Vector
Vector

Choose your topics

Blogs
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Blogs
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Vector-1
Cyber Security

Cybersecurity Considerations for Remote Working | SureCloud

Written by

Matt Watson

Published on

20 Mar 2020

Cybersecurity Considerations for Remote Working | SureCloud

 

During this unique and uncertain time as we face the COVID-19 pandemic, organisations have had to set up employees to work remotely where they can and ensure that workers can connect securely to their company systems is of paramount importance, by making sure they have the correct cybersecurity controls to protect their data.

Consequently, IT Departments are facing unprecedented challenges around providing remote working access solutions that are both fit for purpose, and more crucially, secure.

 

Used to Remote Working?

For organisations with a mature remote working model already in place, the challenge is to keep everyone connected, with enough bandwidth to support the increased demand for communications, such as videoconferencing or VOIP calls.

 

Remote working newbie? 

However, for organisations that don’t have a formalised remote working policy, or those where remote working was only practised by a small subset of employees, there are additional challenges to face. For example, there may not be enough organisation owned devices for all employees, meaning that some could be asked to use their own personal devices, usually referred to as ‘BYOD’ (Bring Your Own Device). 

So, with this in mind, what are the critical areas that remote working policies, processes and technical solutions need to cover?

Key Considerations for Remote Working 

1. User Accounts 

If new user accounts are needed for remote working, then ensure that they are protected by a strong and unique, password (with the user prompted to change their password at first login)Also, if multi-factor authentication is not currently enforced for all users, now would be a good time to roll it out. 

Additionally, make sure that an account lockout policy is configured in order to protect against brute force attacks. This should also be applied to the multi-factor authentication solution if possible. 

2. Accessing Corporate Resources 

Organisations need to ensure that only authorised users can access their systems and data.  Usually, this is achieved through the use of a Virtual Private Network (VPN); this creates an encrypted tunnel from the end user device to the corporate network, allowing them the same access to corporate systems that they would receive when working from the office. 

With an increased remote workforce comes additional considerations relating to remote workers.  

 

Things to consider adding to your organisation’s remote working could be:

  • Additional VPN licenses.  
  • VPN client software pushed to end user devices (or in organisations where BYOD usage is prevalent).
  • ‘How To’ guides to be produced and circulated. 
  • New user accounts.
  • Multi-factor authentication integrated with the VPN solution.

 

All of these considerations could have an impact on the security posture of the organisation if not addressed. For example:

  • Not having enough VPN licenses would impact the availability of corporate resources for affected users.  
  • Users might download and install an outdated version of the VPN client software or may already be running an outdated version. Outdated software often contains security vulnerabilities that can threaten the integrity of the application itself, or the data it contains. 
  • A VPN solution protected solely by password-based authentication is a prime target for automated, bruteforce password guessing attacks. 

 

Furthermore, there could even be employees accessing non internet facing corporate systems via methods not approved by, or potentially known about, by the organisation. This is commonly known as ‘Shadow IT’ and could arise when a resourceful department takes it upon themselves to broker their own remote access solution, such as installing a remote assistance tool onto a desktop or server within the corporate office, thus giving them access and circumventing the organisations security controls and usage policies. 

 

3. Out of Date  

Keeping end user devices, such as laptops, smartphones, and tablets, up to date with the latest security updates can be a challenge for any organisation 

When (some or all) of the workforce suddenly becomes remote, and the organisation has permitted BYOD, keeping on top of device patching immediately becomes an even more complex process. IT departments can advise and inform their staff about the dangers of using outdated operating systems and software packages, but software updates cannot easily be pushed out to devices not under the business’ direct control. In this situation, a level of implicit trust towards personal devices is implied, and therefore any security weaknesses such as outdated software can directly threaten the organisations securitdevices posture. 

4. Device Encryption 

Devices such as laptops, mobile phones and tablets are often an attractive proposition for the opportunistic thief and are more likely to be stolen or lost when outside of the work office environment. Therefore, all devices should be encrypted, using a full disk encryption technology such as Microsoft’s BitLocker, to protect the integrity of data at rest. 

For employees using personal devices for business purposes, this represents a challenge that would be best addressed through clear communications, staff awareness training, and ‘security best practice’ guidance aimed at helping users to secure their personal devices and home networks as much as possible. 

5. End-User Guidance 

With a large proportion of employees potentially still getting to grips with home working, and potentially encountering more problems than usual due to changes in their working habits, ensuring that clear, step by step guidance and advice is easily accessible for all users is crucial in assuring compliance with corporate security policies. 

‘How To Guides’ covering common questions 

You might have these already within the organisation. If not, now is the perfect time to put something together! 

 

For example:

  1. How do I connect to the VPN? 
  2. Picking a Perfect Password/Passphrase  
  3. Enabling BitLocker Full Disk Encryption 

 

Make sure to include clear headings, step by step instructions and screenshots where you can.  

 

What to do if there is a problem? 

In a work office environment, it’s easy to ask a colleague what to do or call the IT helpdesk extension. However, when an employee is working from home and encounters an issue, they may be distracted by other events in the home (such as young children requiring attention), and may not recall company procedures, such as what to do if you think you might have clicked a link within a phishing email.  

 

To make sure that employees are aware of the businesses’ requirements relating to reporting security related incidents regular reminders of the policy, along with contact details of the relevant departments/people (telephone numbers, email addresses) should be circulated to ensure continued compliance. Any changes or updates made must be notified to staff. 

 

Be aware of your surroundings 

Consider publishing guidance relating to company policy on hardcopy document disposal for home workers. In the work office environment bins or shredders for secure document disposal are usually clearly marked and available in abundance, but in a home working environment are unlikely to be present. Users should be made aware of what to do with any confidential waste such as this, and also of the need to ensure that they are not inadvertently allowing others to view their screens (for example, working on a laptop with your back to a window when you live in a ground floor apartment). 

Importance of physical security 

Users should be reminded that physical security takes on a greater importance outside of the confines of the work officecontrols that users take for granted such as physical barriers, access control systems and CCTV cameras are less common within the home office environment. They should take the same precautions as they would in an office to ensure the security of company assets and information. 

 

These tips are here to help you rather than scare. If you have questions or concerns, please email services@surecloud.com and we will do our best to assist you.  

 

Or check out our Q&A with our Principal Cybersecurity Consultant as he discusses COVID-19 risks, including the exposure consumer-grade video conferencing could bring.