
Remote working is the practice of an employee, contractor or volunteer working at their home, or in some other place that is not an organisation’s usual place of business. 

Remote working brings an increased reliance on technology. It is therefore important to have good security controls, and clear policies and procedures that help staff minimise the risk of a cyber breach and set out practical steps to take should something happen.

 Off-site working means that rather than being connected to the internet via an organisation’s secure networks, staff are connecting their devices to home networks or other untrusted networks with unknown levels of security.  

 Firewalls 

When you connect to the internet from a device on a regular network, the data you send and receive over your connection could be intercepted by hackers. If you have a boundary firewall enabled in your router and a software firewall enabled on your device, this risk is very much reduced. However, if you are using a public Wi-Fi connection, such as the free internet in a coffee shop or on a train, it is not difficult to hack into a laptop or mobile device that has no protection.

An organisation's network firewall, installed at its network boundary, will protect the devices working within that network.

A home worker’s boundary firewall is usually in their home router. If that home router is provided by the organisation, it is in scope and needs to have the Cyber Essentials controls applied to it. However, if a worker’s home router is provided by their internet service provider (e.g. Plusnet, BT, Virgin) and not their organisation, it is not in scope for Cyber Essentials.

The software or host-based firewall, installed on each laptop or computer, must be turned on and configured to meet Cyber Essentials requirements. Where you do not control the boundary firewall, for example in a coffee shop, hotel or conference centre, the host-based firewall on your device will act as your boundary.

Using a Virtual Private Network to transfer your boundary to the organisational firewall

A virtual private network or VPN is a technology that allows a secure and private connection on the internet. There are several different types of VPN and they don't all provide the same level of security.
To meet the Cyber Essentials requirements, the only secure option is a corporate VPN which is a direct single tunnel that connects remote workers back to their organisation's office location, or to a virtual or cloud firewall. The corporate VPN must be administered by the organisation so that the firewall controls can be applied. 

Secure authentication 

When accessing accounts over the internet, in addition to passwords, user identity must be confirmed with multi-factor authentication (MFA) wherever this is available. This is even more important for remote workers who are potentially logging in via an untrusted network.

If multi-factor authentication (MFA) is enabled on an account, you have to perform two or more steps to gain access to it. These may include entering your regular password plus a number that is sent via a text or email, a fingerprint or face scan, or a verification process on an authenticator app. According to Microsoft, using MFA blocks 99% of all password safety issues.

It is not, however, always necessary to have MFA enabled on every single service. Some authentication methods link the sign-in of one account to the sign-in of an existing trusted account where MFA is already in use. Whether you sign in to an account directly or indirectly, what makes the login secure is that MFA is required.

The NCSC recommends the following forms of MFA, in order of effectiveness:

  • Using a physically separate extra factor - such as a FIDO2 key

  • Using an authenticator app on a trusted device as an extra factor - such as Google Authenticator or Microsoft Authenticator

  • Using an app-based code generator - an app is used to generate a one-time code

  • Using a hardware-based code generator - a physical token is used to generate a code

  • Using a message-based method - an email, SMS message or voice call

See https://www.ncsc.gov.uk/collection/mfa-for-your-corporate-online-services/recommended-types-of-mfa for details.

Each method varies in security and usability features. For more information about authentication methods, please read Bulletproof your passwords.

Remote Desktop Protocol (RDP)

Remote Desktop Protocol enables a user of a computer in one location to access a computer or server somewhere else. This is often used by technicians to support users and to carry out maintenance tasks.

Remote Desktop Protocol is a common entry point for ransomware and should only be used on internal networks.

Close or block the RDP port at the firewall so that it is not open for use across the internet.
Where possible, rather than using remote connections, utilise cloud services such as OneDrive or Google Drive. Cloud services need to be correctly configured and users need to have training to understand how to use them securely. 
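
One way to check two of the firewall points above on a Windows device: that the host-based firewall is turned on, and that the RDP port is not allowed in from any address. This is an added example, not part of the original guidance; it assumes Windows with the built-in NetSecurity cmdlets and RDP on its default port 3389.

```powershell
# Added example, not IASME's own tooling. Read-only audit for a Windows device;
# run it in an elevated PowerShell session. It reports and changes nothing.
$RdpPort = '3389'   # Assumption: RDP is listening on its default port.

# 1. Host-based firewall: every profile (Domain, Private, Public) should be on.
$profilesOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
if ($profilesOff) {
    Write-Warning ("Firewall is OFF for profile(s): " + ($profilesOff.Name -join ', '))
} else {
    Write-Output 'Firewall is enabled on all profiles.'
}

# 2. RDP exposure: enabled inbound allow rules that name the RDP port.
#    Rules written as a port range or as "Any" are not matched by this filter.
$rdpRules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -contains $RdpPort } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
    } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = $remote -join ', '
            # "Any" means the rule accepts connections from every address, so RDP
            # is reachable on whatever network the device joins.
            OpenToAny     = $remote -contains 'Any'
        }
    }

if (-not $rdpRules) {
    Write-Output "No enabled inbound allow rule names port $RdpPort."
} else {
    $rdpRules | Format-Table -AutoSize
    $open = @($rdpRules | Where-Object OpenToAny)
    if ($open.Count -gt 0) {
        Write-Warning "$($open.Count) rule(s) allow RDP from any address. Disable them or restrict RemoteAddress to internal ranges."
    }
}
```

The same question applies to the boundary firewall: check there that no rule forwards the RDP port from the internet to an internal machine.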
 

Remote Working Procedure and Policy  

 If you are allowing users to connect to the organisational network remotely, ensure security requirements are explicitly referenced in any agreements and that the policies reflect behavioural expectations and security expectations, even in the home environment.  

Organisations should ensure that policies and procedures that support remote working are reviewed regularly. 

 

© The IASME Consortium Ltd 2025 All rights reserved.
