Two Things for Securing a Remote Workforce You Don’t Want to Overlook
The world of IT and information security has been sent sideways recently with the COVID-19 situation. It seems that there’s hardly any IT shop that hasn’t gotten caught off-guard in terms of rolling out remote workforce technologies and ensuring that business systems are made available to those who need them. With all the distraction, if information security and overall business resilience are to be maintained, there are some common oversights taking place that you want to make sure you address both now and over the long haul.
The first and most obvious one is ensuring that the computers that your remote workforce is using are reasonably secure. It’s one thing to have antivirus software and web content filtering enabled but quite another for these endpoints to meet – or at least come close to meeting – your corporate security standards. Many employees are using personal devices to get work done. That’s not necessarily a bad thing. However, with most of the focus being on basic connectivity involving VPNs and virtual desktop infrastructures, I can assure you that personal devices, including old systems that are being pulled out of closets, are going to increase your attack surface in some way. Likely areas of exposure will include:
- outdated operating systems and third-party software that’s running with no proactive patching taking place
- systems that likely fall out of the scope of system monitoring, logging, and alerting
- no data backups for files that are being saved locally on these remote systems
- computer accounts that are being shared among family members and who knows who else
- screens remaining unlocked and users not being properly logged off
- corporate passwords being cached locally and shared among websites and other software
- employees buying used computers and phones that may not be properly set up or configured and, thus, loaded with malware and other questionable software that can create business risks
You must step back and determine whether remote user behaviors and systems are being kept in check or if basic connectivity is still the goal at this point. I’m seeing and hearing about a lot of the latter – people just having to make do with what they’ve got to keep the business running. That’s understandable and obviously the first phase in all of this. Still, there’s the challenge of being able to audit and prove that all the right things are being done on your remote systems. I certainly don’t envy that situation. It is unsustainable in terms of security risks. Only you will know what’s right for your business. Connectivity is critical but secure connectivity should be your goal. The important thing is that you’re taking appropriate steps to achieve and maintain a reasonable state of security so that remote systems largely out of your control don’t facilitate your next incident or breach.
The next area you can’t afford to miss focuses more on the people side of things. Just because things are in a bit of disarray, that doesn’t mean that you can or should let up on your ongoing security awareness and training initiatives. Now, more than ever, your users must be a part of your security team. So, you must ensure the proper messages are getting out to everyone. It’s one thing for users to make bad choices and slip up in a more controlled office network or cloud environment but quite another to do so on remote systems that are probably more vulnerable. If you’re like many organizations, you’ve halted existing phishing campaigns and training initiatives in order to focus on the basics of remote connectivity. I think this is exactly the time you need to be pushing out reminders of what to do – and not do – as well as messages of positivity to keep people aimed in the right direction for the greater good of the business. Companies such as Lucy Security and SANS have free content you can use in this regard right now, so take advantage of that!
A common disconnect that I see in businesses of all sizes is that of IT and security staff not being on the same page with management in terms of employee messaging. Working with HR is a great way to get employees on board with best practices around policies and acceptable usage. The same goes for legal and what to look out for. Any time you can get someone outside of IT or security to push security objectives, it’s a great thing. Just as we tend to ignore the advice of family members or friends but will listen to outsiders, employees tend to pay more attention to security messaging when it comes from other departments. Do what you can to bolster your relationship with HR, legal, and other areas of management, and do it quickly. You’ll achieve not only short-term benefits but long-term payoffs for your security program as well.
If you’re so inclined, additional quick wins for building security resilience include fleshing out existing security policies, including policies around acceptable usage, remote access, passwords and the like. Now is also a good time to revise your incident response plan using information you’ve learned from the COVID-19 situation. One last thing worth mentioning: by all means, don’t stop performing your vulnerability and penetration testing. If anything, you should be doing more of it now. This is especially true for your remote systems and your network perimeter, particularly as it relates to Windows Remote Desktop Protocol, FTP and telnet, and database access that may have been put in place to maintain connectivity without your knowledge.
In information security, oversight and accountability are everything. Just because the world is distracted now doesn’t mean that you should let your guard down. Learn the lessons that are before you and let this be a time to get even better at what you’re doing with security.