Faced with a pandemic, millions of people all over the world were suddenly forced to work from home. While people adapt to unique circumstances, there are significant technological hurdles for businesses, with entire teams transitioning to remote work. Mitigating risks and complying with security controls is challenging for any business but particularly for those teams that work with sensitive data outside the office.
In this article, we look at the potential risks to businesses from remote work, how ISO standards can improve information security for remote workers, and how GRC tools can help smooth the process.
Risks of Working From Home for Businesses
Even before the COVID-19 pandemic, working from home was becoming increasingly popular, not to mention a great way to save costs for businesses. Remote work, however, poses additional information security risks for businesses.
Any activity that transfers information outside of a business’ control presents significant risk to information security that must be addressed with the right controls. There are several types of remote working risks:
- Employees not being able to access resources required to do their jobs, including hardware, software, and access to business systems
- Exposing the business’ network to security breaches from an employee’s computer or network (and vice versa)
- Potential loss or transmission of data to unauthorized parties
- Lost productivity due to lack of oversight or distraction
- Employees becoming isolated from colleagues and the broader organization
- Damage to company culture or team morale from the lack of face-to-face contact
To address these risks, it is important that businesses develop policies and security measures to ensure employees complete their duties while maintaining a secure environment.
How to Secure Information While Working Remotely
There are several steps for businesses to address information security for remote work: conducting risk assessments, applying the principle of least privilege, creating work from home policies, and applying ISO controls for teleworking and mobile devices.
Risk assessments are used to identify threats, assess their likelihood and impact, and adjust security measures accordingly. This process allows managers to be proactive by prioritizing threats and assigning resources to implement appropriate security solutions. Specifically, a teleworking risk assessment should consider:
- Access in the home (e.g. family, friends) to devices that are used to access business systems
- Printed material in the home that could be lost or stolen
- Devices used for teleworking could be lost or stolen and used to access business systems
- Information can be intercepted when transmitted from devices to business systems and vice versa
- Devices, particularly if outdated, can be compromised and used to invade business systems
These risks can be magnified when mobile devices are used. As such, it is important for businesses to establish clear policies for safeguarding mobile devices and the information which they can access.
The ‘principle of least privilege’ is a security concept where users are given the minimum level of access or permissions needed to perform their job functions. This reduces the risk of unauthorized access to systems or sensitive data if a device is lost or stolen or information is intercepted. The principle of least privilege contains a compromise to its area of origin and prevents it from spreading to other parts of the system. This principle should be applied to the devices, software, and systems used for teleworking.
ISO 27001 is a best-practice standard for managing information security and can be applied to telework. It includes controls for mobile devices (A.6.2.1) and teleworking (A.6.2.2). These include detailed descriptions of controls to protect information accessed, processed, or stored outside the business, such as:
- Who can telework (e.g. IT staff, sales staff, managers etc.)
- Which services are available for teleworkers (e.g., payroll systems, invoicing systems, etc.)
- Which information can be accessed through telework (e.g., KPI dashboards, customer details etc.)
- Which access controls are applied before access to information and resources is granted (e.g., password, two-factor authentication, etc.)
- How devices and remote sites should be configured, protected, and used (e.g., devices with cryptography, no use of shared rooms to work, information backup, etc.)
Securing Your Remote Work Environment With GRC Software
At StandardFusion, we believe in leveraging modern processes and technology to increase productivity and quality while reducing costs. It is well known that governance, risk, and compliance (GRC) tools can be used for compliance management, risk assessments, audit management, vendor management, and even streamlining the implementation of standards such as ISO 27001. But how do they help when everyone is working at home?
Firstly, using a GRC tool to understand your compliance posture goes a long way toward identifying your security gaps for remote workers. Once these gaps have been identified, it is vital to track the implementation of new controls and improvements to existing controls and policies. Finally, policy communication, testing, and ongoing control monitoring need to be implemented and automated.
Secondly, GRC tools allow you to understand your risks at an asset and threat level. This makes it easy to perform additional risk assessments as situations arise, such as moving to remote work. As new risks are identified, it is important to track corrective actions and create mitigating strategies as needed. Maintaining an active risk register enables businesses to move away from being reactive and become proactive.
Lastly, GRC tools are the number one way for any organization to get a bird's-eye view of their complete risk and compliance program(s). Generating meaningful reports, reviewing dashboards, and collaborating with team members are all key elements of any full-featured GRC platform. GRC tools are designed to bring visibility and security to every corner of your business, whether at the workplace, at employees' homes, or anywhere in between.
The acceptance and popularity of remote work is set to increase even further after the COVID-19 pandemic demonstrated its suitability on a massive scale. It will be increasingly important for businesses to identify, assess, and mitigate the risks that working from home poses to organizations. Businesses can apply industry-standard controls, such as ISO 27001, to ensure the information security risks of teleworkers are adequately addressed. Leverage a GRC tool to easily identify security gaps and new risks. Track improvements, corrective actions, and policy communication across your entire organization. Take a proactive approach towards information security and bring visibility and security to every corner of your business.