Telework: Addressing Information Security Issues

Posted by Tobias Eichenseer Thu, 08 Jan 2015 14:55:00 GMT

In our last post on teleworking, we discussed how remote working is gaining momentum and becoming more widespread. If a company implements, or is planning to implement, teleworking policies, there are a series of steps to take in order to address security implications.

Creating a Secure Teleworking Program
Prior to establishing teleworking policies, organizations must address information security issues by first defining requirements for both employees and employers. To ensure the security of teleworking, the following aspects should be considered:

1. The employer must determine whether to issue a company-owned device or allow employees to use a personal device for remote working. If the employer provides a computer, the employer can control what is installed and which activities are allowed or prohibited (such as instant messaging).

2. The teleworking policy should state what software is required for the employee to work remotely and what software types are forbidden on the computer.

3. If the network connections are secured incorrectly, sensitive corporate data can be intercepted during the data transmission between the home and the office network. To mitigate this risk, a virtual private network (VPN) is the best practice for securing communication to the organization’s internal network. When connected to the organization’s network, all transmissions should be encrypted, both coming from and going to the corporate network.

4. If the remote worker accesses the organization’s network from home, the organization should consider implementing a two-step authentication method, using two of the three commonly available authentication techniques (knowledge-based, object-based and ID-based). For instance, using a password and a security token is a good defense mechanism, as it forces an attacker to steal both the password and the physical token to gain access.

5. The operating system and all applications should be kept up-to-date. By regularly updating the device’s operating system with the latest patches and other software fixes, attackers cannot take advantage of software flaws that would otherwise be utilized to facilitate a hack.

6. The teleworking policy must describe what security features must be installed and maintained on the computer. Anti-adware/anti-spyware software, antivirus software and firewalls are just some of the best-practice security features.

7. Employees should be trained on security procedures.

8. The policy should explain to whom the user will report in case of suspicious activity on the computer. Support personnel should be ready to advise employees on how to configure the computer and the employee’s home networks for utmost security.
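The password-plus-token check from item 4, as an added example (not part of the original post and not HOB's code): the server verifies both factors on every attempt and refuses a token code that has already been used. It assumes the "security token" is a time-based one-time-password token (RFC 6238); `Account`, `login` and `token_code` are hypothetical names, and the secret in the demo is constructed.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 600_000   # assumption: work factor, tune to your hardware
STEP = 30                 # assumption: seconds each token code stays valid


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: slow salted hash, so a stolen database is costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226); a time-based token feeds it counter = unix_time // STEP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record for one teleworker."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.token_secret = token_secret
        self.last_counter = -1    # highest time step already used for a login


def login(account: Account, password: str, code: str, now: int) -> bool:
    """Grant access only if BOTH factors verify; never reveal which one failed."""
    password_ok = hmac.compare_digest(
        hash_password(password, account.salt), account.password_hash)

    matched = None
    current = now // STEP
    for counter in (current - 1, current, current + 1):   # tolerate clock drift
        if counter <= account.last_counter:
            continue              # this code (or an older one) was already used
        expected = token_code(account.token_secret, counter)
        if hmac.compare_digest(expected.encode(), code.encode()):
            matched = counter

    if password_ok and matched is not None:
        account.last_counter = matched            # burn the code: no replay
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values: the shared secret is the RFC 4226 test secret.
    acct = Account("correct horse", b"12345678901234567890")
    now = 59
    code = token_code(acct.token_secret, now // STEP)
    print("password + token:", login(acct, "correct horse", code, now))
    print("same code replayed:", login(acct, "correct horse", code, now))
    print("password only:", login(acct, "correct horse", "", now + STEP * 5))
```

A failed attempt does not consume the token code, so a mistyped password does not lock the user out of the current time step.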

Conclusion
In today’s work environment, teleworking is increasingly being discussed as organizations analyze remote workforce options. VPNs create new possibilities that allow people to work from home and connect seamlessly and securely to the organization for which they work. By taking the necessary defensive measures and enforcing a secure teleworking environment, security risks can be minimized.

If you are looking for a reliable teleworking solution, we recommend having a look at HOB RD VPN, the comprehensive Secure Remote Access Suite “Made in Germany”. When using HOB RD VPN, companies benefit from SSL-encrypted connections, modern authentication methods and a maximum of usability. More information on HOB RD VPN can be found on our website: www.hobsoft.com


4 Critical Advantages of Pure Software VPN Solutions

Posted by Stefanie Kober Tue, 28 Oct 2014 14:08:00 GMT



Most companies are turning to virtual private networks (VPNs) to reduce costs and increase security and performance. By using a public network, VPNs can connect off-site users, such as teleworkers and remote workers, vendors, and customers, to a larger centralized network. A VPN is considered as important as the internet connection itself, therefore choosing the right VPN solution is essential.

VPN Solutions
There are several different VPN solutions in the market today, therefore extra caution must be taken to ensure that the best possible decision is made when choosing a business VPN solution.
The two main product categories are dedicated VPN hardware appliances, and software VPNs (also called server-based VPNs). In the case of software VPNs, the VPN endpoint is actually software running on the device itself, whereas a hardware VPN is a virtual private network based on a single, stand-alone device.

The following four key points highlight how software VPNs are superior to hardware VPNs:

 

  1. Cost-Effective
    VPN software is generally considered to be a relatively low-cost way to deploy a VPN; dedicated hardware VPN appliances are more expensive than a software VPN because, generally, the VPN software is installed on an existing device. This means there is virtually no other investment required apart from software upgrades.

  2. Easy Network Management
    A further advantage to the software VPN approach is that the network does not change. No additional devices need to be installed, and management of the network remains the same. In contrast, a VPN appliance involves adding a new piece of equipment to the network, therefore increasing the complexity of the networking environment.
     
  3. Less Training
    Another benefit is that generally, less training is required in the case of software VPNs. Conversely, in hardware VPNs, the IT staff would require more intensive training since the configuration and management tools will probably be different than the ones used on the corporate routers.
     
  4. Performance and Scalability
    The performance factor is equally important. The ability to expand the VPN to support more sites or users should not be underestimated when choosing a VPN. Pure software VPN solutions benefit from high scalability. This is not the case for a hardware VPN. If a company were to start with a VPN appliance designed to support 50 simultaneous VPN sessions, and later experience considerable increases in personnel, the VPN would need to accommodate more users. Scaling up the VPN would require the purchase of more appliances. Selecting a VPN that is not scalable can easily double the cost if or when the VPN capacity is outgrown.


SSL VPN
When choosing a VPN, special attention should be paid to the merits of the various deployment models (SSL VPN vs. IPsec VPN). Modern, pure software SSL VPNs do not require the installation of specialized client software on the end user’s computer. This translates to high scalability and the ability to support many different platforms (such as Windows®, Mac, Linux/Unix), from virtually any device. SSL VPNs enable a secure server-based computing environment with strong SSL encryption and strong authentication.

HOB RD VPN is a very performant software SSL-VPN solution, which was only recently certified by the German Federal Office for Information Security. If you are interested in VPN solutions, don’t hesitate to visit our website www.hobsoft.com and inform yourself about HOB software solutions “Made in Germany”.
 


Cybercrime Prevention Tips (Part 2)

Posted by Stefanie Kober Thu, 23 Oct 2014 13:24:00 GMT



In one of our previous blog posts, we started our discussion with cybercrime prevention tips. In the following article, we shall further provide advice on how to prevent cyberattacks, with a more in-depth focus on mobile technology and deployments.

Preventing Cybercrime
Many cybercrime attacks can be avoided with the implementation of straightforward preventative steps. Cyber criminals prefer to attack easy targets, thus the more difficult you make their job, the more likely it is that they will move on to an easier target.
By implementing the following precautionary measures, you can effectively fight cybercrime:

 

  1. Protect your computer with security software
    Several necessary security software elements are required for basic online security. Antivirus programs and firewalls are just two examples of security software essentials. Generally, a firewall is the first line of cyber defense, as it controls who and what can communicate with your computer online. Firewalls block connections to unknown or phony sites, and will prohibit certain types of viruses and intruders. Antivirus software monitors all online activities such as e-mail messages and Web browsing, offering protection from viruses, worms and other types of malicious programs. More recent versions of antivirus programs also protect from spyware and potentially damaging unwanted programs, such as adware.   
     
  2. Secure your mobile device
    Mobile devices, such as smartphones and tablets, are also vulnerable to cyberattacks; these devices are attacked by cyber criminals in a similar way to computers. A more in-depth look into smart phone security can be found here.
    When smartphones are used for business purposes, a number of safety practices should be followed, such as not saving any sensitive business data directly on the device, to prevent unauthorized data access.
     
  3. Turn off location settings
    Numerous smartphones, tablets and even some digital cameras now come GPS-enabled, allowing geotagging (the addition of GPS coordinates to your online posts or photos), which is especially popular with photos. A geotagged photo is the most marked threat for the user’s personal privacy and security.
    The problem with such location-based services is not the information they provide, but rather the information they might also provide to other parties. Providing information about your current location is risky, but even more precarious, the data may be permanent and searchable, allowing criminals to build up a clear picture of your activities through time.
    To mitigate these risks, the best thing to do is to completely disable the location settings when requested by applications and refrain from using geotagging. Alternatively, in some cases, these may be turned on only when you specifically need it, then turned off again immediately after; even in this scenario, only a restricted number of friends should be able to see the information of where you are and where you have been. 
     
  4. Secure your offsite workers
    Offsite workers, such as teleworkers and remote workers, including vendors and customers, making use of any type of mobile device (e.g., laptops, smartphones and tablets) should be equipped with remote access solutions or other modern solutions, so as to assure a secure access to the corporate network.
  5. Back up critical data
    Although this is not strictly a way to prevent cybercrime, backing up critical data is a crucial step in the event of an attack. Recovery of data and return to normal operations is essential for business continuity; any down time to mission-critical systems may be harmful. Details of the backup processes should be part of the business continuity and disaster recovery plans.
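The geotagging risk described in tip 3, as an added example (not part of the original post): a Python check that reports whether a JPEG's Exif block carries GPS latitude and longitude tags, and that removes the Exif segment before the photo is shared. It goes beyond the tip's advice to disable location settings by covering photos that were already taken; the function names and the sample bytes are constructed for illustration.

```python
import struct

APP1, SOS, EOI = 0xE1, 0xDA, 0xD9
EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825                  # IFD0 tag that points at the GPS IFD
GPS_LATITUDE, GPS_LONGITUDE = 0x0002, 0x0004


def segments(jpeg: bytes):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated segment")
        yield marker, pos, end
        pos = end


def ifd_tags(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: value_or_offset} for one TIFF directory, bounds-checked."""
    if offset + 2 > len(tiff):
        return {}
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    tags = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        if entry + 12 > len(tiff):
            break
        tag, _type, _count, value = struct.unpack_from(endian + "HHII", tiff, entry)
        tags[tag] = value
    return tags


def gps_tags(jpeg: bytes) -> set:
    """Return the GPS IFD tag ids present in the photo's Exif data."""
    for marker, start, end in segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_HDR):
            continue
        tiff = payload[len(EXIF_HDR):]
        if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
            continue
        endian = "<" if tiff[:2] == b"II" else ">"
        magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
        if magic != 42:
            continue
        gps_offset = ifd_tags(tiff, ifd0, endian).get(GPS_IFD_POINTER)
        if gps_offset:
            return set(ifd_tags(tiff, gps_offset, endian))
    return set()


def is_geotagged(jpeg: bytes) -> bool:
    return {GPS_LATITUDE, GPS_LONGITUDE} <= gps_tags(jpeg)


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy without any Exif APP1 segment; everything else is kept."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in segments(jpeg):
        if not (marker == APP1 and jpeg[start + 4:end].startswith(EXIF_HDR)):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                     # scan data and EOI, copied verbatim
    return bytes(out)


def sample_photo() -> bytes:
    """Constructed input: a JPEG shell (no image data) with a GPS-tagged Exif block."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                       # IFD0 at offset 8
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 2)                                     # GPS IFD at offset 26
    gps += struct.pack("<HHII", GPS_LATITUDE, 5, 3, 56)
    gps += struct.pack("<HHII", GPS_LONGITUDE, 5, 3, 80)
    gps += struct.pack("<I", 0)
    coords = struct.pack("<6I", 10, 1, 0, 1, 0, 1) + struct.pack("<6I", 20, 1, 0, 1, 0, 1)
    payload = EXIF_HDR + tiff + gps + coords
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    comment = b"\xff\xfe" + struct.pack(">H", 13) + b"constructed"
    return b"\xff\xd8" + app1 + comment + b"\xff\xd9"


if __name__ == "__main__":
    photo = sample_photo()
    print("geotagged before:", is_geotagged(photo))
    print("geotagged after: ", is_geotagged(strip_exif(photo)))
```

Removing the whole Exif segment also drops orientation and camera data, and location stored in an XMP packet is not covered by this check.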


Keeping Balance

The most effective steps taken by a computer user to avoid being a victim of a crime render the user’s computer somewhat less convenient to use. Every user must balance how much security is considered enough to keep unauthorized intruders at bay. The German software developer HOB offers its customers the perfect balance between user experience and security. The Secure Remote Access Suite HOB RD VPN allows users to remotely access corporate files and servers from anywhere, at any time. Due to SSL-encryption and modern authentication methods, HOB RD VPN offers its users a maximum of security. The recent Common Criteria (EAL4+) certification is yet another independent proof for the high security level of HOB RD VPN. If you are interested in learning more about HOB products, please visit our website www.hobsoft.com.
 


Successful Home Offices Need the Right Management System and IT Infrastructure

Posted by Stefanie Kober Tue, 09 Sep 2014 12:26:00 GMT



In today’s culture, flexible work is quickly becoming the norm. This type of working arrangement is preferred by workers, with 72% of employees stating that flexible work arrangements cause them to choose one job over another*.

Ideally, a company or organization has a single performance appraisal for all employees, independent of where they are located. This implies that the basis for evaluation is the same amongst all workers, without any differentiation between on-site and remote workers.

Management by Objectives
In the 1950s, Peter Drucker invented the concept of “management by objectives” (MBO), whereby he explained that if the overall goals are to be achieved, each job in the company must contribute to the objectives of the whole organization. Workers are evaluated based on performance, rather than their physical location. This change in the style of leadership and corporate infrastructure leads to an increase in productivity, as the sheer physical presence is no longer defined as a positive accomplishment. It also clarifies the type of performance the organization requires of the employees, while simultaneously accentuating and rewarding good performance. Entrepreneur David Heinemeier Hansson states that the most important thing for remote work to succeed is creating a culture where the work itself matters.

Teleworking Programs Best Practices
Although employees are in different places, the work required remains the same. Nonetheless, remote working requires redesigning business processes, employing alternative technologies, and changes in managerial operations and communications.

Managing Remote Workers
An effective remote manager is no different than one who manages employees on-site; clear objectives and rules should be established, and the manager should know his or her employees. It is necessary that a performance evaluation process focuses on defining and tracking goals, achieving results, building leadership effectiveness, and driving employee engagement.

When managing home offices, management by objectives is advisable, as the work outcome is rewarded, rather than simply monitoring the employees’ activities via direct observation.

IT Infrastructure
For a successful teleworking program, data needs to be stored digitally, such that it can be accessed and processed virtually from anywhere. In addition to going paperless, the usage of mobile devices such as laptops enables people to work from wherever they are.

Therefore, apart from an adequate management system, remote working requires implementation of the right IT infrastructure. In order to accomplish this, the following major components of user-access management must be analyzed:
 

  • Users — defining the authorized users within and outside the organization
  • Assets — defining what needs to be protected by the organization and
  • Privileges — delineating which users require access to particular assets, and to what extent


Technology tools enable remotely located employees to access all (or selected amounts) of the company’s resources and software, such as applications, data and e-mail. Employees in home offices are connected via a networking infrastructure, enabling a company with a distributed workforce to securely connect its workers and teams; they also have the ability to share files securely and access the company’s databases, file sharing and telecommunications. This allows for:
 

  • Web-based remote access
  • Safe and secure mobile device connection to enterprise data and 
  • Wireless networks within company facilities


Deployment of Collaborative Technologies

High quality communication is of vital importance, particularly with remote workers. Affordable software-based collaborative tools increase productivity and effectiveness. These include:

 


Remote Access Choices
Remote access is rapidly becoming the preferred connectivity method for various business roles using several types of company or employee-owned devices. So a remote access solution must be flexible, secure and compatible with the anytime/anywhere resource access model and, ideally, no data is saved locally on the end device at any time. Thus, in the event that the device is lost or stolen, problems of data falling in the wrong hands are avoided.

Technological hurdles need no longer be a barrier to implementing work from home policies, which is also made more attractive for enterprises by the shift from managing employee presence to managing employee output/performance. This shift from central-office-centric work, to more flexible home-office work, is expected to continue to increase.

If you would like to find out more about home offices and best practices for remote access solutions, and also learn more about comprehensive company resource protection, please download this free eBook, Home Offices Made Easy.


Sources:
*The Edge Report - Robert Half International Survey, 2008, as cited by Jason Gregg, Tell Your Staff to Go home! The Complete Guide to Telecommuting: books.google.com/books?isbn=1619793628


Author: Hazel Farrugia
 


8 Things to Learn from a Data Breach Study (Part 2)

Posted by Stefanie Kober Tue, 12 Aug 2014 12:42:00 GMT



In our previous post on IT security, we discussed four key findings from a data breach study conducted by Ponemon Institute. In this article, we will discuss the remaining four key findings and outline preventative measures to avoid security breaches.

Key Findings (Continued)

5.    Cybercrime Costs Differ by Company Size, but Smaller Organizations Sustain a Significantly Higher Cost than Larger Organizations

While everyone is vulnerable to cyber-attacks, smaller organizations are more at risk. A common cyber-attack is the theft of sensitive data, and for a small organization, the loss of project files or customer databases can put them out of business.

Smaller companies (fewer than 20 employees) should implement a VPN for secure connectivity anytime, anywhere. Due to their ease of use and versatility, SSL VPNs are well-suited for small companies, allowing users to only access specific applications and services, and providing access to Web applications, Windows Terminal Servers and their applications or internal network connections.

6.    Information Theft, Followed by the Costs Associated with Business Disruption, Represent the Highest External Costs


Annually, information loss and business disruption (or lost productivity) account for 43% and 36% of external costs, respectively. (In the context of this study, an external cost is one that is created by external factors, including fines, marketability of stolen intellectual properties and litigation.)

Setting up strong network security is therefore crucial. Increasingly, more organizations are adopting SSL VPNs, which ensure a secure network connection through the use of encryption, single sign-on options, and firewalls.

In order to minimize costs associated with business disruption, it is imperative that all organizations have a contingency plan in place that outlines how to contain and recover from a substantial security breach. The IT staff must quickly solve the issue, hopefully restoring data from backup files, and returning systems to service without any significant downtime. Nonetheless, any downtime can be disastrous in the case of mission critical systems. 

7.    Recovery and Detection are the Most Costly Internal Activities


Combined, recovery and detection account for 49% of the total internal activity cost per year; cash outlays and labor account for most of these costs. This highlights the importance of back-ups. A data-backup policy is especially important if the organization has several laptops or other mobile devices that can be lost or stolen. To avoid data theft from lost or stolen mobile devices, no data should be downloaded to the device; rather, all data should be completely and securely located in the central corporate network.

8.    A Strong Security Policy Minimizes the Cost of Cyber Attacks


As expected, businesses that invest in a strong security policy and system are better off than their counterparts. This stresses the importance of a strong security policy, which provides the plan for the overall security program adopted by the organization.

Conclusion

As cybercriminals have become more sophisticated in their tactics, fighting cybercrime has become increasingly challenging for organizations worldwide. Although sustaining an organization’s security posture or compliance with standards, policies and regulations also comes at a cost, the benefits of strong security measures outweigh the plausible costs incurred by cyber-attacks.

Author: Hazel Farrugia


8 Things to Learn from a Data Breach Study (Part 1)

Posted by Stefanie Kober Thu, 07 Aug 2014 13:00:00 GMT



Recently, the sophistication of cyber-attacks has grown significantly. Cybercriminals are specializing and sharing intelligence so as to steal sensitive data and disrupt critical business functions. Consequently, the topic of cybercrime has been kept top of mind as the repercussions of a cyberattack are costly and potentially very damaging.   

Key Findings
The study, 2013 Cost of Cyber Crime Study: United States, was conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products.

1.    Cybercrimes are Still Costly for Organizations

The average annual cost of cybercrime per organization was $11.6 million, an increase of 26% over the average cost reported in 2012. Considering this increase in cost, IT security should be a top priority for all organizations, as there is no single failsafe solution to protect against cybercrime.

2.    All Industries are Susceptible to Cybercrime

The average annual cost of cybercrime appears to differ according to industry segment; organizations in financial services, defense, and energy and utilities experience markedly higher crime costs than organizations in retail, hospitality and consumer products. The organizations facing higher security threats are not only at risk for financial loss due to cyber-attack, but are also more vulnerable to phishing attacks that could compromise sensitive customer data such as credit card, bank account and social security numbers.

3.    Denial of Service Attacks, Malicious Code and Web-based Attacks are the Most Costly Cybercrimes

These are responsible for more than 55% of all cybercrime costs to organizations. Denial of Service (DoS) is an attack which renders information or data unavailable to its intended recipients. Organizations using VPNs can mitigate such risks by configuring access control lists, a method of defining access rights to a resource (such as a file directory or individual file) according to user.
Malicious code is a piece of executable code designed to harm a computer or its information, or prevent normal computer operations. Malicious code can come from various sources, such as the Internet, infected diskettes, files received via electronic mail, and worms that exploit several system vulnerabilities. It could also be introduced via a disgruntled insider, who has physical access to a computer or network.
A multilevel strategy is required to effectively defend against malicious code, including physical security, password management, product selection, configuration and maintenance, user awareness and education, up-to-date anti-virus software for servers, clients, and electronic mail and adequate system backups.
Web-based attacks focus on an application itself, as application vulnerabilities could provide the means for malicious end users to breach a system's protection mechanisms. Generally, such attacks take advantage of or gain access to private information or system resources. To mitigate Web-based attacks, firewalls, reverse proxies, and intrusion detection and prevention systems (IDPS) should be used, which actively monitor for attacks and attempt to block or change the environment, thus preventing further attacks from reaching the protected application or system.

4.    Cyber-attacks Can Be Costly if Not Resolved Rapidly 

The results show a direct and positive relationship between the time required to contain an attack and the organizational cost. The results also demonstrate that both the cost and the time taken to resolve an attack increased from the previous year. Failure to resolve the problem quickly leads to prolonged business disruption and gives competitors a distinct advantage.

Conclusion

The results of the study reveal that no one is immune to cyber-attacks, which have the potential to inflict significant financial and reputational damage to the targeted organization. Stay tuned for Part 2 where we shall further discuss the findings of this data breach study and how organizations should protect themselves from becoming a victim of cyber-attacks.
  
Author: Hazel Farrugia


3 Main Security Concerns as revealed by HOB Remote Access Study

Posted by Tobias Eichenseer Tue, 05 Aug 2014 13:56:00 GMT

Remote access solutions are gaining prevalence as organizations are adopting the mobile workforce strategy, benefitting from increased productivity and reduced expenses. When evaluating and planning a VPN solution, it is essential to understand the security risks that are associated with this technology.

Top 3 Remote Access Security Concerns  
In fall of 2013, HOB conducted a research survey on the state of remote access in the US. Over 200 CTOs and CIOs were polled, and findings revealed three main concerns regarding remote access security issues.

1.    Hackers gaining access to the Network during Employee Remote Access Sessions

Hackers have succeeded in breaking through two-factor authentication and identifying and exploiting a vulnerability in a Web application to access an enterprise’s network. Therefore, it is not surprising that 66% of the polled respondents are concerned with hackers gaining access to the network during employee remote access sessions.
Organizations should implement safe and reliable VPNs which provide an adequate level of security, without compromising performance.

2.    Employees accessing the Network through their Personal Devices

Today, mobile devices such as smartphones, laptops and tablets have become an integral part of everyday life. As more organizations implement remote working policies, IT managers have less control over enterprise data from numerous devices. Furthermore, determining which devices are accessing which systems and data has become increasingly difficult.  
The repercussions of data breaches resulting from lost or stolen devices can be severe. In addition, IT managers generally lose data access visibility when multiple personal, unmanaged devices are connecting to the network simultaneously.
This highlights the importance of a comprehensive mobile workforce security policy, which should also include who is responsible for device maintenance and support, and which security measures should be implemented.

3.    Errors by the IT Team leaving the Network open to Intruders


Cyber-attacks are increasing in sophistication and frequency; the costs associated with cyber-attacks are not limited to monetary costs, but also encompass reputational loss and diminished competitive advantage. Security holes unintentionally created by the IT team may potentially lead to the exposure of sensitive enterprise data, financial fraud or even bankruptcy.
The results indicate that enterprises require new strategies in order to combat and prevent advanced cyber-attacks; IT teams should be wary of software and systems use and investigate any suspicious behaviors that are known to be associated with malicious activity.

Conclusion
As organizations make use of remote access to satisfy various business needs, securing the corporate network becomes a priority. The findings of this study stress the importance of a robust mobile workforce strategy.

If you would like to learn about the state of remote access in the USA, please download our free eBook “The State of Remote Access in the US”.
 


Author: Hazel Farrugia


5 Best Practices to Boost Remote Worker Productivity

Posted by Stefanie Kober Thu, 10 Jul 2014 10:44:00 GMT



Introduction:
Today, mobile workforces stay connected in and out of the office and use their devices for work and personal purposes. The ultimate goal of a remote working strategy is to increase productivity and reduce costs; indeed, studies by Best Buy, Dow Chemical and many others have proven that teleworkers are 35-40% more productive than their in-office counterparts.

The drafting and implementation of an organization-wide workplace strategy will ensure that end users at all levels of the organization will enjoy a positive experience. The following are five best practices that effectively boost remote workers’ productivity:

1. Maximize Employee Participation
Maximizing employee participation is the first step to maximizing employee productivity. Not all employees benefit equally from remote working; however, without a critical mass of users, the benefits will be limited. IT teams should not restrict solutions, such as mobile workplaces, to only those who “seem” to need it. Remote working allows employees to respond to colleagues and customers faster, therefore IT teams and managers should not deter employees from working anywhere and anytime.

2. Ensure Employees Have the Productivity Tools they Require

Employees should be encouraged to use a wide range of productivity tools which do not pose network security risks. However, if IT teams are uncertain how to handle such employee requests, they generally allow employees to use these tools without providing adequate security, or block the use of the tools entirely. Regardless of the circumstances, IT teams should circumvent security risks by deploying security solutions that allow employees to utilize tools without compromising the network security.

3. Free Use of Personal Apps and Services
Whether the device is personally owned or provided by the company, employees should be able to use their personal apps and services. Blocking an employee from storing their personal information with a cloud service provider is significantly different from ensuring corporate data does not end up in the public cloud. IT teams should focus on controlling data rather than controlling devices.

4. Offer Self-Service Support for Everyday Activities
There is a common notion that mobile devices will result in an increase in support costs; however, this is a misconception. Conversely, if the IT teams provide a self-service capability, particularly for routine activities, it usually results in decreased support costs. IT teams should stop short of supporting personal apps and services, but should invariably offer to assist with supporting business apps.

5. Support Wide Range of Devices
For the mobile workplace program to be widely adopted, the program should support a wide range of devices. Though challenges may arise, such as Android’s variability regarding support for on-device encryption and other enterprise-level security and management controls, the overall benefit is net positive.

The Future of Remote Working
The current trend towards remote working is expected to become even more prevalent in the future. With the right practices and controls in place, employee productivity can be maximized, without putting the security of the network at risk.

If you would like to learn about the advantages and limitations of mobile workplaces, and find out how to develop a strategy for mobile workplaces with the help of VPNs, please download our free eBook “Home Offices Made Easy”.

Author: Hazel Farrugia
