Determining what level of employee remote access is appropriate for your institution is an important decision. If you provide no remote access to employees, you risk lower productivity and less business continuity options. If you provide access to everyone, the attack surface for your institution is larger and requires more controls and oversight. This week, we provide some key questions to answer as you determine the proper level of employee remote access.
- What needs are you addressing? Start by asking what needs remote access will address so that you can identify what users need access. Common needs include:
- connectivity for remote employees;
- access for key IT staff to manage systems when problems occur after hours;
- business continuity planning;
- convenience for employees.
Once needs are identified and the number of users identified, an assessment should be performed to determine if the cost of securing remote access is really worth the benefit that the institution gets from this access.
- Where can employees connect from? One key decision to make is whether employees will be allowed to connect from any computer, or whether you will only allow connectivity from company-controlled devices. Your institution likely devotes a lot of resources to ensuring that employee PCs are patched and protected by several levels of security controls. Allowing an employee to connect from their own PC to your network may expose the network to infection from a non-controlled system. Implementing controls to limit access to company-controlled devices will add cost to the solution but will reduce the risk of these remote connections.
- What method will employees use to connect? The most common way for employees to remotely connect is by using a VPN client to connect their computer directly to the network. This is fairly simple to implement but may expose the bank’s network to whatever threats are present in the network that the employee is using. Another common method used is to implement a virtual desktop solution that connects remote employees to a desktop on a server. An added benefit of a virtual desktop is that it can also mitigate (with proper controls) the risk of employees using their own PCs to access remotely. Virtual desktops mitigate the risk of a direct VPN connection, but employees may find that the remote desktop is not as responsive as a local desktop would be and that some functionality is missing.
- What will remote employees be able to access? Any remote access method can be configured to limit access to only the internal systems that the employee needs access to. In a VPN connection, this usually means limiting the IP addresses that are accessible by the remote employee. In a virtual desktop environment, it usually means that the employee will only have icons on the virtual desktop for the applications that are deemed necessary. Implementing controls to limit the scope of remotely accessible systems increases the complexity and cost of implementing and managing the solution, but effectively mitigates the risk that an unauthorized person is able to gain unrestricted access to the network.
Assessing risk is a key function of an information security program. Knowing what risk to accept, what controls to put in place, and what risk you aren't willing to take on can be a big task. And in today's world more and more employees are pushing for remote employee access.
If you struggle to feel confident knowing what risk you should and shouldn't take on we have a solution for you!
Our Risk Management Module helps you understand where your cyber risks are and what controls you have in place to reduce that risk. Your vCISO Specialist will perform a Risk Assessment, along with a Cybersecurity Assessment Tool analysis and will help you prioritize what you should work on and where you should focus. You also get up to three risk assessments of new technology being considered by your institution.
Deliverables:
- Risk Assessment Workbook & Management Report | Annually
- Cybersecurity Assessment Tool Analysis & Report | Annually
- Risk Appetite Statement & Report to Management for Board Approval | Annually
- Up to 3 New Technology Risk Assessments | Annually
