How to organize safe and effective remote work. Real company experience
News | 24.03.2020
Author: Paul Zhdanovich, Managing director at Softprom
In our company, many have been working from home offices for 7 years. I know from my own experience that remote work is very disciplining. If it is properly organized, it is more intense and productive than office work.
Remote employees, as a rule, reply to e-mails faster, schedule conference calls for tomorrow rather than next week, and prepare document edits more quickly. It seems to me that this is because such employees do their best to prove to others that they are not messing around.
The couple of hours an employee does not spend commuting and on other logistics, plus the opportunity to work before others have started or after they have finished their working day, is a serious competitive advantage.
However, for all its obvious advantages, remote work increases IT security risks and makes it harder to control employees' work. Below, we focus not on how to organize remote work itself, but on useful programs that solve those two problems. We do not claim that the selection presented here is perfect, but we have accumulated some experience (and experience is usually a set of mistakes) and are happy to share it in this difficult time.
For those who do not like long reads, here is a link to a table with the programs.
Clouds are our everything
We switched to cloud-based mail, ERP, CRM, telephony and video conferencing immediately after the crisis of 2008, because of our distributed business structure and the high cost of server support and administration in different countries.
At that time, the choice of cloud sales automation was limited to NetSuite and Salesforce. Now the number of cloud CRM and ERP systems is measured in hundreds. Back then we even partially localized Salesforce for ourselves, but in the end the choice fell on NetSuite, simply because it had ERP, CRM and a partner portal in one system. A couple of years ago Oracle bought NetSuite, and although the system is not cheap and its support and implementation are not easy, everyone is already accustomed to looking at it not as a program (which will always be inconvenient to someone) but as a technology.
We had no doubts about mail: corporate Gmail partly solved the problems of document storage and basic security, such as two-factor authentication, anti-spam and archiving.
By that time we had used MS Exchange for 10 years, and to my surprise even the most ardent fans of Outlook and Exchange switched to the Gmail web interface. I think the speed of search and the convenience of labels helped a lot.
Now it is smart to use Swiss ProtonMail for privacy. But it is an acquired taste, as the saying goes.
Colleagues immediately appreciated the capabilities of GoogleDrive for document storage and file sharing, plus Hangouts for communications.
Another important point related to Google services: we created a wiki on Google Sites for staff announcements and internal documents. As for document workflow and archiving, there are now many different options, but ours is very simple: since we already had GoogleDrive, we decided to use it for docflow as well and took the AODocs plugin.
DocuSign was purchased for digital signing of documents, but for now everyone uses the free signature feature in Adobe Acrobat for internal approvals. According to various reports, China has apparently almost restored the supply of hardware, but I think that AWS, GCP and Azure will now be the real bestsellers, since no one will want to let people into server rooms in the near future.
We chose AWS as the main standard and moved all our servers there, including the then-legacy 1C Accounting and Asterisk telephony, but left some things on Azure. AWS is an expensive choice, but it is worth the money: we have no headaches about load balancing, timely allocation of resources on demand, DDoS and more. To optimize cloud costs we use standard AWS tools, but if you have many cloud providers, we recommend CloudHealth from VMware. We set it up ourselves "for growth".
For the remote employee: remote access
We actively apply a BYOD policy: staff use their own PCs and smartphones for work. For delivering desktops and applications to employees' end devices, including mobile ones (that is, VDI technology), we bet on Citrix and AWS Desktop as a Service. In addition, we are testing IGEL thin clients and VDI from VMware. TeamViewer is used to solve users' problems remotely.
Now almost all communication takes place by e-mail, but there is an understanding that e-mail is primarily a means of communicating with external counterparties and recording agreements, since correspondence is valid in court. We are persistently moving internal discussion from mail to Slack, and all standard documents, workflow and business processes to the ERP.
Although NetSuite has project management modules, the presale and services department uses Trello for project management. Before that, in another project, we chose between Asana, Wrike, Basecamp and, of course, Jira, but for some reason the choice fell on the current option. Our company still does not use an HRM system (we believe that LinkedIn is enough), although NetSuite has such a module.
We use the basic version of the customer portal in Oracle NetSuite; they say the advanced module is used even by global software vendors for selling electronic licenses.
In the absence of face-to-face meetings and business trips, video conferencing is the main tool for working with partners.
For a long time our company relied on Adobe Connect and GoToMeeting, but 2 years ago we ordered an independent comparison of video conferencing applications. Having studied the results, and being a partner of all the manufacturers, including the most popular at that time, Cisco/Webex, we came to the conclusion that Zoom was the optimal choice in our case and made it the corporate standard. Since then I have never regretted it, except that one has to monitor carefully that the video calls of different employees do not overlap. This, by the way, is another confirmation that remote work brings great discipline. What is more, we often record videos and upload them to YouTube.
Employees also use Google Hangouts, Amazon Chime and Skype when necessary for communication with customers and partners.
Today it is no longer possible to hold negotiations in a meeting room, and the business does not trust confidential talks to mobile communications. I do not presume to judge which messengers are "listened to" and which are not, but for some reason Swiss products like Threema and Wire are the most trusted in the business environment. However, this does not solve the problem of communicating with all countries. In some places, for example, Skype, WhatsApp, Viber and Telegram do not work, but IMO or WeChat does. Now we have high hopes for the Swiss manufacturer Adeya, which offers military-grade cryptography (or you can plug in your own cryptographic library) and allows you to deploy the system on your own premises or in their cloud, which is hosted in Switzerland and protected by Swiss privacy laws.
Control of employees' work
Despite employees' conscientiousness, sometimes you have to figure out what an employee was doing at a given time. If someone needs to track employees' hourly work, not for surveillance but, for example, for billing customers, there are tons of products like Time Doctor, Hubstaff, Harvest, Toggl, TSheets, etc.
Monitoring your employees is forbidden under the laws of several countries, but investigating security incidents is both possible and necessary. Session recording products are offered by CyberArk, ObserveIT, Ekran System, Netwrix, Balabit (One Identity), etc. We use CyberArk because their system also solves a number of other IT security problems.
VPN and two-factor authentication are the basis of digital hygiene
When users are outside the secure perimeter and usually connect via home WiFi, minimum security requirements must be followed. In addition to regularly changing complex passwords, everyone must use a VPN. We use solutions from Barracuda Networks and Forcepoint/Stonesoft, as well as the free OpenVPN and ProtonVPN.
For smartphones we also use these solutions, and we require our employees to turn off automatic connection to known WiFi networks in order to protect against wardriving. We switched all cloud services to two-factor authentication, since someone periodically tried to break into our mail.
I will not remind you about antivirus on every PC and an installed firewall; these are mandatory for a remote employee, and listing them would take paragraphs.
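The auto-connect requirement above is easy to state and hard to verify across a BYOD fleet. As an added example (not Softprom's own tooling), the script below audits saved NetworkManager Wi-Fi profiles on a Linux laptop for auto-connect and emits the `nmcli` commands that disable it; the sample profile list is constructed, and the field layout assumes the terse output of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`.

```python
"""Audit saved NetworkManager Wi-Fi profiles that auto-join known SSIDs."""
import shlex
import subprocess

# Constructed sample of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show`
# (terse mode: one profile per line, fields separated by ':').
SAMPLE_NMCLI = """\
Home-5G:802-11-wireless:yes
Cafe Free WiFi:802-11-wireless:yes
Office-VPN:vpn:no
Wired connection 1:802-3-ethernet:yes
HotelGuest:802-11-wireless:no
"""

WIFI_TYPE = "802-11-wireless"  # NetworkManager's connection type for Wi-Fi


def parse_profiles(terse_output: str):
    """Return (name, type, autoconnect) tuples from nmcli terse output."""
    profiles = []
    for line in terse_output.splitlines():
        if not line.strip():
            continue
        # Terse mode escapes a literal ':' inside a name as '\:'; protect it
        # with a placeholder before splitting, then restore it.
        parts = line.replace("\\:", "\x00").split(":")
        name, ctype, auto = (p.replace("\x00", ":") for p in parts[:3])
        profiles.append((name, ctype, auto == "yes"))
    return profiles


def autoconnect_wifi(profiles):
    """Names of Wi-Fi profiles that join automatically whenever the SSID is seen."""
    return [name for name, ctype, auto in profiles if ctype == WIFI_TYPE and auto]


def remediation_commands(names):
    """nmcli commands that turn auto-connect off for the flagged profiles."""
    return [f"nmcli connection modify {shlex.quote(n)} connection.autoconnect no"
            for n in names]


def live_nmcli_output() -> str:
    """Read the real profile list from the local NetworkManager (Linux only)."""
    return subprocess.run(
        ["nmcli", "-t", "-f", "NAME,TYPE,AUTOCONNECT", "connection", "show"],
        capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    flagged = autoconnect_wifi(parse_profiles(SAMPLE_NMCLI))
    print("\n".join(remediation_commands(flagged)))
```

Swap `SAMPLE_NMCLI` for `live_nmcli_output()` to audit a real machine; a saved SSID that auto-joins is exactly what a rogue access point with the same name exploits.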
Home workers are more vulnerable to scammers
In 2018, the cybersecurity market was estimated at $248 billion, and it will grow by 10-13% annually over the next 3 years. The anti-fraud part of this market, although only at the level of $20 billion, is growing at 25-30% per year. And one part of the market, Security Awareness and Training, is growing at 40-50% per year. This is because the human is the weakest link in security. Employees need constant training, and it is best if they learn from their own mistakes. We use CybeReady to teach colleagues how to avoid phishing. Such solutions are also offered by Cofense (PhishMe), Dcoya, Barracuda Networks and others.
There is no such thing as too much security
We have a diverse fleet of computers and operating systems, and we must ensure that everyone updates their browsers and OS and installs patches. Ivanti is used as the patch management platform. Rapid7 products are used for vulnerability management; there are also worthy solutions from Tenable and Qualys. We use CyberArk to manage privileged user access.
In some countries, websites are blocked by the government. There is an elegant solution that does not involve Tor Browser and the like: an isolated remote browser. It relieves the headache of web security and also solves the censorship problem. Such solutions are offered by Ericom, Symantec, McAfee and Menlo.
If your company is small, you probably will not need a SIEM. Depending on the specifics of your business, you may need DLP, SWG, encryption, OTP, etc. Migrating seriously to the cloud will require a CASB. If you have your own SOC or outsource Security as a Service, then our advice is most likely superfluous for you.
And what if we have production and controllers, but not an office and computers?
Our company in the EU countries is more focused on the security of industrial networks and critical infrastructure. One of the must-have options for SCADA security is a data diode: a device that physically does not allow signals to be transmitted into the industrial network, but only makes it possible to read from it, "so that they cannot blow anything up". We do not have production in our company, but Waterfall, the leader in this market, is offering a "free" option during the crisis for remote production management, when people are not allowed on site, using Remote Screen View.
Plans in a crisis
This week's immediate plans include asking all vendors for temporary free or discounted access and promotions to support our customers. Everyone is understanding.
As for our long-term plans, we have long wanted to introduce Coursera training for remote users, and the introduction of quarantines will only speed this up. Of course, DocuSign needs to be rolled out for external contractors, as we will not see them in person for a long time.
We see how often employees handle confidential information on smartphones, and there is a clear need to deploy an MDM/EMM solution, most likely from MobileIron, which specializes in this (alternatives: VMware Workspace ONE, Citrix MDM). If the last crisis sent us to the cloud, then this time the situation will probably force us to use smart AI. We are thinking about sales assistants and omnichannel, but so far it looks a bit futuristic.