The current crisis created by the Corona virus and the lock down has forced most companies to permit their IT workers to work from home. This has simultaneously created issues in meeting the security requirements related to the operations and also the policy corrections that needs to be made. The two are inter related.
Some of the large companies had already enabled BYOD on their network. Some of them might have also moved to Zero Trust Architecture linking access to device identity and user identity possibly with multi factor authentication. Such companies have allowed the registered devices (Laptops or Desktops) to be carried home so that they can log on to the corporate network as securely as they were otherwise doing except that they will be coming through a public internet access instead of an internal network.
However there is a need to ensure that the working environment within the house is as secure as it can be as per the physical security policies that the organization would be currently adopting. There is no physical guard to prevent entry of unauthorised persons into the work room, there is no guarantee that the worker has not allowed his friends to look over his shoulder on what he is doing and also his network being compromised in some manner.
Some of these issues has to be controlled by making the employee responsible for the physical security as if he is the guard himself. An undertaking to this effect has to be taken along with the awareness training that is required to make the individual realize that the company is today an “Aggregation of Each of its employees” and each work unit represents the employee and his working computer along with its surroundings.
Every employee should be asked to take a video of the surroundings under which he works and register it with the company.
The Company may declare that the surroundings under which the person works will be the “Work place” and “Belongs to the Company”. The work space therefore becomes the extended work space of the organization and the employee continues to work within the “Premises”. The only difference is that the “Premises” has dis-integrated and moved to different locations.
In a way the “Virtualization” concept gets re-defined by virtualization of the work space surrounding the virtual data space.
If possible, the Company should incorporate this in the Work From Home (WFH) Policy.
The Company should also declare in the WHF policy that until further notice the employee would be the IS manager for his work environment and would be personally responsible for any data breach arising out of his negligence.
In order to enable the individual to understand his IS role, an immediate training of the broad requirements of the employee in his extended role should be provided.
If the working person and work place is secured from intrusion, then the device security can be handled through appropriate software devices that create a secure connectivity and also enabling the centralized IS team to audit each device remotely to ensure that the individual has not compromised the configuration that has been set by the company.
If the devices used are enabled with audio and video capabilities, the security agent should be enabled for auditing the environment by randomly taking a snap of the employee and listening to sounds captured by the device to ensure that no third party is shoulder surfing.
Yes..this is spying on the employee… not permitted under Privacy considerations…but essential in the extraordinary circumstances in which we are now functioning.