Stick with Security: Secure remote access to your network
Used with permission from FTC.gov
by Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Ask a business person where their office is located and the likely answer is “everywhere.” They’re working from home, staying in the loop while traveling, and catching up on email between sales calls. For productivity’s sake, many companies give their employees – and perhaps clients or service providers – remote access to their networks. Are you taking steps to ensure those outside entryways into your systems are sensibly defended?
If your business wants to start with security, it’s important to secure remote access to your network. Here are some examples based on FTC investigations, law enforcement actions, and questions that businesses have asked us.
Ensure Endpoint Security.
Your network is only as secure as the least safe device that connects to it – and there’s no guarantee that an employee’s home computer, a client’s laptop, or a service provider’s smartphone meets your standards for security. Before allowing them to access your network remotely, set security ground rules, communicate them clearly, and verify that the employee, client, or service provider is in compliance. Furthermore, wise companies take steps to make sure that devices used for remote access have updated software, patches, and other security features designed to protect against evolving threats.
Example: Before allowing employees to access the company network remotely, a business establishes standard configurations for firewalls, antivirus protection, and other protective measures on devices used for remote access, and conducts periodic in-house training. It also provides a token with a dynamic security code that the employee must type in to access the company’s network, and maintains procedures to ensure that employees’ devices have the mandated firewalls, antivirus protection, and other protections in place. In addition, the company regularly re-evaluates its requirements in light of emerging threats and blocks remote access by devices with outdated security. By approaching endpoint security as an ongoing process, the company has taken steps to reduce the risks associated with remote access.
Example: An executive search firm has files on its network that include confidential information about job candidates. When a prospective employer retains the search firm, the firm gives the employer remote access to its network to view those files, but doesn’t check to see that the employer’s computers use firewalls, updated antivirus software, or other security measures. The better approach would be for the search firm to contractually require minimum security standards for employers that want to access the firm’s network remotely and to use automated tools to make sure employers meet the requirements.
Put Sensible Access Limits in Place.
In this blog series, we’ve already talked about is the need to control access to data sensibly. Just as security-conscious companies restrict in-house access to sensitive files to staff members with a business need for the data, they also put sensible limits in place for remote access.
Example: A retailer hires a contractor to revamp its online payroll system. The retailer gives the contractor remote access to the portions of the network necessary to complete the task, but restricts the contractor from other parts of the system. In addition, the retailer discontinues the contractor’s authorization as soon as the task is complete. By limiting the scope and duration of the contractor’s remote access, the retailer has taken steps to protect confidential data on its network.
Example: A company decides to update its information infrastructure and signs contracts with multiple vendors to remotely install and maintain software on numerous systems on the company’s network – a project the company anticipates will take one year from start to finish. Because the vendors will be working on different portions of the network at different times, the company creates user accounts to provide each vendor with full administrative privileges throughout the company’s network for the entire year. Although this might be the fastest way for the company to manage vendor accounts, it’s an insecure choice. A wiser option would be to tailor vendors’ access to the scope of their work. For example, the company should determine if some vendors can perform their duties without administrative access privileges throughout the company’s network. Other vendors may need administrative access, but only for a limited period of time. Furthermore, if a particular vendor will have multiple employees sharing administrative access, the company should implement a method so it can audit and attribute account use to a particular vendor employee.
Not many burglars bulldoze down a wall. Instead they exploit weaknesses in doors, windows, and other external entrances. The message for companies is if you allow remote access to your network, be vigilant about defending those entryways.