Is Remote Working Putting Your Organisation’s Cybersecurity Score Rating at Risk?

Written by

Chris Hembrow

Published on

4 Jan 2020

The unseen threats risking your cybersecurity score rating

During the COVID-19 lockdown, more people than ever before started working from home, including people who may never have done so before. This led to a range of new IT risk management challenges that need to be tackled head-on. Following on from my colleague’s blog on controls businesses should consider for remote working, I will now tackle some unseen threats that working from home could bring to your cybersecurity score rating.

What are IT teams facing as we start working from home more?

IT departments will have to issue laptops to staff, configure VPNs and other remote access solutions, and perform capacity planning for increased utilisation of resources. They may even allow staff to connect to the corporate VPN from personal, uncontrolled devices. All of this increases the risks of exposure or compromise.

The well-known risks of employees working from home

Some of the more obvious risks of allowing more staff to connect remotely are the possible loss of corporate information and the increased chance of malware infection. If staff access information from laptops and are not used to working in this way, they may store information locally, where it will probably be uncontrolled. Loss or theft of these devices would compromise the information stored on them. While organisations are increasingly using full-disk encryption on their laptops, this is unlikely to be the case for personal devices. If staff access corporate resources from their own personal devices and store them locally, critical information would be accessible to any family or friends who also use a shared computer, as well as to whoever steals the device.

Corporate devices are also typically kept up to date and should run anti-malware software. But again, this cannot be guaranteed for personal devices. These may never have been updated and could be infected with botnet software or other malware. Allowing these to connect to the corporate network could allow any infection to spread from these personal devices onto corporate resources or allow an attacker with remote access to the device to access the corporate resources through it.

Risks you may have missed

What other possible exposures occur from allowing staff to work remotely?

As staff work outside their typical office environments, the temptation to ignore corporate policies will intensify. Away from the tight controls that may be in place when not working remotely (such as web filtering proxies), users might be tempted to browse unauthorised websites, install unauthorised (and possibly illegal) software, or maybe download pirated films or music. But aside from the possibility of introducing malware, what are the risks of this?

Compromised cybersecurity score rating

More and more, large organisations such as banks and insurance companies are turning to services which track a company’s “cybersecurity rating” in a similar manner to an individual’s credit score, using providers such as BitSight. They use this information to judge the trustworthiness and security of the companies they are dealing with. Poor scores could cause a company to lose out when bidding for work or be declined access to services.

The companies that provide these ratings use a variety of sources for their scoring, such as directly checking for vulnerable or out-of-date services hosted by a company. They also use indirect measures, such as tracking the IP addresses which download illegal content or visit untrustworthy websites. Much of this information comes from services that perform real-time tracking and correlation of online threats.

Infiltration of unknown botnets

As more users work remotely, tripping one of the flags these organisations monitor becomes more likely. Users might not even be doing anything deliberate or malicious. If a user connects their own computer to the corporate VPN while infected by a botnet, the traffic from that botnet will now appear to come from a corporate IP address; this would suggest that the company is infected when, in actuality, the issue is with a non-corporate resource.

Personal device users must disconnect the VPN when clocking off

If a user forgets to disconnect from the VPN at the end of the workday before doing their private browsing, they might visit a website that is relatively innocuous for personal use but could be considered inappropriate for business use, and that traffic will seem to originate from a corporate IP address. If a user decides to download illegal content to watch a film or television series in the evening, this will likely also be detected. Given that many of these staff members won’t be used to operating this way, the likelihood of these transgressions, whether deliberate or accidental, is increased.

Technical actions to take

Knowing the risks, what steps can organisations take to try and prevent or at least minimise the impact?

The controls are a mixture of technical and administrative.

  • From a technical perspective, we recommend that all staff’s internet access, even when remote, is monitored and restricted to prevent access to unauthorised or unapproved websites; this is especially important when connected to the VPN. A corporate web proxy should monitor and control all outbound internet access from the VPN.
  • Additionally, all systems should have anti-virus software updated from a central server, even remotely. While it’s impossible to control internet access from staff personal devices when not connected to a VPN, a corporate licence for anti-virus software could be temporarily extended to allow installation on these devices. Some VPN software also validates that systems meet certain requirements, such as checking for up-to-date anti-virus, before allowing connections.

Another option that probably offers the most control is to use a remote desktop solution such as RDS or Citrix. With these, users connect to a server and are presented with a full Windows desktop environment. The environment they are connected to is managed by the organisation and runs entirely under the organisation’s control. All internet access and software could be governed by the same controls as though the user were on site. These solutions can offer some additional benefits; for example, a user can disconnect at some point and then reconnect back into the same session to continue working uninterrupted.
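As an added example (not SureCloud’s code and not part of the original post), the following Python detection logic runs over constructed VPN session records and proxy log lines to flag the two exposures discussed above: personal-device VPN sessions left connected after the working day, and VPN egress to website categories the corporate proxy would not approve. The VPN address pool, category names, log format and end-of-day time are all assumptions.

```python
"""Added example: detection over constructed VPN session and proxy logs.
Address pool, category names, log format and end-of-day are assumptions."""
from datetime import datetime, time

VPN_POOL = "10.8.0."                       # assumed VPN client address pool
END_OF_DAY = time(18, 30)                  # assumed end of the working day
APPROVED = {"business", "saas", "news"}    # assumed categories allowed over VPN

# Constructed proxy log lines: timestamp client destination category
PROXY_LOG = [
    "2020-04-06T10:12:03 10.8.0.14 intranet.example.com business",
    "2020-04-06T21:40:11 10.8.0.14 tracker.example.net p2p",
    "2020-04-06T22:05:42 10.8.0.27 video.example.org streaming",
    "2020-04-06T11:00:00 192.0.2.10 news.example.com news",  # office LAN, not VPN
]

# Constructed VPN session records; "managed" is the device posture check result
VPN_SESSIONS = [
    {"user": "alice", "managed": False, "start": "2020-04-06T08:55:00", "end": None},
    {"user": "bob",   "managed": True,  "start": "2020-04-06T09:10:00", "end": "2020-04-06T20:00:00"},
    {"user": "carol", "managed": False, "start": "2020-04-06T09:00:00", "end": "2020-04-06T17:15:00"},
]


def flag_proxy_lines(lines, approved=APPROVED, pool=VPN_POOL):
    """Return (client, destination, category) for VPN clients reaching non-approved categories."""
    hits = []
    for line in lines:
        _ts, client, dest, category = line.split()
        if client.startswith(pool) and category not in approved:
            hits.append((client, dest, category))
    return hits


def flag_lingering_sessions(sessions, now_iso, end_of_day=END_OF_DAY):
    """Return users whose personal-device VPN session was still up after end_of_day."""
    now = datetime.fromisoformat(now_iso)
    flagged = []
    for s in sessions:
        if s["managed"]:
            continue  # corporate device: the same controls apply on or off site
        start = datetime.fromisoformat(s["start"])
        end = datetime.fromisoformat(s["end"]) if s["end"] else now  # None = still connected
        if end > datetime.combine(start.date(), end_of_day):
            flagged.append(s["user"])
    return flagged
```

Feeding real proxy and VPN concentrator exports into these two functions gives a daily list of sessions and requests to review before a rating provider sees the same traffic from the corporate address range.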

Administrative controls to implement

Lastly, it is vital to ensure that all administrative controls, such as Acceptable Use and Information Security policies, cover remote working and that all staff are fully aware of these and the implications of failing to follow their obligations. If policies do not cover remote working, now is the time to add it.

My colleague Matt Watson covers this topic in more detail in his blog ‘Migrating to Home Working with Controls to Put in Place’.

If you have questions or concerns, please email services@surecloud.com and we will be happy to assist you.