The general response to the Covid-19 (Coronavirus) pandemic is social distancing, which, taken to the extreme for businesses and non-profits, means employees will work from home. We are likely facing a credit and business development crunch. The Information Technology support function has to maintain the operational capability for critical business processes to work when people are disconnected from each other, but not disconnected from the systems and data necessary to sustain the organization.
Here is a helpful guideline for this, considering security, changes for users and managers, and system changes.
Security Remains #1
Security is always important, but when there are many changes and anxiety, IT and business personnel may make quick decisions that create new security holes. Many of the changes are very small by themselves but have a significant impact on the technology environment. For example, the simple request to “add a user to a group that can log in remotely” may have various ramifications, including that the group also has access to financials, or the user may now connect from insecure devices, or the wrong accounts are added.
Because of this, three things must be done, and another is suggested.
- Review security settings – have your IT team review active accounts, security groups, VPN settings, and other systems that will be accessed for the latest patches and best practices.
- Review the IT Disaster Recovery Plan (IT-DRP). This is especially true if you make significant changes like adding a Remote Desktop server capability. Additionally, review it for the recoverability from virus-based events.
- Educate Users – There are two things to be mindful of:
  - Social engineering hacks – with new access comes new vulnerabilities. A user suddenly gets a call “from the IT department”, which “needs your account and password to further configure your access”. And the user, who is understandably confused and just needs to get to work, gives it over.
  - Phishing attempts and malware – particularly those offering new information on Covid-19. See these articles from Vox and Wired.
- Suggested: Test security by doing a penetration and vulnerability test, which will look for openings into the environment from outside and inside.
How Information Technology Can Respond Well to Covid-19
The items above are a minimum, but to respond well, these should also be in your playbook. Some are expansions of, and “how-tos” for, the things above; others are additional vital practices.
Plan for secure access and emphasize this with IT personnel. In other words, set the priority for IT and give them a clear direction that you must have security over speed, but need both. Some key points to include:
- Have a process, like how you may add a new employee, in which management signs off on access rights provided. This may be a simple form or a spreadsheet of employees with columns for changes to be made.
- Only allow authorized devices protected by corporate security tools to access the network. Require computers joined to the corporate Domain, not home PCs. Home PCs are a significant problem for security, performance, and IT support. Only company assets, properly configured, should be used. Some companies are leasing laptops on short-term agreements of six months.
- Review technology policies and any documents employees must sign for IT access and use.
- Review and, as needed, expand the use of virus blocking and email protection tools. Because no single tool can adequately block all threats, Keystone uses a layered approach to increase protection. Also, check your logging internally and on email systems like Office 365 to collect data in case you have a security incident.
- Implement Multi-Factor Authentication (MFA) – especially on email, cloud systems, and critical internal applications. If some users have it, review and expand it through the organization.
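One way to run the sign-off check from the list above and catch the group side effects described under “Security Remains #1”, as an added example that is not part of the original article: it reconciles a manager-approved access sheet against an exported list of group memberships. The CSV layouts, group names, and accounts are assumptions constructed for illustration.

```python
import csv, io

# Constructed sample data. Group and account names are hypothetical.
APPROVED_CSV = """employee,approved_by
alice,cfo
bob,ops_manager
erin,ops_manager
"""
# Directory export: one row per membership; a member may itself be a group.
MEMBERSHIP_CSV = """member,group,enabled
alice,Remote-Access,true
alice,Finance-Share,true
bob,Remote-Access,true
carol,Remote-Access,true
dave,Remote-Access,false
"""

def norm(s):
    return s.strip().lower()

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def effective(member, direct, seen=None):
    """All groups a member reaches, following nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    for g in direct.get(member, ()):
        if g not in seen:
            seen.add(g)
            effective(g, direct, seen)
    return seen

def audit(approved_csv, membership_csv, remote_group="Remote-Access",
          sensitive=("Finance-Share",)):
    approved = {norm(r["employee"]) for r in rows(approved_csv)}
    direct, disabled = {}, set()
    for r in rows(membership_csv):
        direct.setdefault(norm(r["member"]), set()).add(norm(r["group"]))
        if norm(r["enabled"]) != "true":
            disabled.add(norm(r["member"]))
    remote = {m for m in direct if norm(remote_group) in direct[m]}
    flagged = {norm(g) for g in sensitive}
    return {
        "unapproved": sorted(remote - approved),
        "not_yet_granted": sorted(approved - remote),
        "sensitive_reach": sorted(m for m in remote if effective(m, direct) & flagged),
        "disabled_with_access": sorted(remote & disabled),
    }

if __name__ == "__main__":
    for finding, accounts in audit(APPROVED_CSV, MEMBERSHIP_CSV).items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

Anything listed under `unapproved` or `disabled_with_access` should be removed or sent back for sign-off, and `sensitive_reach` shows management what each approval actually makes reachable from outside the office.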
Educate Users and Managers
Since the most significant change will be at the user level, you should consider how you can prepare and support them. It may be helpful to create a “Remote Work Survival Guide” or FAQ that employees can refer to. This should include:
- Good security practices:
  - Current prevalent threats (social engineering and phishing). Consider online, automated training to educate users, like KnowBe4.
  - What devices are allowed and why – so they understand what they can and cannot do
- What the experience may be like, and what performance issues they may encounter. Set the expectation that the home internet experience may be slower than when they are in the office.
- Printing – this is one of the biggest issues, especially for smaller businesses that do not have expensive software to make it easier. Consider using less paper, and focus on electronic sharing, or systems like SharePoint and DocuSign for online document sharing and signing.
- Train users in the broader aspect of working remotely and how to do it well. Review the article on Keystone’s website: “10 Tips to Work Remotely”. They need to prepare to be productive and stay connected with people.
Managers should also be trained in different techniques and tools to stay connected and manage the process and employees remotely.
- Use tools to stay in touch:
  - Reach out via calls to employees and clients – ask them how they and their family are doing, how the remote tools and work are for them, and if they have any concerns about teammates or key clients. The information and connectedness will be very beneficial.
  - Daily or semiweekly huddle calls for teams – Schedule regular, short, stand-up type calls with your team using tools like Microsoft Teams. Everybody can connect and view a user’s desktop or whiteboard setup and connect visually using webcams.
- Managing the process – what are the capabilities of systems to report or show via dashboard the efficiency and flow of the process? Are orders getting stuck? Are internal sales responding? Review reports and consider new ones that can easily be created to support management.
- Review the means to measure employee performance – Managers will have to focus on measurement by results instead of by walking around. How can they review the actual work level and product of their team?
- Lastly, LinkedIn has two videos on remotely managing a staff that may be helpful:
Build the Environment
These are the changes to, or expansions of, the existing technology that makes up your IT platform.
- Get the devices needed
  - Get laptops – these may be leased if needed for a short time.
  - Get webcams if needed – while most laptops have webcams, they may not be as effective for placement or quality as an external camera.
  - Get cell phones if needed – some employees may now need these.
- Review and Establish Policies and Update Tools
  - IT Departments use something called “Group Policies” to provide capabilities or limitations. A common group policy is “do not allow unencrypted USB drives to attach to this PC”. With new requirements to work remotely, the group policies should be reviewed for security and capability implications.
  - Update tools are in place in most corporate IT workflows; these ensure that systems are patched, anti-virus is kept up to date, etc. With systems going remote, will these tools still work to keep them safe wherever they are located or however they are connecting?
- Set up good remote access and team communication tools
  - Microsoft Teams, with video capabilities – This is part of the Office 365 subscriptions that many organizations already have. It provides text chat, voice and video calls, screen sharing and whiteboarding, and more. It is a great way to stay connected with internal and external people. Microsoft offers a free version which is quite capable (https://support.office.com/en-us/article/Differences-between-Microsoft-Teams-and-Microsoft-Teams-free-0b69cf39-eb52-49af-b255-60d46fdf8a9c). And for the next six months, as a response to Covid-19, Microsoft is expanding the availability for free.
  - Phones – If your phone system supports it, make sure all devices have soft phones (software that connects to the phone system and emulates a desk phone). Alternatively, employees may be able to take their desk phone home and connect it for access. Note that this requires a very reliable home network and internet connection. The use of a soft phone may also require a headset with a good microphone.
  - Virtual Private Network (VPN) – This is the most common secure way to access the organization’s network. It requires some internal system, often the firewall, and a client installed on the device, such as a PC. The user initiates the connection, validates, and can then work just like they are in the office.
  - Direct Access – Microsoft Windows has offered this for a while, but few organizations implement it. It effectively makes a PC appear as if it is directly connected to the corporate network, without first connecting to a VPN. It is an “always-on” technology that connects as soon as the user gets an internet connection. It will not support all access needed but may make it easier for some.
  - SharePoint and/or OneDrive For Business – Another technology that has been around for many years, but some companies are still not using as much as they could. SharePoint is many things, but the most prevalent use is its document libraries, where you store any document (Word, Excel, PDFs, images, etc.) and can access them from anywhere. It has great sharing capabilities (multiple people can edit a document at once), version control, extensive security, and fast search. It should be used by most organizations.
  - Remote Desktop Servers – If you have this, you will appreciate it in the coming weeks. The IT team installs applications and user accounts on this server, and users can connect from just about any device like a PC, Mac, iPad, etc. and work like they were in the environment. If you do not already have it, it will take some time to set up.
  - Remote Access to Desktops – this is less secure, but still an option, to allow users to connect to their in-place desktop PC at the office from a remote device.
Look to the Future
Take advantage of the situation to plan – what long-term changes can be made which will benefit the organization? Some things you may watch for:
- Move files to cloud systems like SharePoint
- Move to a cloud Voice over Internet Protocol (VoIP) phone system.
- Use laptops, not desktops. Even if the employee usually sits at their desk and works, the laptop helps a lot in this situation, as well as for business travel.
- Should some on-premises applications go to cloud versions? Could your ERP system work as well or better from a cloud platform?
- Does employee productivity go up? If so, consider a long-term change of working remotely one day per week.
- What new management practices were uncovered?
- Which employees really excelled, and which did not? Can that be used to revise how people work?
- How can you improve efficiencies? For example, how can you reduce paper?
Summary and Key Takeaways
Set a plan and pace that will keep the organization secure and transition the user and teams to a successful experience. Do not make hasty decisions, but diligently move forward. Keep the focus on security; it is too easy to quickly open a door that should have been locked. Educate the users and managers. And set up the systems and add new capabilities that will enhance the ability of everybody to stay connected in their newly disconnected world.