An increasing number of companies are adopting teleworking, a fast-growing practice that is popular with employees. Companies adopting this trend should nevertheless take a few precautions, in order to avoid unpleasant surprises in terms of data protection.
The reform of the French Labour Code in September 2017 further expanded the legal framework for teleworking in France. Employees can now exercise their professional activity outside company premises on a more or less regular basis.
According to a survey conducted in 2017 by RH Kronos more than two French people in three are favourable to the development of teleworking, even though barely 17% practice it more than one day per week. This is a long way from the European average of 30%.
Teleworking: a popular practice but with attendant IT risks
In a recent survey by a cybersecurity player, 86% of employees interviewed said that they used their personal computer for business purposes. At the same time, 42% said that they did not update their security regularly, compared to 70% of their German counterparts. So the development of teleworking, where employees have regular access to sensitive business information, could well be the stuff of nightmares for IT managers.
Three types of risk in particular must be planned for:
- employees being unable to access the resources they need in order to work,
- contamination of the business network by a security breach on the employee's computer (and vice versa),
- leaked or lost data.
Raising employee awareness concerning the IT risks of teleworking
To prevent this type of problem, it is clearly essential to raise user awareness of IT security issues linked to teleworking. Teleworkers need regular reminders concerning good practices: regular antivirus updates, separate personal and professional emails, external peripherals (USB sticks, hard disks, etc.) used only when necessary to transfer data from one computer to another, and so on.
"It is essential to raise awareness but not sufficient in itself", warns Jocelyn Krystlik, Manager of the Data Security Business Unit at Stormshield. "It is simply not realistic today to place an overwhelming burden on users. Businesses cannot rely solely on this type of preventive measure for their IT security."
Protection solutions based on identification systems and cloud technology
Businesses need to implement practical measures and technical solutions to limit the IT risks arising from teleworking.
- Profiling teleworkers. For the company, it is essential to plan ahead and to establish the profiles of teleworkers, based on their attributions and the sensitive information to which they may or may not have access. . The security mechanisms will not be the same for full- or part-time teleworkers, and those who require only occasional weekend access.
- Authenticating remote access. The main way to prevent hacking of the business network is to put in place a system to identify teleworkers when they log in (ID, password, single-use code, etc.).
- Dissociating and protecting computer systems. Looking beyond basic anti-virus software, the easiest way to prevent cross contamination between the employee's computer and the business network is to minimise administration rights. This means providing teleworkers with a PC that is strictly for professional use and updated regularly – from a security standpoint – by the IT department.
- Ensuring secure data access. To secure the data flow between the employee's workstation and the business network, you can also use a VPN (Virtual Private Network), even if "this model is becoming less relevant with the development of cloud technology", notes Jocelyn Krystlik. With a virtual office platform, you can access sensitive business data anytime, anywhere, without a direct physical connection. "Cloud technology lets you decorrelate authentication for using the computer, which is always difficult to protect, from authentication for accessing sensitive information. Ultimately, what counts is the security of the stored data scheduled for transfer", concludes Jocelyn Krystlik.