Building Your Teleworking Response Plan
Melon’s engineers have dealt with business continuity, remote work, security and collaboration solutions for enterprise and SME clients for over 10 years. The most demanding client throughout that period was Melon itself. We’ve tested and enabled every solution by applying it to our own distributed, capricious and complex IT infrastructure, that of a software development company which has served 1000+ companies worldwide. Hence even challenging situations such as the recent spike in home office arrangements did not catch us unprepared. This article is our know-how and experience with teleworking solutions and options, stuffed into a blog post written on someone’s kitchen table.
Today’s mixture of desktop PCs, notebooks, tablets and smartphones is an unavoidable fact. Some companies have adopted a portable-devices-only policy and provide notebooks and smartphones to their employees. Others enhance their workplace solution with Virtual Desktop Infrastructure (VDI) and use thin clients. There are, however, companies that still make intensive use of desktop PCs or workstations, often for their greater computing power. Naturally, it’s impractical to ask your employees to bring their desktop PCs home or to urgently order dozens of laptops, overwhelming your IT staff and incurring significant expenses. Here are some options to explore:
1. Well-Shaped Bring Your Own Device (BYOD) policy
If you are ISO 27001 certified, you know what we have in mind. Personal devices are a significant risk to your company network: they may be unprotected and could carry malware, ultimately leading to data breaches. A BYOD policy relies on a mix of processes and technology that gives your IT department control over, and monitoring of, the behavior of personal devices connected to the company network.
2. Cloud VDI
Amazon WorkSpaces and Azure Virtual Desktop are great offerings that let you quickly bring up dozens of Windows virtual desktops for your employees. You can bring your own image containing the software you need, use cloud-provided licenses or choose the Bring Your Own License (BYOL) model. Creating a site-to-site VPN is an option for integrating your cloud teleworkers into your existing company intranet. You can use policies to further control whether file copy or other content copy-paste is possible between one’s virtual desktop and the client PC, restricting the flow of confidential data.
Why Cloud VDI:
- Short lead time
- No upfront investment for expensive hardware
- Ability to scale quickly
- Pay as you go
VDI and BYOD often work very well together: employees get the mobility and freedom to connect from any device available to them, while the IT department takes care of applying company standards and security on the virtual desktops. Company data stays on the secured virtual desktops rather than on personal devices.
Regardless of where your computing happens, security applies everywhere: on-prem and in the cloud; on Linux, Windows and macOS; on company and personal devices.
Below are our 5 tips for staying secure when working remotely:
1. Internet Connectivity & VPN
Protecting data in transit is key, for your personal data and for confidential company data alike. How to ensure your data travels safely:
- Use a proven Internet Service Provider (ISP) with a good reputation.
- When using WiFi, make sure your wireless network is encrypted and password protected. WPA2 provides decent protection. Use a strong password, and do not forget to change your default router administrator password!
- Do not use public (open) WiFi Networks.
- Do not share your WiFi Network with unknown neighbors.
- Only visit websites secured by TLS certificates (https://).
- When accessing company resources, use VPN or alternative connectivity solutions as provided by your company administrator.
- Avoid using company public cloud resources from unmanaged PCs. Use your company notebook, VDI, or a BYOD-compliant device instead.
2. Credentials & MFA
Recent studies show that 99.9% of account hijacks could be prevented by using Multi-Factor Authentication (MFA). Setting up MFA helps deny attackers access to company resources even if your credentials leak. We advise you to:
- Use a long password rather than a short, complex one. A 30-character passphrase with letters and digits is much better than an 8-character password with special characters.
- Always set up MFA/2FA wherever the feature is available.
- Avoid reusing passwords. Consider using a password manager like Passbolt or 1Password to store your passwords and securely share team passwords with co-workers.
- Avoid sending credentials in plain text when a password manager is unavailable. Sharing the username in one email and the password in a second one is legacy practice and insecure. Always consider a second communication channel for sending the password, such as SMS or https://privnote.com for example.
3. Phishing Awareness, Viruses & Malware
Malware floods us on a daily basis. The threat is real, abundant and omnipresent. Threat actors also exploit human curiosity or fear, trying to lure you into downloading mobile apps or visiting pages that pretend to give you what you want but instead ask you to download software containing malware or ransomware.
With the increase in teleworking, attackers are expected to imitate the login pages of public cloud collaboration services such as Microsoft Office 365, Google G Suite, Cisco WebEx and others in order to steal credentials.
Social engineering should not be underestimated either.
Some guidance to stay safe:
- Make sure your anti-spam and anti-virus engines are turned on.
- Install the latest software security updates. Turn on automatic security updates.
- Do not open emails from suspicious senders. Do not click on suspicious links in emails or on the web.
- When you receive an email that seems to come from a coworker but the topic is abnormal for that coworker’s role, it is a sign of phishing. Call your coworker to verify whether they sent the email.
- Use S/MIME certificates, where possible, for signing emails. An email signature can prove the sender’s identity. However, do not consider every email with a “signed” icon legitimate! Always verify that the signature belongs to someone you trust.
- When you open links, double-check that the domain name shown in the browser matches the one you expect to visit. Phishing websites often disguise themselves by prepending a legitimate domain name to a fake domain. https://login.microsoftonline.com/ is legitimate, whereas https://login.microsoftonline.com.remoteapp.com/ is a sign of phishing!
- In case you’ve entered your credentials on a phishing website:
o Immediately change your password. If you’ve used the same credentials in other systems, change the password in those systems as well, following the password guidance above.
o Inform your IT department.
o Enable MFA on your account, if you haven’t already done so.
- Beware, especially when teleworking, of phone calls from people pretending to be your company IT department who ask you to visit pages, enter or provide credentials, grant remote access to your PC via TeamViewer, AnyDesk or similar software, or hand over any company information. Instead, ask who is calling and say you will return the call in a few minutes. Look up that person in the company directory and call them. If they are familiar with the context, you can conclude it was a legitimate call. If not, you have the chance to report the phishing attempt while speaking with the actual IT department!
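The domain check described in the link guidance above, written out as a small Python classifier. This is an added example, not code from Melon or the original post; the allow-list of expected login domains is a constructed assumption (your IT department publishes the real one), and the sample links include the two URLs from the text plus a constructed `user@host` variant, where the legitimate name sits before the `@` and the browser connects to what follows it.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example (assumption: in practice your IT
# department tells you which login domains you are expected to use).
EXPECTED_LOGIN_DOMAINS = ("login.microsoftonline.com", "accounts.google.com")


def host_of(url: str) -> str:
    """Host the browser really connects to, lower-cased, trailing dot removed.
    urlsplit().hostname already drops any user@ prefix and any :port suffix."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def under_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a label-wise subdomain of it.
    'login.microsoftonline.com.remoteapp.com' ends with '.remoteapp.com', not
    with '.login.microsoftonline.com', so the legit name on the left is decoration."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """Classify a link before typing credentials into it:
    'expected'  - HTTPS and the real host is (under) an expected login domain
    'not-https' - expected domain but no TLS: do not enter credentials
    'lookalike' - an expected name appears in the URL authority, but the real
                  host is not under it (prepended-domain trick or user@host form)
    'unknown'   - none of the above; treat it as carefully as a lookalike"""
    parts = urlsplit(url)
    host = host_of(url)
    if not host:
        return "unknown"
    for domain in EXPECTED_LOGIN_DOMAINS:
        if under_domain(host, domain):
            return "expected" if parts.scheme == "https" else "not-https"
    if any(domain in parts.netloc.lower() for domain in EXPECTED_LOGIN_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; the first two are the ones quoted in the text.
    for link in (
        "https://login.microsoftonline.com/",
        "https://login.microsoftonline.com.remoteapp.com/",
        "https://login.microsoftonline.com@203.0.113.10/",
        "http://accounts.google.com/",
        "https://example.org/login",
    ):
        print(f"{classify_link(link):10} {link}")
```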
4. Home PC sharing
If you share your home PC with family members, take the necessary precautions for security and isolation. Always check the PC sharing rules your company’s BYOD policy applies; some companies forbid sharing a BYOD-enabled personal computer with others. Our general guidance for home PC sharing includes:
- Use isolation: give each family member a separate, non-privileged user account protected by a strong password.
- When possible, do not work from your home PC directly; connect to a company VDI farm and access company resources from there.
- Avoid saving passwords in browsers, virtual desktop clients, etc.
- Ensure your PC has up-to-date antivirus software, automatic updates enabled and no pirated software installed.
- Avoid connecting more than one VPN client at a time.
- When you finish work, log off your user account.
5. Awareness, Compliance and Support
For the security measures to be effective they must be followed by everyone. A company’s security strength is measured by the strength of its weakest spot.
It is important to raise your employees’ awareness of the security measures in place and to provide them with the necessary technical support 24x7.
Your IT department, on the other hand, should oversee BYOD policy compliance and put in place the technological solutions needed to meet the required security standards.
Online collaboration is a proven technology. Multiple companies offer extended free trials or grace periods for their online collaboration platforms, helping the workforce meet online.
Here are the tools we use and recommend to others:
- Microsoft Teams – chat, document sharing, voice and video conferencing
Very powerful, especially for companies already using Office 365 services.
When combined with Calling Plans, it can act as the primary or backup telephone system your company uses to dial outside.
This month Microsoft committed to 6 months of free Teams.
- Azure DevOps Boards – our favorite task tracking tool, especially useful for software development companies thanks to its Git repository and CI/CD pipeline features.
- Melon LMS – our eLearning platform that helps you educate your employees with interactive courses fine-grained for your company needs, while giving you the option to monitor training compliance.
Business Continuity and Disaster Recovery
You need to plan for your IT infrastructure’s resilience, especially when everyone, including the IT department, is expected to work remotely. This brings the challenge of not only maintaining a Business Continuity Plan (BCP), but also creating a self-healing, auto-scalable infrastructure that requires minimum IT staff engagement to operate.
Some of the key questions to ask yourself when building your BCP are:
- What are my business-critical applications? Where are they hosted and how are they accessed?
- How much downtime (Recovery Time Objective – RTO) can I tolerate on my business-critical applications? How much data can I lose (Recovery Point Objective – RPO)?
- What technological solution do I need to achieve my RTO & RPO objectives?
Building your concrete solution often spans multiple technological areas, like:
- Data centers
The cloud can provide the on-demand capacity you need when you trigger a BCP, together with the automation features required to evolve into an auto-scalable, redundant infrastructure.
Where to Start?
Companies working in the IT infrastructure and DevOps domains have been offering consulting and professional services in this area for years. The work can be done by a team from anywhere in the world.
We are at your disposal for a free consultation, just send us an e-mail at firstname.lastname@example.org.