If you ask a business person where their office is, the likely answer is “everywhere.” They work from home, stay informed while traveling, and check email between sales calls. To increase productivity, many companies provide employees (and perhaps customers or service providers) with remote access to their networks. Are you taking steps to ensure that external access to your system is reasonably protected?
If your business wants to start with security, securing remote access to your network is an important part of the job. Below are some examples drawn from FTC investigations, enforcement actions, and questions companies have asked us.
Securing endpoints.
Your network is only as secure as the most insecure device connected to it, and there’s no guarantee that an employee’s home computer, a customer’s laptop, or a service provider’s smartphone will meet your security standards. Before allowing them remote access to your network, set security ground rules, communicate them clearly, and verify that employees, customers, or service providers are complying. In addition, smart companies take steps to ensure that devices used for remote access have updated software, patches and other security features designed to protect against evolving threats.
example: Before a company allows employees to access the company network remotely, it establishes standard configurations for firewalls, antivirus protection, and other protective measures on the equipment used for remote access, and holds regular internal training sessions. It also issues tokens that generate dynamic security codes employees must enter to reach the corporate network, and maintains procedures to confirm that employees’ devices still have firewalls, antivirus protection, and other protections enabled. In addition, the company regularly re-evaluates its requirements in light of emerging threats and blocks remote access from devices whose security is out of date. By treating endpoint security as an ongoing process rather than a one-time check, the company has taken reasonable steps to reduce the risks that come with remote access.
example: A headhunting firm keeps files on its network containing confidential information about job candidates. When a potential employer retains the firm, the firm gives the employer remote access to its network to view those documents, but does not check whether the employer’s computer has a firewall, up-to-date antivirus software, or other security measures. A better approach would be for the headhunting firm to contractually require employers that want remote access to its network to meet minimum security standards, and to use automated tools to verify that they actually do before access is granted.
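The "automated tools" both examples call for amount to a posture check run at connection time: the connecting device reports its state, and a policy decides whether it may connect. The following is an added illustration written for this page, not code from the FTC or from any company described above. The report format, field names, policy thresholds, and sample devices are all assumptions constructed for the example; a real deployment would take the report from an endpoint agent or VPN client rather than from hard-coded data.

```python
"""Device posture gate for remote access (added example; format and thresholds are assumptions)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class PostureReport:
    """What a hypothetical endpoint agent sends when a device tries to connect."""
    device_id: str
    firewall_enabled: bool
    av_installed: bool
    av_signature_date: date   # date of the newest antivirus signatures on the device
    last_patch_date: date     # date the OS was last patched
    disk_encrypted: bool


@dataclass
class PosturePolicy:
    """Minimum requirements. Kept as data so it can be tightened as threats change."""
    max_signature_age_days: int = 7
    max_patch_age_days: int = 30
    require_disk_encryption: bool = True


def evaluate_posture(report, policy, today):
    """Return (allowed, failures).

    The device is admitted only if every check passes; `failures` names each
    unmet requirement so the user or helpdesk knows what to fix.
    """
    failures = []
    if not report.firewall_enabled:
        failures.append("firewall disabled")
    if not report.av_installed:
        failures.append("antivirus not installed")
    elif (today - report.av_signature_date).days > policy.max_signature_age_days:
        failures.append(f"antivirus signatures older than {policy.max_signature_age_days} days")
    if (today - report.last_patch_date).days > policy.max_patch_age_days:
        failures.append(f"OS patches older than {policy.max_patch_age_days} days")
    if policy.require_disk_encryption and not report.disk_encrypted:
        failures.append("disk not encrypted")
    return (not failures, failures)


def gate_connections(reports, policy, today):
    """Evaluate every connecting device; returns {device_id: (allowed, failures)}."""
    return {r.device_id: evaluate_posture(r, policy, today) for r in reports}


# Constructed sample data: three devices attempting remote access on one day.
TODAY = date(2024, 3, 15)
SAMPLE_REPORTS = [
    # Employee laptop: fully compliant.
    PostureReport("laptop-alice", True, True, date(2024, 3, 14), date(2024, 3, 1), True),
    # Employee home PC: firewall off, stale signatures, unpatched, unencrypted.
    PostureReport("home-pc-bob", False, True, date(2024, 2, 1), date(2023, 12, 1), False),
    # Service-provider phone: signatures are 5 days old, fine under the default policy.
    PostureReport("vendor-phone", True, True, date(2024, 3, 10), date(2024, 3, 10), True),
]

if __name__ == "__main__":
    for dev, (ok, why) in gate_connections(SAMPLE_REPORTS, PosturePolicy(), TODAY).items():
        print(dev, "ALLOW" if ok else "DENY", why)
    # After an outbreak of malware that spreads fast, tighten the signature-age
    # requirement: a device that passed yesterday is blocked until it updates.
    tightened = PosturePolicy(max_signature_age_days=3)
    for dev, (ok, why) in gate_connections(SAMPLE_REPORTS, tightened, TODAY).items():
        print("tightened:", dev, "ALLOW" if ok else "DENY", why)
```

The point of keeping the policy as data rather than hard-coding the thresholds is the "re-evaluates its requirements" step in the first example: when a new threat appears, the operator changes one number and every device is re-judged on its next connection, with the specific failing check returned so the user can remediate rather than just being refused.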
Set reasonable access restrictions.
In this blog series, we have discussed the need to control data access wisely. Just as security-conscious companies limit internal access to sensitive files to employees with a business need for the data, they also set reasonable limits on remote access.
example: A retailer hires a contractor to revamp its online payroll system. The retailer gives the contractor remote access to the parts of the network needed to complete the task, but restricts the contractor’s access to other parts of the system. Additionally, the retailer terminates the contractor’s authorization once the task is completed. By limiting both the scope and the duration of the contractor’s remote access, the retailer has taken reasonable steps to protect the confidential information on its network.
example: A company decides to update its information infrastructure and contracts with multiple vendors to remotely install and maintain software on numerous systems on the company’s network – a project the company estimates will take a year from start to finish. Because the vendors will be working on different parts of the network at different times, the company creates user accounts that give each vendor full administrative access to the entire company network for the whole year. While this may be the fastest way for the company to manage vendor accounts, it is an unsafe one. A smarter option is to tailor each vendor’s access to its scope of work. For example, the company should determine whether certain vendors can perform their duties without administrative access to the entire network. Other vendors may require administrative access, but only for a limited period of time. Additionally, if a particular vendor will have multiple employees sharing administrative access, the company should implement a method so that account usage can be audited and attributed to the specific vendor employee who performed each action.
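The two examples above describe three properties of a well-scoped remote access grant: it is limited to the resources the job needs, it expires when the job ends, and it is tied to a named individual so activity can be attributed. The following is an added example written for this page, not code from the FTC or any company it describes. The grant structure, the glob-style scope syntax, the resource paths, the vendor names and the thirty-day review threshold are all assumptions made for the illustration.

```python
"""Scoped, time-limited, attributable access grants (added example; names and format are assumptions)."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Grant:
    principal: str        # a named individual, never a shared vendor account
    vendor: str
    scope: str            # glob over resource paths, e.g. "payroll/*"
    actions: frozenset    # e.g. {"read", "write"}; "admin" covers every action in scope
    valid_from: datetime
    valid_until: datetime


def authorize(grants, principal, resource, action, now, audit_log):
    """Allow only if a grant for this principal covers the resource and action
    and `now` falls inside its validity window. Every decision, allow or deny,
    is appended to audit_log under the individual principal so use of the
    access can be attributed to a specific person."""
    allowed = False
    for g in grants:
        if g.principal != principal:
            continue
        if not (g.valid_from <= now < g.valid_until):   # expired or not yet active
            continue
        if not fnmatchcase(resource, g.scope):           # outside the scope of work
            continue
        if action in g.actions or "admin" in g.actions:
            allowed = True
            break
    audit_log.append({"time": now.isoformat(), "principal": principal,
                      "resource": resource, "action": action,
                      "decision": "allow" if allowed else "deny"})
    return allowed


def overbroad_grants(grants, max_admin_days=30):
    """Least-privilege review: flag admin grants that cover the entire network
    or that last longer than max_admin_days (threshold is an assumption)."""
    findings = []
    for g in grants:
        if "admin" not in g.actions:
            continue
        if g.scope == "*":
            findings.append((g.principal, "admin over entire network"))
        days = (g.valid_until - g.valid_from).days
        if days > max_admin_days:
            findings.append((g.principal, f"admin for {days} days"))
    return findings


# Constructed sample grants mirroring the examples in the text.
GRANTS = [
    # Payroll contractor: read/write on payroll data only, for the project month.
    Grant("payroll-contractor@vendor-a", "vendor-a", "payroll/*",
          frozenset({"read", "write"}), datetime(2024, 3, 1), datetime(2024, 4, 1)),
    # Two named employees of vendor B: admin on the ERP database hosts, one week each.
    Grant("jsmith@vendor-b", "vendor-b", "erp/db-servers/*",
          frozenset({"admin"}), datetime(2024, 3, 10), datetime(2024, 3, 17)),
    Grant("rlee@vendor-b", "vendor-b", "erp/db-servers/*",
          frozenset({"admin"}), datetime(2024, 3, 10), datetime(2024, 3, 17)),
    # The anti-pattern from the text: one shared account, admin everywhere, all year.
    Grant("vendor-c-shared", "vendor-c", "*",
          frozenset({"admin"}), datetime(2024, 1, 1), datetime(2025, 1, 1)),
]

if __name__ == "__main__":
    log = []
    now = datetime(2024, 3, 15, 10, 0)
    print(authorize(GRANTS, "payroll-contractor@vendor-a", "payroll/runs/2024-03", "write", now, log))
    print(authorize(GRANTS, "payroll-contractor@vendor-a", "hr/reviews/2024", "read", now, log))
    print(authorize(GRANTS, "payroll-contractor@vendor-a", "payroll/runs/2024-04", "write",
                    datetime(2024, 4, 2, 9, 0), log))
    for entry in log:
        print(entry)
    print(overbroad_grants(GRANTS))
```

The review function is the part most often missing in practice: grants accumulate, and nothing re-checks them until an incident. Running it on a schedule turns "full administrative access for a year" from an invisible default into a finding with a name attached to it.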
Not many thieves use bulldozers to knock down walls. Instead, they exploit weaknesses in doors, windows, and other exterior entrances. The message to companies is that if you allow remote access to your network, be vigilant about protecting those portals.
Next article in the series: Apply good security practices when developing new products