Lockdown measures and remote working requirements have forced all business owners to confront the same remote working security challenges enterprises have been trying to solve since the 90s. Luckily, a lot of these basics are well documented and defined, which makes them easier to adopt in your business without having to go through the pain of trial and error. Remote access has shifted the logical security perimeter from your offices right into the homes of your employees, which reduces your span of control and increases the risk to your sensitive data and ultimately your business.
It is important to note that your level of control should match the potential risk your business will be exposed to should your systems be compromised, or data be rendered unavailable. The idea is not to flood you with a bunch of technical controls, but rather to pose a couple of questions and propose some suggestions to provide some insight into how you should be addressing the issue of protecting your employees, infrastructure and your data.
The lockdown home office is a unique place, with parents conducting business meetings while kids are printing their homework and downloading the latest TV series from nefarious websites, sharing devices and competing with a vast array of internet-connected devices. Couple that with the fact that the majority of employees are using their own devices to access sensitive company resources, and you have a high-risk profile that will make any security professional jittery.
Here is a list of basic questions and considerations you should keep in mind from an IT Security perspective when dealing with working from home.
It is important for a business to be transparent and clear about the expectations of employees working from home. The expected behaviors, clear policies and guidelines need to be documented and communicated to all employees, supported by an awareness campaign to make sure everyone understands the role they have to play in protecting the business.
How do you ensure a reasonable level of security for employee devices and communication infrastructure not owned and managed by your IT department/service provider?
It is strongly recommended that data is stored in the Cloud and not on local devices like notebooks, external hard drives and memory sticks. Cloud storage products, like Dropbox, Google Drive and OneDrive, facilitate secure online storage and sharing of data, which means you don’t have to worry about backups and data leakage on stolen notebooks and physical storage devices. You have the added benefit that your data can be accessed securely as long as your employees have access to the Internet. If there is a business requirement to store data locally on devices, enable “Find my device” / “remote wipe” where possible. In the event of theft of these devices, employees can initiate tracking and, more importantly, a remote data wipe on the stolen devices.
Businesses have become increasingly reliant on third parties, and this is an area often overlooked by businesses when dealing with Cyber risk. Do you know what access these role players have to your network and how do they manage Cyber risk as it relates to your network and data? What recourse do you have in case your systems and/or data is compromised by attacks originating from these networks? Supply chain attacks are on the increase, and it is now more important than ever to ensure your business remains resilient. You cannot protect and manage what you don’t know about, thus you need to assess and understand your supplier network, and know the risks associated with your third-party partners and suppliers.
And lastly, are your employees aware of the risk of COVID-19 phishing campaigns? There has been a significant rise in these types of scams globally, and it's important to stay alert to avoid falling for these sophisticated schemes.
These scams range from investment schemes to impersonating government agencies sharing health advice and alerts. Large enterprises can afford to deploy dedicated solutions to manage the risk, but small to medium companies may find it more cost-effective to simply focus on employee education and best practices. Here are some generic guidelines to follow:
As more and more employees continue to work from home for at least the foreseeable future, balancing the demand between employee productivity and information security will be of utmost importance. We hope that the questions raised will stimulate conversation and enable you to better manage your Cyber risks. Keep safe and stay healthy.
Author
Carel Krogh
This article was published with the permission of Carel Krogh