By now pretty much everyone has heard the terms “social distancing” (keeping 6-10 feet away from each other in public) and “self quarantining” (locking down in your home when you’re symptomatic) to help stop the spread of the Coronavirus and “flatten the curve” (to reduce the impact on the health care industry). But the reality is, life must still go on despite these very limiting practices that we should all be encouraged to do where appropriate, and we still need to be able to do our jobs. This is where the concept of “Work From Home” comes into play, thanks to a lot of great technology all enabled by the internet and various social media and video streaming platforms. But there is still the ever-present issue of cyber security.
SR2 Solutions has heard from a number of companies asking about how to move their employees out of the office and into their homes while maintaining the cyber security of the organization against ransomware and other types of cyber attack.
Many companies will jump to the well-known default of a Virtual Private Network (VPN) as a way to securely remote into a company’s network to keep the information secure as it travels over the internet between the office and a worker’s laptop. But this does not protect against ransomware. Ransomware can transmit from a remote laptop to your office network over a VPN just as easily as it can in any other networked environment.
What’s worse, by extending your office network into your employees’ homes through a VPN you are potentially increasing your risk for ransomware and other forms of malware. It isn’t just your employee’s laptop that could introduce ransomware into your network. Other laptops, desktops, video game systems, and smart devices could spread malware to your employee’s laptop, which could then spread it to your office network by way of the VPN. Every one of those other devices running on the same network in your employees’ homes could be the way malware gets onto your network. Put plainly, a VPN is only one small piece of the puzzle in helping your employees work from home and should NOT be relied upon to keep your company safe.
So what steps should you take?
At the end of the day you have to maintain control of the network for your company and who (or what) has access to that network through the users that you allow onto the network. Think of your network like a giant web (bringing back terms from the 1990s here), with the strands of that web going into your employees’ homes through a VPN. It is your responsibility to protect the ends of the strands and only allow legitimate traffic into your web.
How do you establish that level of control?
There are three ways that we recommend at SR2 Solutions. The least secure method is a Bring Your Own Device (BYOD) policy where employees provide their own laptops. More secure than that is to issue company owned laptops that have been secured by your IT team or your Managed Services Provider (MSP). But the best method, in our opinion, is to use Remote Desktop Protocol, where users remotely take control of a physical or virtual machine on your network.
Bring Your Own Device, Cost Effective, Security Is Low
BYOD policies have been all the rage the last several years. They can be cost effective since you are letting your employees bring in their own equipment, which they are responsible for. However, there have been a great many issues with these policies from a security perspective. Because it is generally left up to the employees to maintain their equipment, the security of that equipment has been left to them as well. There have been numerous stories over the years where an employee of an organization with a BYOD policy brought a laptop with malware on it into the office network and that malware then spread throughout the network, creating a great deal of downtime for the organization and even data loss in some cases. I worked with a great team of fellow Texas A&M Bush School students this past year on developing a cyber policy that was intended in large part to address many of these concerns (if you are interested, you can find our work at https://cybersecurity.tamu.edu/wp-content/uploads/2019/12/EMPSA-Capstone-Cybersecurity-Policy-for-Public-and-Private-Sector-Entities-Nov-2019.pdf).
The same hazards that BYOD policies bring to an office network exist when using a VPN to connect personal equipment to an office network. However, BYOD does save small companies the cost of having to issue laptops to every employee who is being asked to work from home. The risk can be mitigated to a degree by having each personal device vetted by your cyber security professional to ensure that the appropriate software is installed and that the system is clean of any malware.
Company Owned Laptops, Effective For Security, but Is Costly
It is far easier to control laptops that are issued by your company than it is to control your employees’ personal laptops. Company laptops can be provisioned quickly by technicians to remotely allow or disallow access to your company network. This gives the organization much better control over the laptops being used to connect to your office network. However, it can be costly to buy a new laptop for every employee needing to work from home, and to cover the manpower your IT team needs to program each one. Additionally, there is still some malware that can spread from other personal devices on the home WiFi to the company owned laptop.
Remote Desktop Protocol, The Best for Security, Can Be Expensive
We consider this to be the best option from a security perspective. By using Remote Desktop Protocol (RDP), your employees take control, over an encrypted connection, of a computer that either physically exists in your office or runs virtually on your server. This practically closes off the possibility of ransomware and malware spreading to your office network since there is no VPN. The downside can be the cost, specifically the cost of the internet connection needed into your office. Since this is basically streaming video from a workstation on your office network to multiple employees over the internet, there is a huge need to increase the outbound bandwidth of your office network. This can be costly, especially for small and midsize businesses. While this usually isn’t an issue for one or two people at the same time, if you are asking 20 to 100 employees to work from home this way you will have to increase the office internet bandwidth to support all of them. However, there is an alternative that can be much more cost effective.
Cloud based virtual desktops can be spun up in services like Amazon Web Services or Microsoft Azure. This has two massive benefits from a financial perspective. First, you get the savings of not having to issue company laptops to all of the employees that you want to work from home. Second, you are able to use the cloud provider’s bandwidth to support a much larger number of employees. Billing generally follows a “pay for what you use” model where, instead of paying for capacity, you only pay for actual use.
From a cyber security perspective you also gain control over entry into your network, since these systems can be administered by your IT team or MSP. We consider cloud based virtual desktops the best balance of cyber security practice and financial cost for the organization.
Working from home is definitely new territory for a lot of companies, whether it’s the small business of office workers or the large corporation with employees in multiple states or multiple countries. The anxiety of COVID-19 is making a lot of people in all areas of life move quickly to implement social distancing practices. There is especially a great deal of anxiety in the business world to mitigate the disruption of companies while protecting employees and customers. But when it comes to business continuity issues, it is important not to make a bad situation worse by opening your organization up to ransomware or other forms of cyber attack.