Matt Watson | Managing Cybersecurity Consultant | SureCloud
During this unique and uncertain time as we face the COVID-19 pandemic, organisations have had to set employees up to work remotely wherever they can. Ensuring that workers can connect securely to company systems is of paramount importance, and that means making sure the correct cybersecurity controls are in place to protect their data.
Consequently, IT departments are facing unprecedented challenges around providing remote working access solutions that are both fit for purpose and, more crucially, secure.
Used to Remote Working?
For organisations with a mature remote working model already in place, the challenge is to keep everyone connected, with enough bandwidth to support the increased demand for communications such as videoconferencing or VoIP calls.
Remote working newbie?
However, for organisations that don’t have a formalised remote working policy, or those where remote working was only practised by a small subset of employees, there are additional challenges to face. For example, there may not be enough organisation-owned devices for all employees, meaning that some could be asked to use their own personal devices, usually referred to as ‘BYOD’ (Bring Your Own Device).
So, with this in mind, what are the critical areas that remote working policies, processes and technical solutions need to cover?
Key Considerations for Remote Working
1. User Accounts
If new user accounts are needed for remote working, then ensure that they are protected by a strong and unique password (with the user prompted to change their password at first login). Also, if multi-factor authentication is not currently enforced for all users, now would be a good time to roll it out.
Additionally, make sure that an account lockout policy is configured in order to protect against brute force attacks. This should also be applied to the multi-factor authentication solution if possible.
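One way to check the lockout policy described above on a Windows domain, as an added example that is not part of the original article: it reads the domain default password policy and compares it against a baseline. The baseline numbers are assumptions for illustration; the Test-LockoutPolicy function name is ours.

```powershell
# Added example: audit the domain default password/lockout policy against a baseline.
# Requires the ActiveDirectory module (RSAT) and an authorised, domain-joined session.
# Baseline values below are assumptions for illustration; substitute your own standard.
$Baseline = @{
    LockoutThreshold         = 10   # failed attempts before lockout; 0 means "never lock out"
    LockoutDurationMinutes   = 15
    ObservationWindowMinutes = 15
    MinPasswordLength        = 12
}

function Test-LockoutPolicy {
    param(
        [Parameter(Mandatory)] $Policy,               # result of Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $findings = @()

    # Threshold 0 disables lockout entirely, leaving password guessing unthrottled.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold); expected 1..$($Baseline.LockoutThreshold)"
    }
    # LockoutDuration is a TimeSpan. A zero duration means "locked until an administrator
    # unlocks", which is stricter than any timed value, so it is not flagged.
    $duration = $Policy.LockoutDuration.TotalMinutes
    if ($duration -ne 0 -and $duration -lt $Baseline.LockoutDurationMinutes) {
        $findings += "LockoutDuration is $duration min; expected >= $($Baseline.LockoutDurationMinutes)"
    }
    $window = $Policy.LockoutObservationWindow.TotalMinutes
    if ($window -lt $Baseline.ObservationWindowMinutes) {
        $findings += "LockoutObservationWindow is $window min; expected >= $($Baseline.ObservationWindowMinutes)"
    }
    # Strong-password checks from the same policy object.
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); expected >= $($Baseline.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "Password complexity requirement is disabled"
    }
    return $findings
}

Import-Module ActiveDirectory
$findings = Test-LockoutPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $Baseline
if ($findings.Count -eq 0) { Write-Output "Domain lockout and password policy meets the baseline" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Fine-grained password policies (PSOs) applied to specific groups are not covered by the default policy object and would need to be checked separately with Get-ADFineGrainedPasswordPolicy.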
2. Accessing Corporate Resources
Organisations need to ensure that only authorised users can access their systems and data. Usually, this is achieved through the use of a Virtual Private Network (VPN); this creates an encrypted tunnel from the end-user device to the corporate network, allowing users the same access to corporate systems that they would receive when working from the office.
With an increased remote workforce come additional considerations relating to remote workers.
Things you may need to add to your organisation’s remote working solution include:
- Additional VPN licenses.
- VPN client software pushed to end-user devices (or made available for users to download in organisations where BYOD usage is prevalent).
- ‘How To’ guides to be produced and circulated.
- New user accounts.
- Multi-factor authentication integrated with the VPN solution.
All of these considerations could have an impact on the security posture of the organisation if not addressed. For example:
- Not having enough VPN licenses would impact the availability of corporate resources for affected users.
- Users might download and install an outdated version of the VPN client software or may already be running an outdated version. Outdated software often contains security vulnerabilities that can threaten the integrity of the application itself, or the data it contains.
- A VPN solution protected solely by password-based authentication is a prime target for automated, brute-force password guessing attacks.
Furthermore, there could even be employees accessing non-internet-facing corporate systems via methods not approved by, or even known to, the organisation. This is commonly known as ‘Shadow IT’ and could arise when a resourceful department takes it upon itself to broker its own remote access solution, such as installing a remote assistance tool onto a desktop or server within the corporate office, thus giving it access while circumventing the organisation’s security controls and usage policies.
3. Out of Date
Keeping end-user devices, such as laptops, smartphones and tablets, up to date with the latest security updates can be a challenge for any organisation.
When some or all of the workforce suddenly becomes remote, and the organisation has permitted BYOD, keeping on top of device patching immediately becomes an even more complex process. IT departments can advise and inform their staff about the dangers of using outdated operating systems and software packages, but software updates cannot easily be pushed out to devices that are not under the business’s direct control. In this situation, a level of trust in personal devices is implicit, and therefore any security weakness on them, such as outdated software, can directly threaten the organisation’s security posture.
4. Device Encryption
Devices such as laptops, mobile phones and tablets are often an attractive proposition for the opportunistic thief and are more likely to be stolen or lost when outside of the work office environment. Therefore, all devices should be encrypted, using a full disk encryption technology such as Microsoft’s BitLocker, to protect data at rest.
For employees using personal devices for business purposes, this represents a challenge that would be best addressed through clear communications, staff awareness training, and ‘security best practice’ guidance aimed at helping users to secure their personal devices and home networks as much as possible.
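To verify the BitLocker control above on an organisation-managed Windows device, here is an added example that is not part of the original article: it lists every volume BitLocker reports and flags any that is not fully encrypted, has protection suspended, or has no recovery password escrowed. The Get-BitLockerFindings function name is ours; it assumes the built-in BitLocker module and an elevated session.

```powershell
# Added example: report volumes that are not fully protected by BitLocker.
# Requires the BitLocker PowerShell module (Windows Pro/Enterprise) and an elevated session.
function Get-BitLockerFindings {
    param(
        # Volume objects from Get-BitLockerVolume, passed in so the check is reusable.
        [Parameter(Mandatory)] $Volumes
    )
    $findings = @()
    foreach ($vol in $Volumes) {
        $name = "$($vol.MountPoint) ($($vol.VolumeType))"

        # Anything other than FullyEncrypted leaves plaintext on disk (decrypted, paused, in progress).
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$name is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
        }

        # ProtectionStatus Off means the key protectors are suspended: the volume is
        # encrypted but unlocks without any credential, so data at rest is exposed.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$name has ProtectionStatus $($vol.ProtectionStatus); protection is suspended or absent"
        }

        # Without a recovery password protector, a TPM change or forgotten PIN means lost data.
        # Escrow the recovery password (e.g. to AD or your MDM) before enforcing encryption.
        $hasRecovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not $hasRecovery) {
            $findings += "$name has no RecoveryPassword key protector"
        }
    }
    return $findings
}

$findings = Get-BitLockerFindings -Volumes (Get-BitLockerVolume)
if ($findings.Count -eq 0) { Write-Output "All volumes are fully encrypted with protection on" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Full disk encryption only protects data while the device is powered off or locked; a device that is logged in and unattended is not protected by it, which is why the screen-locking guidance later on this page matters as well.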
5. End-User Guidance
With a large proportion of employees potentially still getting to grips with home working, and potentially encountering more problems than usual due to changes in their working habits, ensuring that clear, step-by-step guidance and advice is easily accessible to all users is crucial in ensuring compliance with corporate security policies.
‘How To Guides’ covering common questions
You might have these already within the organisation. If not, now is the perfect time to put something together!
- How do I connect to the VPN?
- Picking a Perfect Password/Passphrase
- Enabling BitLocker Full Disk Encryption
Make sure to include clear headings, step-by-step instructions and screenshots where you can.
What to do if there is a problem?
In a work office environment, it’s easy to ask a colleague what to do or call the IT helpdesk extension. However, when an employee is working from home and encounters an issue, they may be distracted by other events in the home (such as young children requiring attention), and may not recall company procedures, such as what to do if you think you might have clicked a link within a phishing email.
To make sure that employees are aware of the business’s requirements relating to reporting security-related incidents, regular reminders of the policy, along with contact details of the relevant departments/people (telephone numbers, email addresses), should be circulated to ensure continued compliance. Staff must be notified of any changes or updates made.
Be aware of your surroundings
Consider publishing guidance relating to company policy on hard-copy document disposal for home workers. In the work office environment, bins or shredders for secure document disposal are usually clearly marked and available in abundance, but in a home working environment they are unlikely to be present. Users should be made aware of what to do with confidential waste such as this, and also of the need to ensure that they are not inadvertently allowing others to view their screens (for example, working on a laptop with your back to a window when you live in a ground floor apartment).
Importance of physical security
Users should be reminded that physical security takes on a greater importance outside of the confines of the work office; controls that users take for granted such as physical barriers, access control systems and CCTV cameras are less common within the home office environment. They should take the same precautions as they would in an office to ensure the security of company assets and information.
These tips are here to help you rather than to scare you. If you have questions or concerns, please email firstname.lastname@example.org and we will do our best to assist you.
Or check out our Q&A with our Principal Cybersecurity Consultant as he discusses COVID-19 risks, including the exposure consumer-grade video conferencing could bring.
Webinar with CREST President to discuss the New Normal and Beyond…
Check out our fireside virtual conversation on how to ‘Secure Your Cyber Baseline For The New Normal’ with Ian Glover (CREST) and our Risk Advisory Practice Director.
- ‘Top ten’ return to work tips including establishing new ways of working
- Advice on how to secure a new cyber baseline following a crisis
- Guidance for defining a resilient cyber strategy