How to Set Up Your IT Team to Enable Remote Work
In the wake of remote work becoming the new normal, businesses today have newfound gratitude for their IT teams. IT admins have been working tirelessly to make sure you have a seamless work-from-home experience by giving you the best technology, warding off bad actors from getting their hands on your company’s data, and onboarding or offboarding employees.
In this interview, Prasad, the Chief Information Officer at Freshworks, shares what goes on behind the scenes of our IT team.
Hi Prasad, how are you doing? How is the situation in California?
I’m doing pretty good. The situation is different between various countries. Here, some of the shipping facilities and grocery outlets are still available. So, we do have the ability to move around and get what we need.
How hectic has it been for your team since we started operating remotely?
The responsibility of the IT team to keep the business running in such a situation is extremely high. Part of the reason is that IT provides the technical, physical, and computing infrastructure that is being used by all the employees. So, we need to ensure that employees have what they need to run their day-to-day operations, irrespective of whether they are working from home or working from the office.
There are a few challenges that you might face when you are working from home, which normally would not be there when you’re working from the office. For instance, when you are working in the office, you take the network for granted. But, at home, the network may not be reliable in certain parts of the world. Or let’s say you spilled coffee on your laptop, in the office you can actually bring it to an IT admin and we can give you a spare laptop while we repair yours. But you cannot do that remotely.
So, we have come up with creative ways by which we can still continue to support our employee base. But, it’s not been easy. Hats off to all our employees for being patient through the process and understanding that it’s a new normal, and hats off to the IT team for stepping up.
I know that virtual onboarding is new for several organizations, including Freshworks. How hectic has it been for your team from that side of things?
Most companies today are taking a step back and assessing how many people they really need to hire. The reality is, you still have people joining. In the last four weeks at Freshworks, we’ve been in a work from home mode and still onboarded a hundred plus employees in different parts of the world.
In a normal onboarding scenario, we try to onboard new employees on the same day every week. So, Monday is our onboarding day, and we name the batch based on the day they join us, for instance – the batch of 23rd March, the batch of 30th March, and so on. Usually there are around 30-40 people that we onboard at a time. In the last month, we have onboarded around 20-25 employees on a weekly basis. Usually, we bring everybody into a conference room, take care of their official paperwork in terms of their employment contract and verification of their eligibility for employment. And then we hand them a laptop and then provision them access to the business applications and the IT services that they need. After which it goes off to the individual manager to take care of the further onboarding into the team and so on.
So with pretty much the whole world being in a work from home mode, we have been able to still continue to do this and the way we have gone about doing it is more region based. In countries where the shipping facilities are still open, for example in the US, Europe, Australia, we have laptops prestaged by the IT staff according to the role of the new joinee.
So if you were joining the team, we would create an image of whatever machine is needed by you, and then create your profile on that machine with all the required security tools that need to be installed. Because at the end of the day, employee security, IP security, and our customer data security are extremely critical to us. So, we don’t do anything that will compromise that. We then ship the laptop over to that person’s residence.
On the other hand, India is a country where we have a large operation, and the shipping facilities have been stopped. The government of India has permitted only essential services to be shipped. Laptops are not considered essential services, since you cannot eat them. So that has made life a little bit more interesting.
We have enabled employees to come on board by asking them to use their personal laptop. So pretty much everybody that’s joining us has either a desktop or a laptop at home, given that we are a technology company. We created what is called a virtual desktop environment within our server farm. Again, completely on the cloud, by leveraging either Microsoft or Azure, or Amazon.
So when an employee logs in, there is almost a virtual session that is created. This virtual desktop will make it seem like you’re using one of our computers. HR and legal teams came up with their own BCP plan in which they said, instead of onboarding employees and taking care of their paperwork physically with all of us being in a conference room together, let us have Zoom sessions where we can onboard employees, walk them through the paperwork, answer any questions they might have regarding health insurance or retirement savings. So that’s how we enable virtual onboarding.
On the flip side, could you give us a little more insight on the IT side of things when it comes to offboarding? Is it somehow a little bit more complicated than onboarding especially when you’re talking about situations like in India where the government has stopped shipping things altogether?
You’ve hit upon an extremely critical point. While onboarding is an extremely important aspect of the IT team’s role in a remote workforce, offboarding is equally important, if not more. Because this is where we have an employee who has access to company IP, customer data, and company assets, all of which needs to be secured and taken possession of by the company.
So what we did is kind of similar to what we did for onboarding. For starters, we have a standard operating procedure for offboarding – when a person leaves the business, on the last day of their employment, we do turn off access to all company related assets. We basically lock everything down.
Since we are a SaaS-first company or cloud-first company, there are no applications that are running on the person’s laptop. This gives us the ability to turn on and turn off the switch remotely. So that’s done as step number one irrespective of whichever country you are in.
In countries where shipping is available, we give the employee a FedEx label or a UPS label and tell them to use the label, go to the nearest UPS Store or the FedEx store, and ship it back to our facilities (either to our office if our office is open or to the home of the IT engineer who takes possession of that laptop).
In countries where shipping is not available like India, we handle offboarding using advanced legal paperwork. One is securing the laptop and making sure that once the employee has departed, he or she doesn’t have access to company assets and confidential information. We have the ability to remotely do that. We use a combination of technologies from Microsoft and Jamf to do a remote wipe of the person’s laptop. We then ask the person to hold on to their laptop, we tell them to acknowledge that they are holding on to our company’s assets and our company laptop and that they do not use it for any more company related activities or for any personal activities. And then when the shipping becomes available, they can either drop it off to the shipping company or come to our office and drop it off.
Out of curiosity, roughly how many people do you think we have offboarded in this time?
I would say less than 10, and this is people who had already turned in their resignation and had their last date at the end of March or at the beginning of April.
What do you think are the advantages of being a cloud-first company when it comes to security? Especially since everyone is working from home and they might be accessing networks that are not secure. How are we dealing with that?
So I think there are different advantages that come from being a cloud-first organization. What enabled Freshworks to rapidly move from a business-as-usual model where people are coming into the office, to what we call an ‘optional work from home’ where you can choose to work from home if you don’t feel comfortable coming to the office.
We then went to mandatory work from home. So what really enabled us to deploy a full BCP plan here was the fact that we are a cloud-first company. There was nothing running within our data centers – if you actually come into a data center in our offices, what you will see is a set of switches which enables you to connect to the internet. That’s all we have in our data center and this means if a person has a network connection from wherever they are working, they can continue to work.
Now, having said this, there are certain functions which have access to customer or sensitive data or the production environment. Everything that these functions have access to has been secured a bit more to make sure that there is no snooping of traffic happening from bad actors and that none of the customer or employee information gets compromised.
So we have implemented VPN servers, which are virtual private network servers. From a capacity planning perspective, since 100% of our employees are working from home, we needed to make sure that we enhance the capacity of our VPN servers. Given that we need a failover for cases where the VPN is maxed out, we also enabled a few VDI servers. This allows the employee to log in to a virtual desktop interface from home through a secured connection, from which there is a connection to our production assets.
Now, given that we were born in the cloud, we already have multiple levels of security to secure access to the production environment. Even if you are accessing it from the office, you have to go through multiple servers, before you actually access our production server. That’s part of our cloud security model. So in this case, we made it a bit more intense where the connection from the person’s home to the VDI and from the VDI to production environment is all with an extra level of security. So this way, we enabled an environment where people could continue to do their job, especially people working in our cloud infrastructure team, or our security operations team.
To wrap up, do you have any tips for organizations that are trying to keep their data secure and protect their customers’ data, especially when they’re trying to also implement a remote workforce?
Build security controls that are independent of the mode of working
I think it all comes back to common sense security controls. Irrespective of whether you’re working in a normal business as usual mode or a disaster mode, like the way we are in right now where a portion of your employees are accessing company assets and company data from a remote location. I would say there is no real difference between the two models.
If somebody is accessing sensitive information from outside the office, you already need to have all of the checks and balances to make sure that you are securing your employee data, your confidential data, your PII data, and your customer data. So, it is important to come up with a set of controls which are not specific only to a BCP model. Because security involves keeping away bad actors who try a 1000 times and need only one chance to be able to gain access to your environment. So you need to have security controls, which are independent of this current situation.
Add an extra layer of checks and balances on your crown jewels
Make sure that you identify and fortify the crown jewels that you want to protect. For example, if you are a product company, you want to protect the integrity of your customer data, your employee data, you want to protect the IP, and engineering assets that you’ve developed. So, fortify the access to that by putting the extra levels of checks and balances. Here is where implementing Single Sign On and SAML mechanisms can help you maintain a single point of entry for the employee. Even when I’m offboarding an employee, I don’t have to go to 45 different applications and offboard the employee. I go to one pane of glass and say this person is not an active employee anymore, and that decommissions access from all of the applications. Centralize the access mechanism to make sure you reduce multiple points of failure and have control at one particular point.
Be proactive when it comes to monitoring security
Implement tools using which you can monitor your security controls in case an incident occurs. Sometimes, you might not even know that you have been breached. If you read the industry statistics, it takes almost seven to eight months before companies realize they had been breached. For instance, when Target was breached, the bad actors had access to all the sensitive data for eight months. So having ways by which you can monitor and alert your security and your infrastructure teams to put some checks and balances to make sure that you’re stopping the bleeding and then adding an additional response.
So take a proactive approach to security because if people are trying to now put a bunch of tools, it is only free money that you’re giving away to the tool vendors, there needs to be security by design. If a tool that you’re evaluating does not have an HTTPS protocol with the digital certificate, don’t buy the tool. Why do you want to expose yourself to that? Evaluate the SOC 2 reports coming from them to make sure that they meet the security requirements of your organization. The wealth of information you get from a company’s SOC 2 report gives you a picture of how a company is controlling access, handling employees leaving and joining the business, and ensuring that the integrity of your data is being maintained. Ensure that the data is encrypted at rest. By that I mean even if a bad actor tries to gain access, if the data is encrypted, all you’re going to see is a bunch of gobbledygook – you will not see the real data and you cannot decipher it. So it is about putting these common sense controls, independent of the disaster, is basically what I’m saying.
#1 Make sure you provide your employees all the right tools they need to carry out their day-to-day without any hassles. Centralize the access mechanism to these tools in order to reduce multiple points of failure and have control at one particular point.
#2 Adding an additional layer of security can prevent bad actors from accessing your sensitive or critical information. To this end, you can use VPN servers to provide a secure connection to important applications.
#3 Carrying out onboarding sessions on Zoom is a great way to help new joinees with their paperwork or answer any questions they may have. On the other hand, getting into a legal agreement with an employee that needs to be offboarded is a safe way to ensure that they do not misuse company assets.