“Home Working” Cyber Security Considerations

By Guest Author on 18 August 2020

Lockdown measures and remote working requirements have forced all business owners to confront the same remote working security challenges that enterprises have been trying to solve since the 90s. Luckily, many of these basics are well documented and defined, which makes them easier to adopt in your business without going through the pain of trial and error. Remote access has shifted the logical security perimeter from your offices right into the homes of your employees, which reduces your span of control and increases the risk to your sensitive data and, ultimately, your business.


It is important to note that your level of control should match the potential risk your business would be exposed to should your systems be compromised or your data be rendered unavailable. The idea is not to flood you with a bunch of technical controls, but rather to pose a couple of questions and propose some suggestions, to provide some insight into how you should be addressing the issue of protecting your employees, your infrastructure and your data.


The lockdown home office is a very unique place, with parents conducting business meetings while kids are printing their homework and downloading the latest TV series from nefarious websites, sharing devices and competing with a vast array of internet-connected devices. Couple that with the fact that the majority of employees are using their own devices to access sensitive company resources, and you have a high risk profile that will make any security professional jittery.


Here is a list of basic questions and considerations you should keep in mind from an IT security perspective when dealing with working from home.


Do you have Security Governance in place?

It is important for a business to be transparent and clear about the expectations of employees working from home. The expected behaviors, clear policies and guidelines need to be documented and communicated to all employees, supported by an awareness campaign to make sure everyone understands the role they have to play in protecting the business.


How do you ensure a reasonable level of security for employee devices and communication infrastructure not owned and managed by your IT department/service provider?


The following is a generic list of the main issues you need to consider when dealing with remote access.

  • The latest anti-virus and malware protection should be installed on all relevant devices.
  • Operating systems and applications should all be kept up to date with the latest software patches and fixes. If possible, devices should be configured to install updates automatically.
  • Adequate password protection must be implemented (minimum 8 characters, alphanumeric, non-dictionary). It is important to note that passwords should not be shared across different devices and platforms. Adequate password protection is a key element in preventing unauthorized access.
  • Employees should be strongly discouraged from using public Internet access, such as in coffee shops and restaurants. There is a myriad of attack vectors associated with public-access WiFi, like man-in-the-middle attacks and malware distribution, and sometimes the risk outweighs the need for Internet access.
  • Use a Virtual Private Network (VPN) to secure the connection and encrypt your data in transit. There are various providers on the market offering this service (e.g. ExpressVPN and NordVPN). Incorporating a VPN in the remote access strategy increases your level of protection significantly.
  • Home routers used to connect to the Internet should have wireless encryption enabled and the default passwords changed, so that attackers cannot breach and access the home network. This can prevent hackers from gaining unauthorized access to the home network and effectively taking control of the network, the devices connected to it, and the sensitive data stored on and sent over it.
  • Standardize on communication software. Various technologies facilitate communications, like WhatsApp, Skype, Zoom and Microsoft Teams, to name a few. Standardizing the communication mediums allows for specific guidelines around secure setup and configuration that employees can implement to protect and secure communication.
  • Logical split between personal and work. Avoid using the same device for work and personal matters, for example kids using the same computer the parent is working on to access their homework, or worse, downloading the latest movies from various untrusted sites.
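
The password rule in the list above (minimum 8 characters, alphanumeric, not a dictionary word) is concrete enough to enforce at enrolment time. The following Python check is an added example, not code from the article or its author; the small wordlist and the test passwords are constructed for illustration, and a real deployment would load a large dictionary or breached-password list instead. It goes one step beyond the wording of the rule by undoing common letter-for-digit substitutions before the dictionary lookup, so "P@ssw0rd" is still rejected as dictionary-based.

```python
import re

# Constructed sample wordlist (assumption for this example); a production check
# would load a full dictionary or breached-password list from disk.
DICTIONARY = {"password", "welcome", "summer", "letmein", "lockdown", "company"}

# Common "leet" substitutions users apply to dictionary words to dodge a naive check.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # the article's minimum


def normalize(pw: str) -> str:
    """Lower-case, undo leet substitutions and drop non-letters, so that
    'Summer2020!' and 'P@ssw0rd' reduce to the word they are built on."""
    base = pw.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", base)


def contains_dictionary_word(pw: str, dictionary=DICTIONARY) -> bool:
    """True if the normalized password contains any dictionary word of 4+ letters."""
    base = normalize(pw)
    return any(word in base for word in dictionary if len(word) >= 4)


def check_password_policy(pw: str, dictionary=DICTIONARY) -> list:
    """Return a list of policy violations; an empty list means the password passes.
    Rules are the article's: length >= 8, letters and digits present, not dictionary-based."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", pw):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("contains no digits")
    if contains_dictionary_word(pw, dictionary):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, weakest first.
    for candidate in ["abc123", "12345678", "Summer2020!", "P@ssw0rd", "Tr0ub4dor&3"]:
        verdict = check_password_policy(candidate) or ["ok"]
        print("%-14s %s" % (candidate, ", ".join(verdict)))
```

The check returns the reasons rather than a bare boolean so that an enrolment form can tell the user which rule they broke; the leet normalization is deliberately lossy (it only needs to catch the word the password is built on, not reconstruct the password).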

How do you ensure confidentiality, integrity and availability of your sensitive data?

It is strongly recommended that data is stored in the cloud and not on local devices like notebooks, external hard drives and memory sticks. Cloud storage products, like Dropbox, Google Drive and OneDrive, facilitate secure online storage and sharing of data, which means you don’t have to worry about backups and data leakage from stolen notebooks and physical storage devices. You have the added benefit that your data can be accessed securely as long as your employees have access to the Internet. If there is a business requirement to store data locally on devices, enable “Find my device” / “remote wipe” where possible. In the event of theft of these devices, employees can initiate tracking and, more importantly, a remote data wipe on the stolen devices.


Third party suppliers, vendors and contractors?

Businesses have become increasingly reliant on third parties, and this is an area often overlooked by businesses when dealing with Cyber risk. Do you know what access these role players have to your network, and how they manage Cyber risk as it relates to your network and data? What recourse do you have in case your systems and/or data are compromised by attacks originating from these networks? Supply chain attacks are on the increase, and it is now more important than ever to ensure your business remains resilient. You cannot protect and manage what you don’t know about, thus you need to assess and understand your supplier network, and know the risks associated with your third-party partners and suppliers.


And lastly, are your employees aware of the risk of Covid-19 phishing campaigns? There has been a significant rise in these types of scams globally, and it’s important to stay alert to avoid falling for these sophisticated schemes.


These scams range from investment schemes to impersonating government agencies sharing health advice and alerts. Large enterprises can afford to deploy dedicated solutions to manage the risk, but small to medium companies may find it more cost-effective to simply focus on employee education and best practices. Here are some generic guidelines to follow:

  • Beware of online requests for personal and login information. A coronavirus-themed email soliciting this type of information is generally a phishing scam. Employees should never respond to these types of email with personal and login data.
  • Check the email address or link. Sometimes it’s obvious the web address is not legitimate, but there are sophisticated scammers out there who can craft links that closely resemble legitimate addresses. If unsure, just delete the email.
  • Watch for grammar and spelling mistakes. If an email includes spelling, punctuation and grammar errors, it’s likely to be a phishing email. Delete the email.
  • Generic greetings. Phishing emails are unlikely to use the target employee’s name in the opening greeting, as scammers often adopt a spray-and-pray approach to reach as big a target audience as possible and increase their chances of success. Greetings like “Dear Sir” or “Dear Madam” are a clear signal that the email might not be legitimate.
  • Avoid “act now” emails. Scammers often try to create a false sense of urgency, demanding immediate action to avoid impending doom. The main goal is to get the target to click on a link and provide personal information or download malicious code.
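
The guidelines above are written for a human reader, but most of them can also be turned into a simple triage filter that a small company could run over incoming mail or use in awareness training to show staff what the red flags look like side by side. The Python below is an added example, not code from the article or its author. It assumes a single trusted company domain (`example-corp.com`, a placeholder) and two constructed messages: one phishing lure and one legitimate internal note. It checks the sender domain (including lookalikes one or two characters away from the trusted domain), links to hosts outside the trusted domain, generic greetings, urgency wording and requests for credentials, and returns the list of flags raised.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Placeholder trusted domain (assumption for this example).
TRUSTED_DOMAINS = {"example-corp.com"}

# Phrase lists derived from the article's guidelines; extend as needed.
GENERIC_GREETINGS = ["dear sir", "dear madam", "dear customer", "dear user", "dear employee"]
URGENCY = ["act now", "immediately", "within 24 hours", "account will be suspended", "urgent"]
CREDENTIAL_ASKS = ["password", "login details", "verify your account", "confirm your credentials"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike sender domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain of the actual From address, ignoring the display name."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def is_lookalike(domain: str) -> bool:
    """True if the domain is close to, but not equal to, a trusted domain."""
    return any(0 < levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def analyse(raw: str) -> list:
    """Return the list of phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    dom = sender_domain(msg)
    if dom and dom not in TRUSTED_DOMAINS:
        flags.append("external sender")
        if is_lookalike(dom):
            flags.append("lookalike sender domain")
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_DOMAINS:
            flags.append("link to untrusted host " + host)
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if any(u in text for u in URGENCY):
        flags.append("urgency language")
    if any(c in text for c in CREDENTIAL_ASKS):
        flags.append("asks for credentials")
    return flags


# Constructed sample messages (not real mail): a lure and a benign internal note.
PHISH = """From: "Example Corp IT" <helpdesk@examp1e-corp.com>
To: staff@example-corp.com
Subject: COVID-19 remote access update - act now

Dear Employee,

Due to lockdown your VPN password expires today. Verify your account immediately at
http://example-corp-login.net/verify or your account will be suspended.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example-corp.com>
To: carel@example-corp.com
Subject: Notes from this morning's call

Hi Carel,

The notes are on the shared drive at https://example-corp.com/teams/notes - nothing to do.
"""

if __name__ == "__main__":
    for name, sample in [("PHISH", PHISH), ("LEGIT", LEGIT)]:
        print(name, analyse(sample) or ["no indicators"])
```

Each indicator on its own is weak (plenty of genuine mail is urgent), which is why the function returns all of them rather than a verdict: several flags together on one message is the pattern the article's guidelines describe, and showing the list to the recipient is more useful for training than silently dropping the mail.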


As more and more employees continue to work from home for at least the foreseeable future, balancing the demand between employee productivity and information security will be of utmost importance. We hope that the questions raised will stimulate conversation and enable you to better manage your Cyber risks. Keep safe and stay healthy.


Author

Carel Krogh

This article was published with the permission of Carel Krogh