Protect your business online

Remote access security issues

Guide

Remote access is a growing need for many businesses. It allows mobile workers or remote staff to access office systems and processes via the internet from remote locations. Despite its many benefits, remote access can expose your business to risks.

You will have to manage these risks to keep your remote access secure at all times. Otherwise, your network may become vulnerable and your business data exposed.

Remote access threats

Remote working relies on the exchange of business data or services outside of the corporate infrastructure, typically over the internet. It can be achieved through a variety of client devices, including many that are outside the organisation's control.

The remote environment in which these devices are used may also pose risks. For example, security concerns may exist around:

  • lack of physical security controls - creating a risk of device loss or theft
  • eavesdropping - as the information travels over the public internet
  • unauthorised access to systems or data - perhaps overlooking the screen
  • monitoring and manipulation of data - if someone gains access to the device

You can adapt most of the common cyber security measures to meet the unique challenges of remote access security.

Remote access risk assessment

You should assess the specific risks associated with mobile working and providing remote access to staff. The assessment will inform your mobile working policy, establishing processes for:

  • authorising users to work remotely
  • device provisioning and support
  • the type of information or services that can be accessed or stored on devices
  • the minimum procedural security controls

Examine the risks to your corporate network and systems and determine whether you need to increase monitoring on remote connections. If you do so, remember to review and update your workplace monitoring policies.

Remote access security measures

Some specific recommended actions for securing your remote access include:

  • encrypting data to prevent theft
  • using strong firewall and security software
  • using two-tier authentication (eg first with a password and then with a token)
  • restricting access to unauthorised users
  • allowing access to legitimate users but limiting to the minimum services and functions required
  • reviewing server logs to monitor remote access and any unusual activity
  • deleting remote access privileges once they are not needed
  • testing system regularly for vulnerabilities
  • keeping firewall and remote access software patched and up-to-date

You may also choose to restrict the type of data that users can access remotely and use the virtual private network (VPN) software for high level of encryption.

If you're introducing remote access to your business for the first time or scaling it up, you should read the National Cyber Security Centre's (NCSC) guidance on moving your business from the physical to the digital and home working: preparing your organisation and staff.

If your staff is working on personal devices rather than work issued IT, read about secure home working on personal IT.