An unprecedented number of organizations around the world are now making the abrupt shift to a remote workforce. CIOs, CISOs, Compliance Leaders and IT teams are working around the clock to ensure both business continuity and continued support for their internal users.
As an IT leader, how do you continue to protect your organization’s confidential information and assets while also enabling staff to work remotely during this health crisis? This shift presents some key security challenges for organizations.
Our team here at Emtec has been on the front lines working with our internal divisions as well as our clients to enable their staff while also adjusting security protocols to stay secure and compliant with all our standards (PII/PCI/GDPR/ISO etc.).
Even if you had a small portion of employees who regularly work from the road, it's likely that moving to an almost entirely remote workforce, over a short period, will cause some disruption. Here are a few security best practices as you make the transition to enable and support a remote workforce – potentially to be the new norm for quite some time.
Securing your Network
- Prepare your Service Desk/Help Desk: Ensure your help desk team is prepared to field additional questions and end-user support issues as teams move to a remote posture. Educate and remind your IT team that there will be a rise in social engineering attacks to get employee credentials. Ensure they have a proper way to authenticate employees to prevent this.
- VPN Security: Have you reviewed your VPN and RDP configurations to check for any issues caused by the rush to bring on new VPN concentrators or newly open remote connections? A large increase in VPN traffic will add the following security considerations:
- Load balancing and rate limiting on connections: Can you support peak VPN traffic? Do you have enough session licenses? Can you use multiple VPN access points for geographical links to reduce hops? Staggering VPN use is an option.
- Set shorter timeouts: If load and licenses are an issue, timeout those who leave connections up and have walked away from actual work.
- Restrict services: Some workers like to stream audio or video while they work, and maybe your policies allow that. But forcing that traffic both in and out of your perimeter monopolizes bandwidth and VPN/Firewall cycles. Consider restricting VPN access or filter traffic by application type rather than URL destination for better performance.
- Monitor usage: Periodically review steps taken to evaluate their effectiveness. Look at load times to evaluate if staggering usage is needed for high-intensity tasks. Ensure VPN activity is logged so that abuse can be identified either in real time using analytic tools or historically if an issue arises.
- RDP Security: If you are using RDP for remote access, be sure to secure it to prevent unauthorized access or misuse. An excellent introductory guide for securing RDP is available.
- Multi-factor authentication (MFA): If feasible, enable multi-factor authentication (MFA) for access to email or shared drives. If your organization utilizes G Suite or O365 and have not yet enabled this, now is an excellent time to do so. The extra security offered can make this worth the extra effort, especially with compliance concerns. When enabling, ensure your users are trained and comfortable using the authenticator before making it mandatory.
- End Point Discovery: Your network architecture has just been altered substantially. Do you have full visibility into every asset or device now connected to your network? We recommend periodic discovery of end points on your network to ensure all devices connected are approved and protected. BMC Helix Discovery is a tool that Emtec recommends.
- Systematic Vulnerability Scans: Your security posture is shifting – by the minute – as new remote endpoints are activated. Consider activating vulnerability scans of your enterprise network including endpoints, server operating systems and applications to reveal any changes, guard against active threats, and remediate potential risks. There are quite a few toolsets available, Emtec recommends Digital Defense’s Frontline Vulnerability Manager™. More on this and other tools we recommend in a future blog post.
- AI Driven Security: Cyber criminals are exploiting COVID-19 media coverage to launch Coronavirus-themed ransomware attacks. There are AI and ML driven toolsets that can help you detect external attacks as well as any internal threats by monitoring logs for abnormal system, application and employee behaviors. It may be a good time to evaluate some of these tools. Emtec recommends Cybraics nLighten™.
- Monitor Cyber Security Alerts: I encourage you to sign up for and monitor government cyber security alerts. A few resources include the FBI, CIA, DOD, State and local agencies as well as the Division of Homeland Security.
Enabling your Employees
- Security Training and Communications: Does your organization provide regular security training to your employees? Annual security training can go a long way to reducing your risk. During this transition, consider increasing regular communications around security do’s and don’ts. We are seeing a rise in phishing, social engineering and other cyber-criminal activities around the COVID-19 health crisis, so it is important to keep your employees informed and diligent. Consider utilizing a single messaging channel for that employees can subscribe to. As an example, MS Teams has rolled out a Crisis Communication Tool. Our recent blog: Cyber Security Tips for Employees Working Remote is a good resource to send to your teams.
- BYOD Devices: If you are unable to supply company-owned laptops to your employees and they need to utilize their own devices to complete work related activities, require them to enroll in your BYOD program so that proper security tools are deployed (antivirus, intrusion detection, encryption), and VPN access is granted. Your BYOD policy, which has been reviewed by your legal department and approved by your executive team, will aid in reducing your risk.
- End User Device Updates: In an extended Work from Home situation, consider how to push updates to laptops and other devices which do not connect to a corporate network for extended periods. Can your VPN handle the traffic of pushing updates to remote machines that do connect? There are tools like MacAfee Endpoint Security Suite, Malware Bytes, ManageEngine and 0365 MDM, which can make the transition easier.
- Data Security: Ensure that staff understands they need to keep their work on their work devices only. There can be a temptation to download documents to personal computers or sharing sites when working late at night and then forget about the material. Ensure they are reminded of and understand your policies. For BYOD devices- consider restrictive policies to allow basic connectivity and reverify access needs/rights to reduce the potential for unauthorized access to sensitive internal company information or, even worse, client data on employee's personal devices.
- Home Network Security: Encourage employees to review their home network security and offer to have your IT staff consult with them to update Wi-Fi passwords and configure networks as needed. If wired connections are not possible for them, remind your employees of good password practices to keep their home Wi-Fi secure.
- Video Conferencing: Do you have a video conferencing solution in place for your remote teams? Video conferencing tools may become essential to your operations in the coming months. If they are situated with the tools needed (including conferencing software, headphones, microphones, and video cameras), consider these video conferencing security tips:
- Limit use of long-lived meeting URLs for highly sensitive meetings and instead use one-off event URLs or meeting IDs. Especially in larger more significant calls, you may not notice late joiners who weren’t invited.
- Encourage employees to identify themselves when they join, especially for teleconferences or meetings conducted primarily through voice. Pause the session and encourage the late joiner to announce themselves.
- Consider the use of waiting rooms or meeting passcodes, to further protect confidentiality of highly sensitive information.
- When screen sharing, share only application windows and not entire desktops. Similarly, suppress notifications (i.e. email notifications) on computers that support that functionality to protect against sensitive information being shown to attendees.
- How to turn off on MacBook: https://support.apple.com/en-us/HT204079
- How to turn off on Windows 10: https://support.microsoft.com/en-us/help/4028678/windows-10-change-notification-settings
- Ensure you monitor security alerts for the conferencing tools you have in place. For example, Zoom has had security challenges with online meetings being hijacked.
Changes to Policies and Procedures
- Update Important Company Policies: It is a good time to review your organization’s Business Continuity plans (BCP) and other policies including BYOD, mobile device management (MDM), remote work policies as well as your IT security policy and for any updates required. Remind employees of your corporate policies around remote work, frequent password changes, mobile device usage, data security and backup. Ensuring your employees continue to follow these key policies will reduce your risk of a breach or disruption.
- Identify Potential Single Points of Failure: While we hope it won't happen, you may have employees who become ill and are unable to perform critical business functions for a time. Do you have enough coverage for your IT help desk if a team member falls ill? Would your payroll be held up if your payroll administrator was out sick? Can you still onboard or off-board employees if the HR team is out? Cross-training is always a good idea, but particularly now, ensure that you have a backup plan for critical business functions.
- Onboarding/Offboarding Employees (remotely): Identification of a new employee is usually handled in person. If you're sending out credentials or shipping a laptop, work with your HR team to firmly establish and verify new end users before proceeding and watch out for social engineering attempts. Similar activities should be completed for offboarding – ensuring access is terminated and all company hardware and data is returned. Work with your HR and legal teams to define and enforce these policies.
The bottom line: A Surge in Remote Workforce = An Altered Cyber Security Posture
The current events require rapid responses, flexibility, and adaptability, including potential short-term changes to policies. So, as the DPO, CIO, CISO, or IT leader, remember the confidentiality-integrity-availability triangle core information security concept. The past few weeks have required many of us to tweak the availability leg in new and unprecedented ways. This shouldn't be at the expense or abandonment of confidentiality and integrity. Think carefully about the unique risks you take on and ensure that your business leadership stays informed.
Once this crisis passes, take a hard look at the lessons learned from the almost immediate transformation that was required to better position your firm and IT team to respond to similar urgencies in the future. This could include:
- Updating Business Continuity plans
- Review disaster recovery plans
- Review of legacy architecture and tools for potential upgrades once budgets release
- Extended Employee training around cyber security and keeping data safe
- Upgrading your cyber security measures
- Evaluate potential areas where automating business processes could make good business and financial sense
Our team is here, fully operational, and ready to support you. Please reach out to us for support in any of the areas discussed in this post. All the best to you and your teams.