Remote working and security
Before the coronavirus crisis, some companies were slow to adopt remote working policies. They worried that working from home would lower employee performance, and they worried about keeping proprietary and business-critical data private and secure. The second concern now matters more than ever: the pandemic has driven a huge increase in remote working, and surveys show that around 85% of businesses have half of their workforce operating remotely. Cyberthreats are rising with it, aimed at companies that lack a comprehensive security strategy.
Why does remote working pose a security risk?
Your data is an asset that you want to protect and keep private, and you cannot keep it private if it is not secure. Securing employee devices is comparatively easy for an IT team while those devices sit on the corporate network. When employees work from home and access and share data from outside that network, their devices are more exposed to ransomware and to attacks that steal login credentials, for example through phishing. If your organization loses control of its customers' or users' data, it faces not only data breach fines but also reputational damage, and with it lost customers and sales.
Security risk assessment
Before you send everyone to work remotely, assess your security risks. Get an inventory of the connected devices, software and networks in use, and of how information is processed and stored; a device or service you do not know about is one you cannot protect. Check what processes you have in place to react to an attack or a system failure. Establish key controls such as endpoint protection, firewalls and regular security training, and test them regularly rather than assuming they work.
Data privacy
As you try to keep your data secure in order to comply with data privacy laws, you also want the data used and processed in any software to be kept safe and handled according to those regulations. Remote work increases the amount of data shared through collaboration software, and therefore with the software's operator. OpenProject, based in Berlin, Germany, complies with the GDPR, and we handle our customers' data with care. As part of OpenProject's GDPR compliance we offer a Data Processing Addendum (DPA) to our clients that states OpenProject's GDPR obligations and reflects our data privacy and security commitments to our clients. The OpenProject cloud environment is hosted in a logically isolated virtual private cloud at Amazon Web Services, with all services located in Europe. AWS is a GDPR-compliant cloud infrastructure provider with extensive security, compliance and access control programs. In addition, all OpenProject employees undergo training and sign a data processing agreement, so that they know and acknowledge the data privacy regulations. Access to customer data takes place only when requested by the customer (i.e. as part of a support or data import/export request).
Encryption
Encrypting your data makes a stolen copy useless to an attacker, provided the keys are stored and managed separately from the data; encryption protects nothing if the key sits next to the ciphertext. Encrypt all sensitive data, including customer, employee and business data. Now that people work remotely, also check that data in all of your collaboration software is encrypted. If you are working with OpenProject, we have taken care of this: data in the OpenProject cloud environment is fully encrypted with AES-256. Each individual instance is logically separated and its data is persisted in its own database schema, reducing the risk of data leaking between instances. For the OpenProject Enterprise on-premises edition, hosted on your own infrastructure, we strongly recommend that you set up TLS (HTTPS) for all connections and redirect plain HTTP to HTTPS. All sensitive user data on laptops and workstations of OpenProject employees is encrypted, and the machines are maintained to receive system updates. Keep in mind what encryption at rest does not do: it does not protect data from an attacker who logs in with stolen credentials or through a compromised application, which is why authentication and access control remain essential.
Backup and redundancy
Another important pillar of your security strategy is regular backups: a backup that ransomware cannot reach is what lets you restore instead of paying. Store your backups offsite, keep at least one copy offline or otherwise unwritable from the network that could be infected, and know where they are stored so that you know which data privacy regulations apply at that location. Test restores regularly; a backup that has never been restored is not a backup. Redundancy (network, hardware, server, infrastructure) further increases your ability to recover. Check the backup and redundancy infrastructure of your collaboration software too, as it handles a lot of your business data. The OpenProject Enterprise cloud is built for high security. Its hosting data center is located in the European Union, and the data center and network architecture are built to meet the requirements of the most security-sensitive organizations, with a redundant infrastructure. Encrypted data backups are taken continuously and kept in separate locations. For the OpenProject Enterprise edition hosted on-premises, we provide recommendations and instructions for backups.
VPN connections
Require a VPN connection for access to sensitive data, and prepare to expand bandwidth and session capacity on your VPN to accommodate the increased usage caused by remote work. Protect the VPN itself with two-factor authentication and keep its software patched: a VPN gateway is an internet-facing login to your internal network. At OpenProject, for example, the production infrastructure is accessible only to a strictly limited set of authorized system operations personnel, from a secured internal maintenance VPN.
2FA
Put an emphasis on authentication. Two-factor authentication for remote logins in particular is an easy and very effective step to curb unauthorized logins, because a stolen or phished password alone is no longer enough. Apply it across all software to increase security, and prefer app-based or hardware-token second factors over SMS codes. OpenProject offers two-factor authentication for all users. In addition, the services used by OpenProject employees are secured with two-factor authentication wherever it is available.
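To make concrete what "two-factor authentication for remote logins" checks on the server side, here is an added example in Go of the time-based one-time password algorithm (RFC 6238) that authenticator apps implement. It is not OpenProject's implementation. Beyond computing the code, it shows two details a naive implementation gets wrong: tolerating one step of clock skew without widening the attack window further, and refusing to accept a code twice, so a code phished or shoulder-surfed during a login cannot be replayed for the rest of its 30-second step. The user names are constructed; the secret is the RFC 6238 test-vector secret in base32.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"sync"
	"time"
)

const (
	TOTPStep   = 30 // seconds per code, the RFC 6238 default
	TOTPDigits = 6
)

// TOTPAt computes the RFC 6238 code for a raw secret at a given Unix time:
// HOTP(secret, floor(t/30)) with HMAC-SHA1 and dynamic truncation (RFC 4226).
func TOTPAt(secret []byte, unix int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/TOTPStep))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier checks codes submitted at login. It tolerates one step of clock skew
// either way and never accepts a counter at or below the last one accepted for
// that user, which closes the replay window a bare TOTP comparison leaves open.
type Verifier struct {
	mu       sync.Mutex
	lastUsed map[string]uint64 // user -> highest counter accepted so far
}

func NewVerifier() *Verifier { return &Verifier{lastUsed: map[string]uint64{}} }

// decodeSecret accepts the base32 form authenticator apps display,
// with or without spaces and '=' padding.
func decodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verify reports whether code is valid for user at time now and, if so, consumes it.
func (v *Verifier) Verify(user, b32Secret, code string, now time.Time) bool {
	secret, err := decodeSecret(b32Secret)
	if err != nil {
		return false
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for _, skew := range []int64{0, -1, 1} {
		t := now.Unix() + skew*TOTPStep
		counter := uint64(t / TOTPStep)
		if counter <= v.lastUsed[user] {
			continue // already consumed, or older than a code we already accepted
		}
		expected := TOTPAt(secret, t, TOTPDigits)
		// Constant-time compare: no timing signal about how many digits matched.
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsed[user] = counter
			return true
		}
	}
	return false
}

func main() {
	v := NewVerifier()
	secret := "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" // base32 of the RFC 6238 test secret
	raw, _ := decodeSecret(secret)
	now := time.Now()
	code := TOTPAt(raw, now.Unix(), TOTPDigits) // what the user's app would display
	fmt.Println("code:", code,
		"first login:", v.Verify("jane", secret, code, now), // constructed user
		"replayed:", v.Verify("jane", secret, code, now))
}
```

Rate-limit failed attempts as well: with a one-step skew window, three codes are valid at any moment, so an unthrottled attacker guessing six-digit codes has roughly three chances in a million per attempt, which adds up quickly without lockout or throttling.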
Employees
When setting up the technical side, do not forget about your employees, who also play a critical role in your security strategy. On the one hand, train them regularly so that they are familiar with all security processes and with what is asked of them (e.g. password requirements and approved data sharing platforms). On the other hand, establish strict access control along the principle of least privilege: each person gets only the access their role needs. Remove access promptly when an employee or temporary staff member leaves your organization, and review existing access rights periodically. In OpenProject, fine-grained role-based access control ensures that users see and access only the data they are permitted to, on an individual project level. Last but not least, make it quick and easy for your employees to get help from the IT department; this goes hand in hand with having a well-staffed IT team.
Hardware
While you might be thinking only of security software, do not forget about your hardware. Protect every device with a strong password or passphrase that is known only to its user and not written down. Use "find my device" software on all laptops, phones and tablets so that you can locate a device that is lost or stolen, and make sure it also supports remote wiping. Locating and wiping only work while the device is online, so also enable full-disk encryption (for example BitLocker, FileVault or LUKS) so that the data on a powered-off device cannot be read without the password.
Now enjoy secure working from home. If you are looking for more tips on remote work, check out this article.