Security in a Work From Home situation

The current crisis created by the Corona virus and the lockdown has forced most companies to permit their IT workers to work from home. This has simultaneously created issues in meeting the security requirements related to operations and in the policy corrections that need to be made. The two are interrelated.

Some of the large companies had already enabled BYOD on their network. Some of them might have also moved to a Zero Trust Architecture, linking access to device identity and user identity, possibly with multi-factor authentication. Such companies have allowed the registered devices (laptops or desktops) to be carried home so that employees can log on to the corporate network as securely as they were otherwise doing, except that they will be coming in through public internet access instead of an internal network.

However, there is a need to ensure that the working environment within the house is as secure as it can be, as per the physical security policies that the organization would currently be adopting. There is no physical guard to prevent entry of unauthorised persons into the work room, and there is no guarantee that the worker has not allowed his friends to look over his shoulder at what he is doing, or that his network has not been compromised in some manner.

Some of these issues have to be controlled by making the employee responsible for physical security as if he is the guard himself. An undertaking to this effect has to be taken, along with the awareness training that is required to make the individual realize that the company is today an “Aggregation of Each of its employees” and each work unit represents the employee and his working computer along with its surroundings.

Every employee should be asked to take a video of the surroundings under which he works and register it with the company.

The Company may declare that the surroundings under which the person works will be the “Work place” and “Belongs to the Company”. The work space therefore becomes the extended work space of the organization and the employee continues to work within the “Premises”. The only difference is that the “Premises” has disintegrated and moved to different locations.

In a way the “Virtualization” concept gets re-defined by virtualization of the work space surrounding the virtual data space.

If possible, the Company should incorporate this in the Work From Home (WFH) Policy.

The Company should also declare in the WFH policy that until further notice the employee would be the IS manager for his work environment and would be personally responsible for any data breach arising out of his negligence.

In order to enable the individual to understand his IS role, immediate training on the broad requirements of the employee in his extended role should be provided.

If the working person and work place are secured from intrusion, then device security can be handled through appropriate software devices that create secure connectivity and also enable the centralized IS team to audit each device remotely to ensure that the individual has not compromised the configuration that has been set by the company.

If the devices used are enabled with audio and video capabilities, the security agent should be enabled for auditing the environment by randomly taking a snap of the employee and listening to sounds captured by the device to ensure that no third party is shoulder surfing.

Yes, this is spying on the employee… not permitted under Privacy considerations… but essential in the extraordinary circumstances in which we are now functioning.

Comments?….

Naavi


2 Responses to Security in a Work From Home situation

  1. V Rajendran says:

    Your points about Work from Home are absolutely valid. In fact, these are exactly the points which I also said in an interview on the topic of “Security concerns and Hacking attempts while Working from Home” given to Puthiya Thalaimurai Tamil TV’s English telecast yesterday. The point on ‘extended office space’ and should be permitted to keep the video and audio on always and permitted to capture the same… are all innovative to Naavi and original ones. I am guided suitably and thanks. On the question of ‘spying’, I don’t think this can be called spying. After all, in an office, there can be cameras in the work place everywhere. This should be taken as an extended work place. And there must be clearly worded bilateral contracts enabling this, with the Work From Home Policy providing for it.

    • Durai Kannaiyan says:

      While agreeing to enhance and derive policies on Work from Home, on the point of capturing audio and video we may need to brainstorm. As someone said somewhere, home is the place for the family members with their own liberty and privacy to roam around; capturing video may impact them, as everybody cannot afford an ideal office-like setup at home.

      Moreover, in my office we don’t have cameras in the work place… only at the entrance. Also we have strict policies on privacy compliance. The current Corona situation will lead to new policies for the industry.
