It is becoming very obvious that, in the coming days and weeks, a significant proportion of the workforce will be asked (forced?) to undertake their duties from home. This will necessitate some forward thinking in order to make the operation as seamless as possible.
Please be aware: this is not exhaustive advice – iTWire does not know the details of your business or its computing infrastructure. You should treat this as a useful starting position and adapt it to your needs. What is discussed here is an amalgam of common sense, various reports across the Internet, and also material from the Australian Signals Directorate.
First, we will deal with the major points that will apply to employers and how they can facilitate the process. There will be a second report discussing the needs and requirements for employees.
Every organisation MUST develop a robust 'work from home' policy and surrounding rules / procedures. This ought to include these major points:
- A definition of 'work from home.' This should be flexible enough to describe the needs, habits and situation of pretty well every employee required to undertake this activity. Consider including this definition in the job description of every employee.
- An acceptance that work output is more important than work hours - staff members may have children or elderly people in the house who may need intermittent attention. As long as the expected work is completed, the total hours and time of day are not important. Micro-managing cannot possibly work!
- OH&S. For the duration of any 'work from home,' the home must be considered to be an extension of the workplace. This means that any incidents directly work-related should be subject to WorkCover (whatever the name of the agency is in your location) and dealt with by them. This also means that, just like your normal workplace, there are a number of ergonomic and safety requirements that should at least be considered. Most homes have smoke detectors - these should be checked.
- Further, since no organisation would be able to visit every home for safety checking, it would be wise to develop a simple checklist for each employee to use as a basis for broad compliance. Questions such as safe exit strategies in the case of emergencies, sufficiently comfortable workstations etc. ought to be included. In addition, a simple education module (perhaps a PPT presentation) could be used as evidence that workers have received suitable training. Some have also suggested that a simple video conference tool might be used for the facilities manager to view the intended working location and how the space will be utilised. Based on the review, employees may be encouraged to obtain better furniture (perhaps via salary sacrifice) or even collect their current office chair to take home for the duration. They might also take additional monitors, keyboards and so on from their normal desk to replicate the full working environment as much as possible.
- There must be a robust communication structure in place as this will have to take the place of formal conversations, meetings, casual chats etc. Skype, Microsoft Teams, Slack, Trello (and others) can easily support this. Most businesses ought to have at least one of these in place already, although additional licensing and configuration may be required.
- Probably one of the most difficult aspects is security of workplace 'secrets.' Most workplaces are relatively secure and obviously the greater the 'secret' the better the systems are for securing information - locked safes etc. However, when used at home, these secrets are more difficult to protect. Each organisation will have to decide for itself, but the simplest solution is probably a blanket ban on holding hard copies of secrets.
- Enhance the education for staff on their ability to manage their time and resources without the close attention of managers and technical staff. Surely you trust them, but there's nothing like a few good hints.
From a technical perspective, there are many aspects to consider. Broadly however, we will assume that all work from home employees will be using a company-provided laptop which has full anti-malware protection and access to VPN client software or some form of remote desktop client (perhaps both).
- You should immediately load-test your remote access solution. With every employee working from home, your servers and communications infrastructure will be stressed like never before. Make sure you can handle the full throughput on your existing internet connection and your array of servers.
- Ensure EVERYTHING is fully patched and up to date. The 'bad dudes' will be loving the opportunity to attack channels not normally available to them.
- Confirm that regular security patching (for all installed products) will continue to function when none of the client computers are inside the building.
- Determine how you will direct incoming phone calls to the person at home. Most modern systems will permit a call-forward to a mobile, but you will need to have every person configure this - many will be using personal mobile phones or home fixed lines, and won't particularly want the company or customers to know the number.
- Consider enhancing your systems to permit multi-factor authentication. This may be difficult to achieve in the limited timeframe available, but may be considered in the context of prudent updates in the mid-term future.
More generally, now (right now!) would be a great time to review all aspects of your business continuity planning along with broad advice to all team members regarding public statements and unauthorised communications outside of the corporate umbrella.
Further advice is also available at SANS.
Tomorrow, some guidance for employees. Please, any suggestions, additional contributions or comments gratefully accepted in the feedback section below (I'm sure I've forgotten something!).