Remote access is a growing need for many businesses. It allows mobile workers or remote staff to access office systems and processes via the internet from remote locations. Despite the many benefits, remote systems can expose your business to many risks.
You will have to manage these risks to keep your remote access secure at all times. Otherwise, your network may become vulnerable and your business data exposed.
Due to the COVID-19 situation, many businesses are encouraging staff to work from home. This presents new cyber security challenges that must be carefully managed.
If you're introducing or scaling up home working, read the National Cyber Security Centre's new guidance on Home working: preparing your organisation and staff.
If your staff are working on personal devices rather than work-issued IT, see the guide on Secure home working on personal IT.
Remote access threats
Remote working relies on the exchange of business data or services outside of the corporate infrastructure, typically over the internet. It can be achieved through a variety of client devices, including many that are outside the organisation's control.
The remote environment in which these devices are used may also pose risks. For example, security concerns may exist around:
- lack of physical security controls - creating a risk of device loss or theft
- eavesdropping - as information travels over the public internet
- unauthorised access to systems or data - perhaps by someone overlooking the screen
- monitoring and manipulation of data - if someone gains access to the device
You can adapt most of the common cyber security measures to meet the unique challenges of remote access security.
If you're introducing remote access to your business for the first time, read the NCSC's guidance on moving your business from the physical to the digital.
Remote access risk assessment
You should assess the specific risks associated with mobile working and providing remote access to staff. The assessment will inform your mobile working policy, establishing processes for:
- authorising users to work remotely
- device provisioning and support
- the type of information or services that can be accessed or stored on devices
- the minimum procedural security controls
Examine the risks to your corporate network and systems and determine whether you need to increase monitoring on remote connections. See how to set up workplace monitoring policies.
Remote access security measures
Some specific recommended actions for securing your remote access include:
- encrypting data to prevent theft
- using strong firewall and security software
- using two-factor authentication (eg first with a password and then with a token)
- blocking access by unauthorised users
- allowing access to legitimate users but limiting it to the minimum services and functions required
- reviewing server logs to monitor remote access and any unusual activity
- deleting remote access privileges once they are not needed
- testing systems regularly for vulnerabilities
- keeping firewall and remote access software patched and up-to-date
You may also choose to restrict the type of data that users can access remotely.
Virtual private network (VPN) software will give you a high level of encryption to access your network remotely. Read about VPNs and advanced computer networks.