Remote Working: How do I allow my staff to work from home, securely?


For some of us, flexible working or remote working is already commonplace. But for many, it’s a new concept.

I want to provide some advice about the technological challenges of supporting remote working, particularly for businesses with a more “legacy” IT setup.

A lot of organisations these days have already moved a lot of their services to the cloud. This means their systems are probably already available across the Internet, so there’s not really a lot to do to support home working. Anyone using cloud-based solutions should ensure that they are using the very best security practices, and a key one here is Multifactor Authentication.

But for companies who still have IT systems “on premise”, such as file servers, email servers, accounting servers, or whatever it may be, it can be difficult to understand the options available to facilitate staff working from home, whilst still having access to these systems.

Below, I will talk about a few of these options.

Give your staff a router

This is not the cheapest option in the world, but it’s probably the easiest for your staff to get on board with. You send your employee home with a router, which they plug in with an ethernet cable to their existing home router. The router will connect to the Internet, through the existing router (no changes needed at home at all, just plug and play), and form a secure VPN back to a device in your office. It can set up a WiFi network and give some ports (typically 4), which are for all intents and purposes on your office network.

The advantage of this is that you don’t need to install or configure anything on the individual machines, and it can support things like printers and phones, and other devices which you could not configure a VPN on.

If you are a company who already use Cisco Meraki, then it’s worth considering the Cisco Meraki Z3 Cloud Managed Teleworker Gateway. This would work with AutoVPN, meaning it’s a piece of cake to set up.

For non-Meraki, you can’t go wrong with a little Cisco 800 series router – it’s not the world’s most widely sold router for nothing. It will take a bit more configuration than a Meraki setup would, but it would still be a fantastic, reliable solution.

Set up an SSL VPN

With an SSL VPN the user either uses a client pre-installed on their machine, or goes to a website (staffvpn.yourcompany.com) to download a piece of software. This software then verifies their identity and establishes a secure tunnel back to a device in your main office, allowing the user to access resources in your office.

With SSL VPN there are two options for configuration:

  • Full tunnel: all of the user’s traffic goes back to your office and out of the office Internet connection. This is a great option if you want to apply the same security controls to the user’s Internet connection as they would have in the office.
  • Split tunnel: with this method, they only use the VPN to access company resources, and their other Internet traffic (Google, social media, etc.) goes out of their home Internet connection. This option is good for conserving bandwidth on the office Internet connection – but it’s highly recommended to ensure adequate protections are in place on the laptop such as DNS content filtering (like Cisco Umbrella).
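
To make the difference concrete, here is an added example (not from the original article or any vendor's client) that models the routes each mode installs and uses longest-prefix matching to show which traffic leaves via the home connection. The office subnets and destination addresses are constructed placeholders.

```python
import ipaddress

# Constructed values for illustration (assumptions, not from the article).
OFFICE_NETS = ["10.20.0.0/16", "192.168.50.0/24"]  # hypothetical office subnets
DESTINATIONS = {
    "10.20.5.10": "office file server",
    "198.51.100.53": "public DNS resolver",
    "203.0.113.80": "external web site",
}

def build_routes(mode):
    """Routes the VPN client installs, as (network, interface) pairs.

    Simplified: the host route to the VPN gateway itself is omitted.
    """
    default = ipaddress.ip_network("0.0.0.0/0")
    if mode == "full":
        # Full tunnel: the default route points into the VPN.
        return [(default, "vpn")]
    if mode == "split":
        # Split tunnel: only office prefixes use the VPN; the rest stays local.
        office = [(ipaddress.ip_network(n), "vpn") for n in OFFICE_NETS]
        return [(default, "home")] + office
    raise ValueError(f"unknown tunnel mode: {mode}")

def egress(mode, dest):
    """Longest-prefix match: which interface carries traffic to dest."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, iface) for net, iface in build_routes(mode) if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def bypasses_office(mode):
    """Destinations that never pass through the office's security controls."""
    return sorted(d for d in DESTINATIONS if egress(mode, d) == "home")

if __name__ == "__main__":
    for mode in ("full", "split"):
        for dest, label in DESTINATIONS.items():
            print(f"{mode:5} {label:20} {dest:15} -> {egress(mode, dest)}")
        print(f"{mode:5} outside office controls: {bypasses_office(mode)}")
```

In split mode the DNS lookup and the web request both leave through the home connection, which is why filtering has to live on the laptop itself.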

Set up Remote Desktop Services

You can set up one or multiple servers in your office, and put a web gateway in front of them, to allow users to use a remote desktop located in the office over the Internet. Please – don’t just open RDP to the Internet!

This can be great for reducing latency – working on a remote desktop can take a little bit of getting used to, but as the desktop is in the same building as the servers you are accessing, the speeds are comparable with working in the office.

This is something to seek advice on if you aren’t familiar with it though, as there are a number of security requirements to consider and there’s certainly a level of complication to get it set up right.
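
One check worth running against your own perimeter firewall, given the warning above about opening RDP to the Internet: the added example below (not from the original article) scans a rule export for allow rules that let Internet sources reach TCP 3389, including rules that only cover it through a port range or "any". The CSV layout and rule names are a constructed, hypothetical format, so adapt the column names to your firewall's export.

```python
import csv
import io
import ipaddress

RDP_PORT = 3389
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export in a hypothetical CSV format.
SAMPLE_RULES = """\
name,action,proto,source,dst_ports
rds-web-gateway,allow,tcp,0.0.0.0/0,443
legacy-rdp,allow,tcp,0.0.0.0/0,3389
admin-range,allow,tcp,0.0.0.0/0,3000-4000
rdp-from-vpn,allow,tcp,10.8.0.0/24,3389
block-rdp,deny,tcp,0.0.0.0/0,3389
catch-all,allow,any,any,any
"""

def covers_port(spec, port):
    """True if a spec such as '443', '3000-4000', '80;3389' or 'any' includes port."""
    for part in spec.split(";"):
        part = part.strip().lower()
        if part == "any":
            return True
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def is_internet_source(src):
    """True unless the source sits entirely inside private (RFC 1918) space."""
    src = src.strip().lower()
    if src == "any":
        return True
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)

def exposed_rdp_rules(text):
    """Names of allow rules that let Internet sources reach TCP 3389.

    Rule ordering (first match wins) is not modelled: results are
    candidates for review, not proof that the port is reachable.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["action"].lower() != "allow" or row["proto"].lower() not in ("tcp", "any"):
            continue
        if is_internet_source(row["source"]) and covers_port(row["dst_ports"], RDP_PORT):
            hits.append(row["name"])
    return hits

if __name__ == "__main__":
    print(exposed_rdp_rules(SAMPLE_RULES))
```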

Use TeamViewer or similar

In a pinch, you could install TeamViewer or similar on PCs in the office.

The downside here is that it’s really only one person per PC – with RDS in the previous section, multiple people can have simultaneous sessions to one server, meaning less hardware to be bought, powered on and maintained.

I’d also advise caution with any software that allows remote access in this way – a quick google of “Teamviewer hacked” will tell you why.

Security Considerations

As always, security should be your number one consideration when deploying any remote working solution.

  • Content Filtering – DNS based, stops you even requesting bad stuff, and if bad stuff gets in it stops it calling home – rendering most ransomware ineffective.
  • Email Security – The stats say 9 out of 10 attacks start with an email.
  • Backups – 3-2-1 rule, at least one copy off site. OneDrive or Dropbox is better than nothing, but you really should use a dedicated backup solution too.
  • Multifactor Authentication – protects against 99.9% of password based attacks. Even if someone gets your password they can’t get in your accounts.
  • Endpoint Protection – this is your antivirus, that I’m sure everyone has anyway, right?!

Non-technological considerations

My friend James Scott has written a great article about the culture of working from home, which you can find here: https://www.linkedin.com/pulse/working-from-more-than-laptops-james-scott/

Richard Eaton has written a fantastic insight into the expectations and considerations for employers when moving to a more flexible working methodology, available here: https://medium.com/@richardjeaton/successful-homeworking-during-the-coronavirus-outbreak-an-employers-guide-4b383b93170e

Any budget

I understand that these are worrying times, and there is a lot of uncertainty. I’m confident that an investment in a secure, reliable home working solution will bring long term benefits to your business, even after the current crisis has passed. Here at Always Networks we can very quickly design and implement a solution to meet any budget, just get in touch and let’s have a chat.
