How to organise safe and effective remote work. Real company experience
In our company, many employees have been working from home offices for seven years. I know from my own experience that remote work imposes a great deal of discipline. If it is properly organised, it is more intense and productive than office work.
Employees with remote work generally reply to emails faster, assign conference calls for tomorrow rather than in a week’s time, and edit documents more quickly. It seems to me that this is because these employees are doing their best to prove to others that they are not idling their time away.
The couple of hours that an employee does not spend on commuting and other logistical matters, and the opportunity to work when others have not started or ended their working day give a serious competitive edge.
Yet despite all the obvious advantages, remote working increases the IT security risks and the employee monitoring problems. We will now focus not on the organisation of remote work, but on useful programs that resolve these problems. We do not claim that the choice presented here is perfect, but we have accumulated a certain amount of experience (experience usually being a set of mistakes!), and we will be happy to share it at this rough time.
For those, who are not keen on longreads, here is a link to a table of programs.
Clouds mean everything to us
We switched to cloud-based mail, ERP, CRM, telephony and video conferencing immediately after the 2008 crisis because of the diffuse business structure, the high cost of server support, and administration in different countries.
The choice of sales automation in clouds was then limited to NetSuite and Salesforce. The number of cloud CRM and ERP systems now runs into hundreds. At that time, we even partially localised Salesforce for ourselves, but in the end, we chose NetSuite only because it had ERP, CRM and an affiliate portal. A couple of years ago, Oracle bought NetSuite, and although the system is not at all cheap and the support and implementation are not easy, everyone is already accustomed to looking at it not as a program (which someone will always find inconvenient), but as a technology.
We had no doubts about the mail, and the corporate Gmail partly solved the problems of document storage and basic security such as two-factor authentication, anti-spam and archive.
We had previously used MS Exchange for 10 years and, to my surprise, even the most ardent fans of Outlook-Exchange switched to the Gmail web interface. I think the speed of the search facility and the convenience of the labels helped a lot.
It’s now fashionable to use the Swiss protonmail for privacy. But it’s an acquired taste, as the saying goes.
Colleagues immediately appreciated the capabilities of GoogleDrive for document storage and file sharing, plus Hangout for communications.
Another important point about Google services is that we have created a wiki on Google Sites to keep staff informed and to post internal documents. As for the workflow and archiving documents, there are now many different options, but our choice is a very simple one. Docflow. We decided that since there was already GoogleDrive, why not use it? — and we opted for the AODocs plugin.
Docusign was purchased for the digital signing of documents. But for now, everyone has the free signature system in Adobe Acrobat for internal approval, and that is sufficient.
According to various reports, China is supposed to have almost restored the supply of hardware, but I think that AWS, GCP and Azure will now be real bestsellers, since no one will want to let people into server rooms in the near future.
We chose AWS as the main standard and moved all the servers into it, including at that time legacy 1C Accounting and Asterisk telephony, but we also left some things on Azure. We do not have Google Analytics, otherwise the Google Cloud Platform would also have appeared. AWS is an expensive choice, but it’s all worth the money — we don’t have any headaches with load balancing, the prompt allocation of resources on demand, DDoS and so on.
To optimise the price of the clouds, we use AWS standard tools, but if you have many cloud providers, we recommend CloudHealth from Vmware. We set it up “for growth” for our own use.
Remote access for the remote employee
We are keenly applying the BYOD policy: company staff use their own PCs and smartphones for work. To deliver desktops and applications to employees’ final (including mobile) devices (implementing VDI technology), all bets are on Citrix and AWS Desktop as Service. We are also testing IGEL thin clients and VDI from Vmware. TeamViewer is employed to solve users’ problems remotely.
Nearly all communication now takes place in e-mail form, but there is an understanding that this is primarily a means of communicating with external partners and recording agreements, since correspondence has legal force. We are encountering some difficulty in moving internal discussions from mail to slack, and all standard documents, workflow and business processes to ERP.
Although NetSuite has project management modules, the presale and services department uses Trello for project management. Before that, in a different project, we had to choose between Asana, Wrike, Basecamp and, of course, Jira, but for some reason the choice fell on the current option.
Our company is still not using the HRM system (we believe that LinkedIn is enough ☺), although NetSuite has such a module.
The customer portal in Oracle NetSuite is in our basic version. The advanced module is said to be used even by global software vendors for the sale of electronic licences.
In the absence of face-to-face meetings and business trips, video conferencing is the main tool when working with partners.
For a long time, our company relied on Adobe Connect and GoToMeeting, but two years ago we commissioned an independent comparison of video conferencing applications. After studying the results, and since we worked with all the manufacturers, including the most popular at that time, Cisco/Webex, we concluded that Zoom was the best for us, and so we made it the corporate standard. Since then, I have had no regrets, except that careful monitoring is needed to make sure that the video calls of different employees do not coincide. Incidentally, this further confirms the assumption that remote working fosters greater discipline. We also frequently record videos and upload them to YouTube.
Employees even use Google Hangout, Amazon Chime and Skype, if necessary, when communicating with customers and partners.
Today, it is no longer possible to arrange talks in a meeting room, and businesses do not trust mobile communications when conducting secret negotiations. I don’t presume to evaluate which of the messengers is “listened to” and which is not, but for some reason, Swiss products such as Threema and Wire are the most trusted in the business environment. This, however, does not solve the problems when communicating with all countries. In some places, for example, Skype, WhatsApp, Viber and Telegram do not work, but IMO or WeChat does ☺. We are now pinning our hopes on the Swiss manufacturer Adeya, which offers military-grade cryptography (or you can install your own cryptographic library) and allows you to deploy the system in your own company or in their cloud, which is hosted and protected by Swiss privacy laws.
Monitoring employees’ work
However conscientious your employees may be, it sometimes has to be determined what an employee was doing at a particular moment. If someone needs to keep an eye on the hourly work of employees, not for surveillance purposes, but, for example, in order to bill your customers, there is a vast range of products, e.g. Time Doctor, Hubstaff, Harvest, Toggl, TSheets, etc.
It is illegal to monitor your employees in a number of countries, but it is possible — and necessary — to investigate security incidents. Session-recording products are offered by CyberArk, ObservIt, Ekran Systems, Netwrix, Balabit (One Identity), etc. We use CyberArk because their system also solves several other IT security problems.
VPN and two-factor authentication form the basis of digital hygiene
When users are outside the secure perimeter and are usually connected via home-based WiFi, the minimum security requirements must be followed. Apart from regularly changing complex passwords, everyone must use a VPN. We use solutions from Barracuda Network and Forcepoint/Stonesoft, as well as free OpenVPN and ProtonVPN.
We also use these solutions for smartphones and require our employees to turn off automatic connections to well-known WiFi networks in order to protect against wardriving.
We’ve switched all cloud services to two-factor authentication, since people have tried periodically to hack into our mail system.
I make no mention of antivirus protection on every PC or of installing firewalls — these are mandatory features for a remote employee and listing them would take whole paragraphs.
Home-based employees are more vulnerable to scammers
In 2018, the cybersecurity market was estimated at $248 billion, and it will grow over the next three years by 10–13% annually. Although the anti-fraud sector of the market has been valued at $20 billion, it is growing at 25–30% a year. Another sector of the market — Security Awareness and Training — is growing at an annual rate of 40–50%. This is because the human being is the weakest link in security. Employees need to be constantly trained, and it is best to base the training on their own mistakes. We use CybeReady to teach colleagues how to avoid falling victim to phishing scams. Such solutions are also offered by Cofense (Phishme), Dcoya and Barracuda Network among others.
Lots of security — always
We have a diverse assortment of computers and OS, and we ensure that everyone updates their browsers and OS, and installs patches. Ivanti is used as the Patch Management platform. Rapid7 products are used to manage vulnerabilities, and there are commendable solutions from Tenable and Qualys. We use CyberArk to manage access for privileged users.
In some countries, our websites are blocked by the government. There is an elegant solution without using Tor Browser and the like. It is called an isolated remote browser and relieves the web security headache; it also solves the censorship problem. Similar solutions are offered by Ericom, Symantec, McAfee and Menlo.
If your company is a small one, you probably won’t need SIEM. Depending on your business specifics, you may need DLP, SWG, encryption, OTP, etc. A thoroughgoing switch to a cloud will require a CASB. If you have your own SOC or use Security as Service outsourcing, our advice is probably superfluous.
What if we have a factory and checkers rather than an office and computers?
In the EU, our company is more focused on the safety of industrial networks and critical infrastructure. One of the must-have options for SCADA security is Data Diode — a device that does not physically allow signals to be transmitted to an industrial network, but only makes it possible to read them “so that they can’t throw a spanner in the works”. We don’t have any production facilities in the company, but WaterFall, the market leader, offers a “free” remote production management option during a crisis, when people are not allowed in, using Remote Screen View.
This week’s immediate plans include asking all vendors for temporary free or preferential access and promotions to support our customers ☹. Everyone is very understanding.
As for our long-term plans, we have wanted to introduce Coursera training for remote users long time ago; it looks like the quarantines in the different countries will simply speed it up.
Undoubtedly, we will implement DocuSign for external contractors, since we shall not be seeing them in the flesh for a long time now.
We can see that employees often make use of confidential information on their smartphones, and there is a clear need to install the MDM/EMM solution, probably from MobileIron, which specialises in that (an alternative to Vmware AirWatch and Citrix MDM).
The last crisis sent us into the clouds; this time the situation will probably force us to use the fashionable AI. We are thinking about retail aids and Omni-channel, but at the moment that looks rather futuristic.
Author: Pavlo Zhdanovych.
The material was prepared with support from an ROI4CIO project.