Teleworking and cybersecurity: allying mobility with IT security

An increasing number of companies are adopting teleworking, a fast-growing practice that is popular with employees. Companies adopting this trend should nevertheless take a few precautions, in order to avoid unpleasant surprises in terms of data protection.

The reform of the French Labour Code in September 2017 further expanded the legal framework for teleworking in France. Employees can now exercise their professional activity outside company premises on a more or less regular basis.

According to a survey conducted in 2017 by RH Kronos more than two French people in three are favourable to the development of teleworking, even though barely 17% practice it more than one day per week. This is a long way from the European average of 30%.

Teleworking: a popular practice but with attendant IT risks

In a recent survey by a cybersecurity player, 86% of employees interviewed said that they used their personal computer for business purposes. At the same time, 42% said that they did not update their security regularly, compared to 70% of their German counterparts. So the development of teleworking, where employees have regular access to sensitive business information, could well be the stuff of nightmares for IT managers.

Three types of risk in particular must be planned for:

• employees being unable to access the resources they need in order to work,
• contamination of the business network by a security breach on the employee’s computer (and vice versa),
• leaked or lost data.

Raising employee awareness concerning the IT risks of teleworking

To prevent this type of problem, it is clearly essential to raise user awareness of IT security issueslinked to teleworking. Teleworkers need regular reminders concerning good practices: regular antivirus updates, separate personal and professional emails, external peripherals (USB sticks, hard disks, etc.) used only when necessary to transfer data from one computer to another, and so on.

“It is essential to raise awareness but not sufficient in itself“, warns Jocelyn Krystlik, Manager of the Data Security Business Unit at Stormshield. “It is simply not realistic today to place an overwhelming burden on users. Businesses cannot rely solely on this type of preventive measure for their IT security.”

Protection solutions based on identification systems and cloud technology

Businesses need to implement practical measures and technical solutions to limit the IT risks arising from teleworking.

1. Profiling teleworkers. For the company, it is essential to plan ahead and to establish the profiles of teleworkers, based on their attributions and the sensitive information to which they may or may not have access. . The security mechanisms will not be the same for full- or part-time teleworkers, and those who require only occasional weekend access.
2. Authenticating remote access. The main way to prevent hacking of the business network is to put in place a system to identify teleworkers when they log in (ID, password, single-use code, etc.).
3. Dissociating and protecting computer systems. Looking beyond basic anti-virus software, the easiest way to prevent cross contamination between the employee’s computer and the business network is to minimise administration rights. This means providing teleworkers with a PC that is strictly for professional use and updated regularly – from a security standpoint – by the IT department.
4. Ensuring secure data access. To secure the data flow between the employee’s workstation and the business network, you can also use a VPN (Virtual Private Network), even if “this model is becoming less relevant with the development of cloud technology“, notes Jocelyn Krystlik. With a virtual office platform, you can access sensitive business data anytime, anywhere, without a direct physical connection. “Cloud technology lets you decorrelate authentication for using the computer, which is always difficult to protect, from authentication for accessing sensitive information. Ultimately, what counts is the security of the stored data scheduled for transfer“, concludes Jocelyn Krystlik

Stormshield

A European leader in digital infrastructure security and a wholly-owned subsidiary of Airbus CyberSecurity, we offer smart, connected solutions in order to anticipate attacks and protect digital infrastructures. Our mission: to ensure the cybersecurity and data protection of organizations, their employees, and their customers. Our expertise is available in three complementary product ranges for seamless security: Protection for industrial and IT networks (Stormshield Network Security), protection for servers and workstations (Stormshield Endpoint Security) protection for data (Stormshield Data Security). As per our Multi-Layer Collaborative Security approach, our product ranges interact with one another to raise the security level of IT, OT, and Cloud environments, regardless of the attack point.

These trusted, cutting-edge solutions are certified at the highest level in Europe (EU RESTRICTED, NATO, ANSSI EAL3+/EAL4+). Present in over 40 countries via our network of distributor partners, we ensure the protection of strategic information for companies of all sizes, public administrations, and defense agencies throughout the world.

For further information please visit: www.stormshield.com/