Chris Hembrow, Managing Cybersecurity Consultant at SureCloud
The unseen threats risking your cybersecurity score rating
During the COVID-19 lockdown, more people than ever before started working from home, including people who may never have done so before. This led to a range of new IT risk management challenges that need to be tackled head-on. Following on from my colleague’s blog on controls businesses should consider for remote working, I will now tackle some unseen threats working from home could bring to your cybersecurity score rating.
What are IT teams facing as we start working from home more?
IT departments will have to issue laptops to staff, configure VPNs and other remote access solutions, and perform capacity planning for increased utilisation of resources. They may even allow staff to connect to the corporate VPN from personal, uncontrolled devices. All of this increases the risks of exposure or compromise.
The well-known risks of employees working from home
Some more obvious risks in allowing more staff to connect remotely are the possible loss of corporate information and the increased chance of malware infection. If staff are accessing information from laptops and are not used to working in this way, they may be storing information locally, where it will probably be uncontrolled. Loss or theft of these devices would compromise the information stored on them. While organisations are increasingly using full-disk encryption on their laptops, this is unlikely to be the case for personal devices. If staff access corporate resources from their own personal devices and store copies locally, that critical information would be accessible to any family members or friends who share the computer, as well as to a thief if the device is stolen.
Corporate devices are also typically kept up to date and should run anti-malware software. But again, this cannot be guaranteed for personal devices. These may never have been updated and could be infected with botnet software or other malware. Allowing these to connect to the corporate network could allow any infection to spread from these personal devices onto corporate resources or allow an attacker with remote access to the device to access the corporate resources through it.
Risks you may have missed
What other possible exposures occur from allowing staff to work remotely?
As staff work outside their typical office environments, the temptation to ignore corporate policies will intensify. Away from the tight controls that may be in place when not working remotely (such as web filtering proxies), users might be tempted to browse unauthorised websites, install unauthorised (and possibly illegal) software, or maybe download pirated films or music. But aside from the possibility of introducing malware, what are the risks of this?
Compromised cybersecurity score rating
More and more, large organisations such as banks and insurance companies are turning to services which track a company’s “cybersecurity rating” in a similar manner to an individual’s credit score, using providers such as BitSight. They use this information to judge the trustworthiness and security of the companies they are dealing with. Poor scores could cause a company to lose out when bidding for work or be declined access to services.
The companies that provide these ratings use a variety of sources for their scoring, such as directly checking for vulnerable or out-of-date services hosted by a company. They also use indirect measures, such as tracking the IP addresses which download illegal content or visit untrustworthy websites. Much of this information comes from services that perform real-time tracking and correlation of online threats.
Infiltration of unknown botnets
As more users work remotely, tripping one of the flags these organisations monitor becomes more likely. Users might not even be doing anything deliberate or malicious. If a user connects their own computer to the corporate VPN while infected by a botnet, the traffic from that botnet will now appear to come from a corporate IP address; this would suggest that the company is infected when, in actuality, the issue is with a non-corporate resource.
Personal device users must disconnect the VPN when clocking off
If a user forgets to disconnect from the VPN at the end of the workday before doing their private browsing, they might visit a website that is relatively innocuous for personal use but would be considered inappropriate for business use. That traffic will appear to originate from a corporate IP address. If a user decides to download illegal content to watch a film or television series in the evening, this will likely also be detected. Given that many of these staff members won’t be used to operating this way, the likelihood of such transgressions, whether deliberate or accidental, is increased.
Technical actions to take
Knowing the risks, what steps can organisations take to try and prevent or at least minimise the impact?
The controls are a mixture of technical and administrative.
- From a technical perspective, we recommend that all staff’s internet access, even when remote, is monitored and restricted to prevent access to unauthorised or unapproved websites; this is especially important when connected to the VPN. A corporate web proxy should monitor and control all outbound internet access from the VPN.
- Additionally, all systems should have anti-virus software updated from a central server, even remotely. While it’s impossible to control internet access from staff personal devices when not connected to a VPN, a corporate licence for anti-virus software could be temporarily extended to allow installation on these devices. Some VPN software also validates that systems meet certain requirements, such as checking for up-to-date anti-virus, before allowing connections.
Another option that probably offers the most control is to use a remote desktop solution such as RDS or Citrix. With these, users connect to a server and are presented with a full Windows desktop environment. The environment they are connected to is managed by the organisation and runs entirely under the organisation’s control. All internet access and software could be governed by the same controls as though the user were on site. These solutions can offer some additional benefits; for example, a user can disconnect at some point and then reconnect back into the same session to continue working uninterrupted.
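As an added illustration (not code from this post or from SureCloud) of the proxy monitoring recommended above, applied to the out-of-hours browsing and infected-personal-device scenarios described earlier: a Python script that scans constructed proxy log lines and reports VPN-egress traffic that could trip a rating provider’s flags. The log format, the VPN client pool, the category names and the working hours are all assumptions.

```python
"""Added example (not from the SureCloud post): scan constructed web-proxy log
lines for VPN-egress traffic that could trip a cybersecurity-rating flag.
Assumptions: a proxy log of 'ts user src_ip category url action' fields,
a VPN client pool of 10.99.0.0/16, and working hours 08:00-18:00 local."""
from datetime import datetime
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.99.0.0/16")            # assumed VPN client address pool
RISKY_CATEGORIES = {"p2p", "torrent", "malware", "botnet-c2", "piracy"}
WORK_START, WORK_END = 8, 18                     # assumed working hours (24h clock)

# Constructed sample log lines: timestamp, user, client IP, category, URL, action.
SAMPLE_LOG = """\
2020-04-20T10:15:02 alice 10.99.4.12 business https://intranet.example/home ALLOW
2020-04-20T21:40:11 alice 10.99.4.12 streaming https://films.example/ep1 ALLOW
2020-04-20T21:42:30 alice 10.99.4.12 torrent http://tracker.example/announce ALLOW
2020-04-20T11:05:44 bob 10.99.7.3 botnet-c2 http://198.51.100.7/gate.php BLOCK
2020-04-20T12:00:00 carol 192.168.1.20 p2p http://peer.example/ ALLOW
"""

def parse_line(line):
    ts, user, src, category, url, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ip_address(src), "category": category,
            "url": url, "action": action}

def rating_risk_findings(log_text):
    """Return (user, timestamp, category, reasons) for traffic that leaves via
    the corporate VPN and is in a risky category or occurs out of hours.
    A BLOCKed botnet-c2 hit still counts: it shows an infected device on the VPN."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["src"] not in VPN_POOL:
            continue                              # not via corporate egress; ignore
        reasons = []
        if ev["category"] in RISKY_CATEGORIES:
            reasons.append("risky-category")
        if not WORK_START <= ev["ts"].hour < WORK_END:
            reasons.append("out-of-hours")
        if reasons:
            findings.append((ev["user"], ev["ts"].isoformat(), ev["category"], reasons))
    return findings

if __name__ == "__main__":
    for finding in rating_risk_findings(SAMPLE_LOG):
        print(finding)
```

Each finding names the user, so the output feeds the administrative follow-up (policy reminders, or extending anti-virus cover to the device) rather than a blanket block.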
Administrative controls to implement
Lastly, it is vital to ensure that all administrative controls, such as Acceptable Use and Information Security policies, cover remote working and that all staff are fully aware of these and the implications of failing to follow their obligations. If policies do not cover remote working, now is the time to add it.
My colleague Matt Watson covers this topic in more detail in his blog ‘Migrating to Home Working with Controls to Put in Place’.
If you have questions or concerns, please email email@example.com and we will be happy to assist you.
Webinar with CREST President to discuss the New Normal and Beyond…
Check out our fireside virtual conversation on how to ‘Secure Your Cyber Baseline For The New Normal’ with Ian Glover (CREST) and our Risk Advisory Practice Director.
- ‘Top ten’ return to work tips, including establishing new ways of working
- Advice on how to secure a new cyber baseline following a crisis
- Guidance for defining a resilient cyber strategy
SureCloud is a provider of Gartner recognised GRC software and CREST accredited Cyber Security & Risk Advisory services. Whether buying products or services, your organisation would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling seamless integration of information, taking your risk programmes to the next level.
We can help you develop a security posture that is resilient against existing and new forms of cyber attacks and protects your cybersecurity score – so you can feel confident in your systems and well-equipped to deal with incidents and vulnerabilities if and when they arise. Our IT risk management experts are always on-hand to provide services and products to suit your particular business needs.