Connection options
There are many ways to connect a remote computer, such as a laptop, home-based computer or mobile device, to the company network. Each has its own security challenges.
- Virtual private network (VPN).
- Remote email access.
- Windows Remote Desktop.
- Third-party remote desktop tools such as Citrix, PCAnywhere or GotoMyPC.
The risks
- Eavesdropping on your information – as information travels over the public internet.
- Unauthorised access.
- Unsecured or fake Wi-Fi hotspots.
Safe mobile and home working
The size of your organisation, the nature of its business and the complexity of the tasks and access involved whilst working away from the business premises will determine how to set up and use remote and mobile working. If you are a small company whose employees need only occasional access to files, it can be quite simple to set up effective and safe remote working. For larger organisations with multiple remote workers requiring access to customer relationship management (CRM) systems, for example, it is probably better to engage a professional IT partner or employ an in-house specialist to specify and implement a safe, effective and reliable solution.
Prevent eavesdropping
- A VPN is a secure communications link between office and remote workers. It is essentially an extension of the secure office network, using a secure channel within the public internet to connect. You can link to the business network and email using public Wi-Fi as long as it is via your VPN.
- For other remote connection methods including browser-based applications, make sure that the link is securely encrypted as follows:
  - There should be a padlock symbol in the browser window frame that appears when you attempt to log in or register. Be sure that the padlock is not on the page itself.
  - The web address should begin with ‘https://’. The ‘s’ stands for ‘secure’.
- Remember that in security terms it is preferable to use a 3G or 4G connection rather than a non-secure Wi-Fi network. Do not carry out any confidential transactions, communications or network access via public Wi-Fi hotspots as they may not be secure.
- Ensure that home routers used for any business purposes are protected using WPA2, unless all data is sent and received by VPN.
Control access
- Ensure that you have a secure network, including an effective firewall to keep out unwanted connections.
- Restrict unauthorised physical and electronic access to your firewall, VPN router, administrator accounts and servers.
- Ensure that all users have strong passwords and do not share them with anyone else or store them where they can be accessed.
- Consider using biometric security such as fingerprint scanners and/or token-based authentication.
- Make sure that employees who have remote access do not store their login details on their computer or other devices.
- Instruct employees not to store sensitive company information on remote computers or mobile devices.
- Instruct employees to log out when they have completed their session. Merely closing the window or powering down the device may not be sufficient.
- Instruct employees to not use public Wi-Fi hotspots (for example, in cafes, pubs and hotel rooms) for confidential work.
- Do not enable ‘remember me on this computer’ features.
- Delete remote access privileges once they are not needed. For example, do not let employees or contractors who have left the organisation retain access to your network.
- Maintain an audit trail of who has logged in, and when.
Protect your network
- Review firewall and other server logs to monitor remote access. Watch for unusual activity.
- Ensure that the system is regularly tested for vulnerabilities (known as ‘penetration testing’) and that any loopholes are closed.
- Ensure that you keep your firewall and VPN software up to date to protect against evolving threats.
- Many remote desktop programs rely on installing a client program on an office computer. This creates a tunnel through the firewall. Do not allow employees to do this on their own initiative. Control which programs are used and how they are installed.
- Control access to critical information.
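
As an added illustration (not part of the original guidance), the sketch below shows what reviewing an audit trail for unusual remote-access activity can look like: it flags logins by accounts whose access should have been removed, logins outside working hours, and bursts of failed logins. The log format, user names, working hours and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp, user, source IP, result.
# The line format is an assumption; adapt parse() to your VPN or firewall export.
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice 203.0.113.10 SUCCESS
2024-03-04T09:30:00 bob 198.51.100.7 FAIL
2024-03-04T09:30:20 bob 198.51.100.7 FAIL
2024-03-04T09:30:41 bob 198.51.100.7 FAIL
2024-03-04T09:31:02 bob 198.51.100.7 FAIL
2024-03-04T09:31:30 bob 198.51.100.7 FAIL
2024-03-04T18:45:00 carol 192.0.2.55 SUCCESS
2024-03-05T02:14:09 alice 192.0.2.99 SUCCESS
"""

ACTIVE_USERS = {"alice", "bob"}      # hypothetical list of people who still need access
WORK_HOURS = range(7, 20)            # 07:00-19:59, an assumed policy
FAIL_THRESHOLD = 5                   # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window

def parse(log):
    """Yield (timestamp, user, ip, result) and skip lines that do not fit the format."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def review(log, active_users=ACTIVE_USERS):
    """Return (timestamp, user, ip, reason) for each entry worth a closer look."""
    findings, fails = [], defaultdict(list)
    for ts, user, ip, result in parse(log):
        if user not in active_users:
            findings.append((ts, user, ip, "account not on active list"))
        if result == "SUCCESS" and ts.hour not in WORK_HOURS:
            findings.append((ts, user, ip, "login outside working hours"))
        if result == "FAIL":
            # Keep only this user's failures that fall inside the sliding window.
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) == FAIL_THRESHOLD:
                findings.append((ts, user, ip, "repeated failed logins"))
    return findings

if __name__ == "__main__":
    for ts, user, ip, reason in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<6} {ip:<14} {reason}")
```

A flagged entry is a prompt to check with the person concerned, not proof of misuse; tune the hours and thresholds to how your staff actually work.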