When the COVID-19 pandemic arrived and forced the closure of offices around the world, many companies that hadn’t previously allowed remote access to servers and other resources on their corporate network had to do so—and quickly. Trying to maintain business operations in that new manner, while also protecting data against unauthorized access, put many businesses on unfamiliar ground. And it brought into focus why organizations should develop a robust remote access policy, ideally before they ever need to rely on it.
Why is a remote access policy important?
A remote access policy is important to ensure that your organization can maintain its cybersecurity even with all the uncertainty that remote access brings: unknown users (you can’t see the person, after all), using potentially unknown devices, on unknown and untrusted networks, to access your corporate data center and all the information within.
Those are significant risks, but life during coronavirus has made extensive remote access an unavoidable fact of life. Some users simply must have remote access so they can keep performing their duties from home.
Remote access policies guide how that activity will happen, so your data can still be secure and your operations can still meet any regulatory compliance obligations.
The good news is that organizations such as the National Cybersecurity Society and NIST have published remote access policy templates that can be quite helpful if you’re developing your policy from scratch. In this piece we’ll review what a remote access policy should achieve, how to develop one, and several pitfalls to avoid.
What is the purpose of remote access policy?
A remote access policy spells out what the company will do to provide cybersecurity while users access data off-site; what’s expected of users as they access that data; how secure connections are established; when and how exceptions to the policy might be granted; and what disciplinary action might result from violating it. The objective of a remote access policy is to keep corporate data safe from exposure to attackers, malware, and other cybersecurity risks while allowing employees to work from remote locations.
- The remote access policy defines how secure remote access should work.
Remote access should be granted through a virtual private network (VPN) that encrypts traffic in transit and authenticates each user before granting access to internal resources. Consumer modems and public Wi-Fi are notorious for their lack of security and should be treated as untrusted networks: avoid them where possible, and where they must be used, every connection to corporate resources goes through the VPN tunnel. Strive to use the best remote access technology available; it should be configured and deployed by the company, not by the remote worker.
- The remote access policy defines how remote workers should respect cybersecurity.
First, remote users must protect their usernames and passwords: no notes with passwords taped to the device, even when the user only works from home. Multi-factor authentication (MFA, also called two-factor authentication or 2FA) should be required for VPN logins, so that a stolen or guessed password alone is not enough to reach company hardware or the network. VPN sessions should be configured with an idle timeout that disconnects them as soon as they’re no longer active, so an unauthorized person can’t gain easy access through a laptop mistakenly left open; pair this with an automatic screen lock on the device itself.
- The remote access policy defines what a secure connection is.
Safe remote access depends on a secure connection and the appropriate use of it. Authorized users of any internal network typically have to adhere to an acceptable use policy, which spells out which activities are prohibited while using the company network. Those same rules apply to remote access workers, and compliance should be carefully monitored and enforced. It’s easier to forget you are working on the company network when you are sitting in your own living room.
The remote access policy should also clearly state which software and host firewalls must be in place on devices with remote network access, and how often operating systems, security software, and anti-virus protections must be updated. When everyone is present in the same physical location, the IT department can typically manage such tasks itself. In a remote access world, employees may need to do some of this work themselves, and the policy should say who is responsible for which updates and how compliance is verified.
- Limit remote user access to only what’s needed.
One important goal of a remote access policy is to divide remote users into groups defined by the access level they need, and to grant each group only that access (least privilege). Nobody should be allowed a higher access level just because that person now works remotely. Not only does this make the management of remote workers easier; it also limits how far an attacker can get with one compromised account, so the attack can be contained more quickly.
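The three policy elements above (MFA on login, a patch schedule for remote devices, and group-scoped least-privilege access) can be expressed as a single deny-by-default check that runs on every connection request. The following is an added example, not code from the original article or from any vendor's VPN product; the request fields, group names, destination labels and thresholds are assumptions chosen for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One remote access request as the VPN gateway would see it (field names are assumed)."""
    user: str
    group: str            # directory group the user belongs to, e.g. "engineering"
    destination: str      # label of the internal resource the user wants to reach
    mfa_verified: bool    # a second factor was presented at VPN login
    managed_device: bool  # company-issued, company-configured endpoint
    last_patch: date      # when the OS and security software were last updated


@dataclass(frozen=True)
class RemoteAccessPolicy:
    """Deny-by-default remote access policy: a request must pass every rule."""
    max_patch_age_days: int
    # Least privilege: each group maps to the destinations it may reach.
    # A group or destination that is not listed is denied.
    group_allowlist: Dict[str, FrozenSet[str]]
    idle_timeout_seconds: int
    mfa_required: bool = True
    require_managed_device: bool = True

    def evaluate(self, req: AccessRequest, today: date) -> Tuple[bool, List[str]]:
        """Return (allowed, reasons). reasons is empty only when the request is allowed."""
        reasons: List[str] = []
        if self.mfa_required and not req.mfa_verified:
            reasons.append("mfa-missing")
        if self.require_managed_device and not req.managed_device:
            reasons.append("unmanaged-device")
        if (today - req.last_patch).days > self.max_patch_age_days:
            reasons.append("patches-stale")
        allowed_destinations = self.group_allowlist.get(req.group, frozenset())
        if req.destination not in allowed_destinations:
            reasons.append("destination-not-in-group-allowlist")
        return (not reasons, reasons)

    def should_terminate_session(self, idle_seconds: int) -> bool:
        """Idle sessions are cut so an unattended, unlocked laptop is not an open door."""
        return idle_seconds > self.idle_timeout_seconds


def audit_line(req: AccessRequest, allowed: bool, reasons: List[str]) -> str:
    """One log line per decision, so compliance can be monitored rather than assumed."""
    verdict = "ALLOW" if allowed else "DENY"
    detail = ",".join(reasons) if reasons else "-"
    return f"{verdict} user={req.user} group={req.group} dest={req.destination} reasons={detail}"


# Assumed policy values: 14-day patch window, 15-minute idle timeout,
# two groups with deliberately disjoint access.
POLICY = RemoteAccessPolicy(
    max_patch_age_days=14,
    group_allowlist={
        "engineering": frozenset({"git-server", "ci-runner"}),
        "finance": frozenset({"erp-app"}),
    },
    idle_timeout_seconds=900,
)

TODAY = date(2021, 3, 1)  # fixed date so the example is reproducible offline

# Constructed sample requests.
COMPLIANT = AccessRequest("alice", "engineering", "git-server", True, True, date(2021, 2, 20))
WRONG_GROUP = AccessRequest("bob", "finance", "git-server", True, True, date(2021, 2, 25))
SLOPPY = AccessRequest("carol", "engineering", "ci-runner", False, True, date(2021, 1, 1))
UNKNOWN_GROUP = AccessRequest("dave", "contractor", "erp-app", True, True, date(2021, 2, 28))


def run_samples() -> List[str]:
    """Evaluate every constructed request and return the audit lines."""
    lines = []
    for req in (COMPLIANT, WRONG_GROUP, SLOPPY, UNKNOWN_GROUP):
        allowed, reasons = POLICY.evaluate(req, TODAY)
        lines.append(audit_line(req, allowed, reasons))
    return lines


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The important design choice is that every rule appends a reason rather than returning early: the gateway logs all the ways a request fell short, which is what the monitoring and disciplinary parts of the policy need. A user whose group is not in the allowlist gets exactly the same denial as a user asking for a destination outside their group, so adding a new group is an explicit policy change rather than an accident.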
Here’s a quick checklist to keep in mind as you work on your own remote access policy:
- Define what a secure password is, when it must be changed (current NIST guidance, SP 800-63B, favors long passphrases changed on evidence of compromise rather than on a fixed schedule), and how the remote user should protect it.
- Define what a secure connection is and who’s responsible for providing it.
- Define what types of hardware a remote user may connect to the company network.
- Establish a schedule and procedure for software updates.
- Divide users into subgroups depending on the access each group needs.
- Monitor and make sure remote users comply with guidelines.
- Spell out the level of disciplinary action that may be taken if established guidelines are violated.