of a lack of equipment creates a major gap in cyber security, since personal computers do not have the same systems as office computers. For example, it will not be possible to monitor the personal computers of people who connect to Office365 accounts. And since the USB ports of personal computers will not be disabled, it will be much easier for employees to export company data.
In summary, it is necessary to make sure that the necessary security software is installed on the equipment used for remote working, that up-to-date software is used, and that no malware is present. Insufficient equipment will make the company vulnerable to both internal and external attacks.
When working remotely, employees must have only as much system access as their tasks require, in accordance with the principle of "least privileged access". In particular, unnecessary access authorizations on critical data should be restricted. Since home network connections may not have the same security measures as those in the company, it is very important to ensure that communication is encrypted with a VPN and that use of the VPN is mandatory. Unauthorized access to the network can be prevented by using two-factor authentication (2FA) for all employees' authentication processes.
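The controls listed in the guideline above (connection time-out, temporary rules, "source IP" restriction, multi-factor authentication, time-based authorization, no remote access to critical systems) and the least-privilege rule can be evaluated together for each remote access request. The following is an added example, not code from the original article or from the guideline; all addresses, hours, dates, role names and system names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Every value below is constructed for illustration, not taken from the guideline.
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]  # "source IP" restriction
ACCESS_HOURS = (time(8, 0), time(19, 0))          # time-based authorization
MAX_SESSION = timedelta(hours=8)                  # maximum connection time
RULES_EXPIRE = datetime(2020, 9, 1)               # remote-work rules are temporary
NO_REMOTE = {"payroll-db"}                        # critical per risk assessment
ROLE_SYSTEMS = {"accounting": {"erp", "mail"}}    # least privilege, by task

@dataclass
class Request:
    role: str
    system: str
    source_ip: str
    mfa_passed: bool
    session_start: datetime
    now: datetime

def ip_allowed(text):
    try:
        addr = ip_address(text)
    except ValueError:
        return False  # fail closed on a malformed address
    return any(addr in net for net in ALLOWED_SOURCES)

def evaluate(req):
    """Return (allowed, reasons); every failed control is listed."""
    checks = [
        (req.now < RULES_EXPIRE, "temporary remote-access rules expired"),
        (req.system not in NO_REMOTE, "system excluded from remote access"),
        (req.system in ROLE_SYSTEMS.get(req.role, set()), "not needed for role"),
        (ip_allowed(req.source_ip), "source IP not allowed"),
        (req.mfa_passed, "multi-factor authentication missing"),
        (ACCESS_HOURS[0] <= req.now.time() < ACCESS_HOURS[1], "outside authorized hours"),
        (req.now - req.session_start <= MAX_SESSION, "maximum connection time exceeded"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return (not reasons, reasons)

if __name__ == "__main__":
    start = datetime(2020, 4, 1, 9, 0)
    print(evaluate(Request("accounting", "erp", "203.0.113.7", True, start, datetime(2020, 4, 1, 10, 0))))
    print(evaluate(Request("accounting", "payroll-db", "198.51.100.9", False, start, datetime(2020, 4, 1, 22, 0))))
```

Reporting every failed control, rather than stopping at the first, gives the log entry enough detail to tell a misconfigured client apart from a request that fails on all counts.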
3. Network Security
The use of shared Wi-Fi networks is not safe, and online activities on such networks can also be monitored. It must be ensured that connections made from browsers and e-mail applications are encrypted. Turning off the Wi-Fi connection when network access is not required will secure the device. Unknown devices such as smartphones and USB drives should never be connected, since it cannot be known whether they are properly protected or whether they contain viruses. To ensure security, it should not be possible to disable the anti-virus systems installed on devices.
To secure the wireless networks used at home, the default usernames and passwords set by Internet Service Providers must be changed. This way, configuration changes can only be made by that person. The default name (SSID) of the wireless network should then be changed as well. The SSID should be chosen so that it cannot be associated with the address or the person.
Wireless networks should be configured to use the strongest encryption; old and weak encryption methods such as WEP should not be used, as they are not secure. Strong passwords should be used for wireless networks, and the password should only be shared with people who pose no risk when logging in to the network. All devices connected to the network must be identified and protected with strong passwords. Features of the devices in use, such as Bluetooth, should be turned off.
Internet Service Providers can be contacted for tools and facilities that help protect the home network.
Employees should be aware that they must not give anyone, including family members, access to devices. To keep all these measures effective, all personnel working remotely should, as in any case, be given cyber security awareness training, and measures should be taken against possible human error.
It should not be forgotten that the best defense is to be aware of the risks and take the necessary measures.