How to make remote work safe without sacrificing comfort

Remote work is not just a trend, but also an eternal headache for security professionals and HR specialists. Many Bastion employees work remotely, and we have seen from our own experience that protecting information in such conditions is a complex task that covers technology, corporate culture and employee psychology.

Today we’ll tell you how Bastion approaches creating a safe and productive work environment for remote workers. Let's find out why too much control can be ineffective, why security teams need to maintain team spirit, and why it's important to protect corporate data without compromising the user experience. In general, let's look at the problem of remote work both from the HR and information security perspectives.

Remote work through the eyes of a recruiter

Albina Semushkina

Head of Recruiting Department at Bastion

Remember the photos with views of pools and beaches that used to be used to advertise remote vacancies? Usually these featured a happy employee in a sun lounger, looking at a laptop with a cocktail in hand. Of course, there are people who say that everything is like this for them, but they are a minority.

For most, remote work means a table in the kitchen in a rented apartment, a workspace in the corner of the living room, a table in a noisy coffee shop, and, if you’re lucky, a place in a coworking or coliving space. However, according to our internal statistics, 90% of candidates are looking for full remote work, 7% prefer a hybrid, and only 3% of applicants want to visit the office daily in order to be able to quickly approach a colleague and resolve the issue without waiting for a “meeting”.

Remote work provides many advantages: for the employer – access to talent from different regions and countries, for the employee – work-life balance, stress reduction, flexibility. But in general, it seems that with the spread of remote work, people began to change jobs more often. Loyalty to the company and work in general has decreased. It was during the pandemic that a “boom” of frequent job changes began. You no longer need to go to your manager, look him in the eye and ask him to sign a letter of resignation: you join a Zoom call, sign the application via EDI – and after 14 days you are already in a new place.

Yes, remote work allows you to save money and time on travel, spend more time with your family, combine work on several projects or take care of everyday life, but all the advantages have their own price, both for employees and for the company. And sometimes these costs of remote work outweigh any advantages.

The price of security

Nikolay Klendar

Director of Information Security at Bastion

In my opinion, ensuring information security is one of the main technical challenges of remote work.

Everyone approaches remote access differently. Some companies allow employees to work from personal devices, while others allow remote access only from corporate laptops.

When using personal devices, a company cannot be sure of their security: there is always a risk that one of the employees will install an application with a critical vulnerability, or, for example, refuse an important operating system update designed to close such a vulnerability. It is also unlikely that it will be possible to centrally collect telemetry from personal devices – because of this, information about incidents may not reach the information security department at all.

In enterprise-level companies, remote employees should, properly speaking, work exclusively on corporate equipment fitted with reliable security measures. For some categories of employees, working from personal devices is acceptable, provided they use technologies such as VDI or other terminal access solutions. In such systems, the user sends only keyboard and mouse commands and receives a desktop image.

As a result, secure remote work on corporate equipment is not always as comfortable as working on a personal device. With insufficient budget or attention from the IT department, employees may end up with outdated or underperforming devices. If the Internet connection is poor, VDI and terminal access technologies can be unstable and annoying. Taken together, these inconveniences can simply demotivate remote workers.

Easy target

Albina Semushkina

Head of Recruiting Department at Bastion

But it seems to me that the main problem of modern remote work lies in self-organization and balance between work and personal life.

A home environment and the proximity of a refrigerator are not conducive to a working mood. Not having to leave the house and constantly living online negatively affects health and psychological well-being. The blurring of boundaries between work and personal time is aggravated by the fact that remote workers often do not have a clear end to the working day, which in the office coincides with going home.

The result is a feeling of alienation from the team, burnout and loss of interest in work and life. A burned-out, disoriented employee is especially vulnerable to, for example, social engineering methods. People fall for scammers’ tricks not because they are stupid, but because they are tired and stressed, which prevents them from assessing the situation sensibly. In this state, employees not only cannot work normally, but also quickly forget about the “boring” information security rules. Isolation from the team, unresolved conflicts and shortcomings in the work of the HR department in conditions of remote work can aggravate the situation. All this creates favorable conditions for the emergence of insider threats.

How to help a remote worker adapt to a new place

The experience of organizing remote work shows that not everyone is comfortable working in this format. Therefore, even at the stage of meeting a future employee, you need to find out whether remote work is right for him. Has he had experience working remotely in the past? Is the home environment conducive? How does the candidate distribute his time throughout the day? How effective is he in written communication, how does he handle feedback, and how does he provide it to colleagues?

To help new remote employees adapt and unite the team, you can introduce a system of activities that will help boost morale. In this sense, corporate events have limited value: simpler, but regular activities are much more effective.

Chats work well for informal communication. Knowing the interests of employees, you can organize small online events in such channels. For example, our seasoned pentesters are happy to share photos of pets. It seems like a small thing, but it helps to see real people behind the posts and avatars. You can organize joint movie screenings, interest clubs and other events – it's fast and free.

There are many more complex online activities, from business games to quizzes and online quests. These events do not take much time, do not disrupt the work process, but help to establish personal connections between employees and simply lift their spirits. Finally, it is important to bring remote employees to corporate events and organize team building activities for them.

But there is no need at all to supervise employees excessively. It is worth focusing on mentoring, attracting qualified managers, competent distribution of tasks and the introduction of convenient services for project management. Employees experiencing difficulties with remote work will reveal themselves – through missed deadlines or reduced quality of work.

Managers working with remote employees should consider several important aspects:

  • Provide constant feedback. Discussion of work results and simple human gratitude are important for motivation.

  • Pay attention to overtime that is not the fault of employees. Compensating them, recognizing their contributions, and praising them for extra effort encourages productivity.

  • Be flexible with your employees' personal matters. If they can take time off without a negative reaction, it will support their positive attitude towards work.

Although at first glance this may seem far from information security, this approach to management motivates employees to comply with the rules and actively participate in information security training. Employer loyalty promotes employee loyalty.

How to build security without sacrificing productivity

Nikolay Klendar

Director of Information Security at Bastion

Moving on to the technical part, I would like to state a basic principle: the device of an employee working remotely should always be treated as a potential entry point for attackers into the company’s network. Therefore, it is very important to assess the risks and ensure the protection of such devices, taking into account the available resources:

  • Allow remote access to the corporate network only from corporate devices equipped with the necessary security measures. Make sure that the VPN connection is made from a corporate device – VPN concentrator manufacturers have special solutions for this purpose, but you can also use a separate one.

  • To collect information about incidents and manage security policies, it is advisable to implement permanent VPN technology, in which the connection is established immediately when the device connects to the network.

  • Secure the VPN connection itself with two-factor authentication.

  • Create a role-based model for network access.

  • Organize the collection of telemetry from workstations. Engage an internal or external SOC team to analyze it to quickly identify traces of compromise.

  • Ensure uninterrupted operation of the antivirus and use its additional mechanisms: a local firewall and restrictions on launching programs, especially from the user profile and temporary directories (create a list of exceptions based on file categories and properties).

  • If you work with sensitive information, implement a DLP system with agents running on laptops. This will allow you to control the data transmitted over the Internet. You will also need to organize access control to mobile storage devices: flash drives, recording devices, including mobile phones.

  • Ensure hard drive encryption.

  • Try to take into account that in the event of a DDoS attack on an organization’s network infrastructure, employees may lose remote access, and develop an action plan for this case.

  • Work out a white list of Internet resources that may be reached bypassing the VPN – for example, video conferencing system servers. There should be no simultaneous work with internal corporate systems and direct Internet access that bypasses the corporate NGFW/SWG with its configured access policies.
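
The telemetry and launch-restriction items above can be combined into one check. The following is an added example, not Bastion's own code: it triages process-creation events and flags programs started from the user profile or temporary directories unless an exception based on file properties applies. The event fields, path prefixes, signer names and sample events are constructed assumptions.

```python
import ntpath
from fnmatch import fnmatchcase

# Locations named in the checklist: user profiles and temporary directories.
# The concrete prefixes assume a default Windows layout.
RISKY_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")

# Exceptions keyed on file properties (signer plus location), not on name alone.
# Signer and path are constructed placeholders.
EXCEPTIONS = [
    {"signer": "Example Conferencing Ltd",
     "path": "c:\\users\\*\\appdata\\local\\confclient\\confclient.exe"},
]

def normalize(image):
    """Collapse '..' segments and case so the prefix check cannot be sidestepped."""
    return ntpath.normpath(image).lower()

def is_excepted(path, signer):
    """True only when both the signer and the location match one exception."""
    return any(signer == e["signer"] and fnmatchcase(path, e["path"])
               for e in EXCEPTIONS)

def triage(events):
    """Return (host, normalized image, reason) for launches that need review."""
    findings = []
    for ev in events:
        path, signer = normalize(ev["image"]), ev.get("signer")
        if not path.startswith(RISKY_PREFIXES) or is_excepted(path, signer):
            continue
        reason = "unsigned" if not signer else "signer not in exceptions"
        findings.append((ev["host"], path, reason))
    return findings

# Constructed process-creation events, shaped like endpoint telemetry.
SAMPLE_EVENTS = [
    {"host": "lt-014", "image": r"C:\Program Files\Office\winword.exe", "signer": "Example Office Corp"},
    {"host": "lt-014", "image": r"C:\Users\anna\AppData\Local\Temp\invoice_viewer.exe", "signer": None},
    {"host": "lt-022", "image": r"C:\Users\oleg\AppData\Local\ConfClient\confclient.exe", "signer": "Example Conferencing Ltd"},
    {"host": "lt-027", "image": r"C:\Users\ira\AppData\Local\ConfClient\confclient.exe", "signer": None},
    {"host": "lt-031", "image": r"C:\Program Files\..\Windows\Temp\setup.exe", "signer": "Unknown Publisher LLC"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The fourth event carries the same file name as the approved conferencing client but no signature, so it is still flagged: an exception keyed on name alone would have let it through.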

However, all security measures will be ineffective if they significantly complicate the work of employees. It is important to provide staff with modern and properly configured devices, use a convenient two-factor authentication format, and provide qualified and prompt technical support.

Otherwise it will be like at some sensitive facilities. Imagine: officially you can’t even bring a flash drive into the office. There are sealed computers with ports on the motherboard filled with epoxy resin, but in fact, every second system unit can be easily opened, and an expansion card is connected to the motherboard inside.

Therefore, it is critical that security measures have minimal impact on the employee experience. Otherwise, staff will systematically look for workarounds, violating established rules for the sake of banal convenience.
