While it’s estimated that over 50% of employees globally work outside of their main office for at least 2.5 days per week, the advancement of Covid-19 in recent weeks is challenging all organisations to mobilise their entire workforces, not just a select few departments. This mass mobilisation is creating huge challenges for cyber security teams.
With this challenge in mind, below are my ‘magnificent 7’ must-dos for enabling secure remote working in your business, assuming it is not something that has previously been a business focus. Whilst not exhaustive, it is offered as a checklist to ensure that the foundational elements have been considered.
1. Have a taskforce
Elect a team! If you have not got a remote working solution already established, ask yourself: “Is what you are proposing a fundamental change to the working culture?” If so, then elect a cross-functional team to plan, enact and manage the transition.
User experience will be key to effective adoption of any new solution and addressing user concerns in a timely fashion is crucial for success.
First objective for the team? Build a response strategy. Take account of what you have. For existing tools, make sure you have the required capacity and licensing available to support the anticipated increase in demand.
2. Plan based on Policy
Update or establish a Cyber Security Policy that includes remote working. Consider within this policy your support for personal (BYOD) devices and the potential increase in shadow IT that remote working might bring. Explore the effect that this will have on your Threat Landscape and cyber exposure.
Consider the level of security which you will recommend, or even mandate, on personal devices and possible mechanisms for performing posture assessments on devices connecting to your sensitive environments.
Plan how you expect system administrators and users to provision devices – will these be centrally governed or will you permit self-enrolment via self-service portals? These will be important considerations for quickly mobilising the workforce and maintaining a ‘minimum physical contact’ environment.
3. Continue to educate the workforce
Continue to educate the workforce on the status of the coronavirus pandemic and continue to promote user awareness with regards to cyber security. Given the raised stress that people are under, we are all more likely to be susceptible to social engineering, which preys on our fears. Attackers have already been seen to be using this state of panic to drive phishing campaigns, masquerading as public health information updates.
Additionally, users who are not accustomed to working from home often let their guard down while surrounded by their home comforts. It is important to remind users to stay vigilant to cyber-crime, which can target them just as easily in the confines of their own home as it can in an organisation’s offices.
Lastly, continue to communicate. In the event of a sustained remote and distributed workforce, regular communication will be essential for supporting an effective working environment.
4. Adapt to the new perimeter
Provide users with secure remote connectivity, so that they can carry on business-as-usual (BAU) activities, in a similarly secure manner to when they are in the office. This should include the provision of secure remote VPN (Virtual Private Network) solutions for accessing internal company resources, as well as extending Intrusion Prevention Systems (IPS), Sandboxing, Threat Emulation and URL Filtering services, where appropriate.
Provide users with information on how to send encrypted emails for confidential communications, assuming your mail platforms support that, and educate them on the do’s and don’ts of public WiFi.
Where remote connectivity services are being established, or scaled out, it is also important to evaluate the effect that this will have on the ‘perimeter’ of your network. Where possible implement multi-factor authentication (MFA) on all remotely accessible systems (VPNs included), in line with best-practice recommendations.
5. Practice good physical security
Not everyone will be working from home. Some will be working from public spaces like coffee shops, libraries or friends’ houses. In these cases, users should be mindful of the information they are sharing on screen, and wherever possible have privacy screens fitted to make sure company data stays company data (and not publicly broadcast information).
Users should also be conscious of looking after their business assets, keeping them within sight and storing them securely when not in use (this rule applies for home too!). Remind users to lock their screens when not in use; this should be considered basic hygiene – much like washing your hands.
All laptops and mobile devices issued should also have full-disk encryption enabled, to guard against loss or theft of the device. Should a device go missing, you may find yourself obligated to report it to the regulating authorities under GDPR; being able to confidently say that all data on the missing device was encrypted will put you in a much safer position.
6. Maintain monitoring standards
With the rapid deployment of new platforms and services to support remote working, operations and security teams must be attentive to ensure the same levels of robustness and rigour in security monitoring are applied. Security monitoring of new platforms and services should be considered from the outset and not as an afterthought. For organisations that are implementing new connectivity functions or methods, care should be given to understanding how and where users will be connecting. Depending on the services provided to these geographically diverse users, organisations may wish to consider deploying additional tooling, such as Cloud Proxy or Cloud Access Security Broker (CASB) solutions, to monitor and audit the use of services.
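To make the two points above concrete (MFA on every remotely accessible system from step 4, and knowing how and where users connect from step 6), here is an added example, not Integrity360's tooling or the original post's, that audits a constructed VPN authentication log for single-factor logins and for users appearing in two countries within a short window. The log format and the set of MFA method names are assumptions.

```python
"""Audit constructed VPN authentication events for two remote-working
controls: MFA coverage on remote logins and where users connect from.
Added example; the log format and method names are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, user, source country, auth method, result
VPN_LOG = """\
2020-03-16T08:02:11Z alice GB password+otp success
2020-03-16T08:05:40Z bob GB password success
2020-03-16T08:20:03Z carol IE password+otp success
2020-03-16T09:10:55Z alice US password+otp success
2020-03-16T09:12:30Z bob GB password failure
2020-03-16T11:45:00Z dave FR password+push success
"""

# Assumed labels the VPN gateway uses when a second factor was verified
MFA_METHODS = {"password+otp", "password+push", "certificate+otp"}


def parse_events(text):
    """Turn whitespace-separated log lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, method, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "country": country,
                       "method": method, "result": result})
    return events


def logins_without_mfa(events):
    """Users who completed a remote login with a single factor (policy gaps)."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["method"] not in MFA_METHODS})


def impossible_travel(events, window=timedelta(hours=2)):
    """Users with successful logins from two countries inside the window."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])  # compare consecutive logins
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= window:
                flagged.append((user, a["country"], b["country"]))
    return flagged
```

Failed attempts are deliberately excluded from both checks so that a password-only failure does not mask the absence of MFA on the successful session that follows it.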
7. Engage others to drive results
Spread the load. If you haven’t got remote working plans and systems in place yet, which cover your entire organisation, then the probability is that this hasn’t historically been your focus, or an area which you are geared up to deliver today. You cannot expect to be experts on this overnight. Reach out to your security partners and engage Professional Services where needed, to help plan the appropriate course of action and then design, build and run the supporting services.
If you would like advice on any of the information contained above, please contact your account manager or email info@integrity360.com.