Ryan Weeks, CISO at Datto, provides guidance and best practices for CIOs to help ensure a seamless and secure migration of in-office workers to remote workers.
In the wake of the Coronavirus pandemic, those organisations that can are letting most of their staff work from home.
For CIOs, this shift in working practices brings a wide array of new challenges, not least when it comes to cyber security. Now is not the time for a false sense of safety, now is the time to revisit what we think we know.
Companies will have to prepare in various ways to avoid cyber security risks or interruptions to their business. When supporting a remote workforce, security controls shift: firewalls, DNS security and intrusion detection or prevention systems could suddenly be ineffective.
The good news is that most environments that support virtual private networks (VPNs) should be able to protect remote users as long as they account for the extra bandwidth used and a higher number of remote desktop sessions.
Below are a few steps that organisations should consider now.
It may seem obvious but, first of all, review what devices your employees are using. When moving to a work-from-home scenario, you need to consider the secure state of every single computing asset that will be used by remote staff.
In some cases, employers may already have issued work laptops that are correctly configured and managed. In other cases, they may not have the necessary infrastructure and are now relying on employees using their own, personal devices to connect to the company network.
IT teams should therefore go back to their infrastructure and use the data generated within it to answer the following questions: Can we be certain only company issued devices or sanctioned devices are connecting to our VPNs? Are we sure employees are not using out-of-compliance systems to remotely access software services in the cloud, or storing information on unmanaged devices? Are all employees using adequately secured private WiFi networks?
A full audit is advisable as security teams need to think carefully about the endpoint security posture of all devices that may be connecting. This also includes reviewing software patching practices, understanding how to manage updates to anti-malware protection, and identifying any additional security controls that can be added to these devices.
Following the device audit, organisations should then look carefully at the data logs from all key systems used by employees to understand their current security operating posture. This will help them make data driven decisions on how to improve their posture while at the same time balancing user impact and usability of those services.
Understand emerging threats
It is a good idea to pull in threat intelligence to identify any possible security risks, such as employees accessing insecure websites or opening malicious emails.
New threats are emerging all the time in relation to the pandemic. One example is a COVID-19 interactive map that showed the global spread of the virus over time – as it turned out, this map was laced with malware.
There are numerous similar malicious COVID-19 sites being launched daily, and these may seek persistent access to a personal computer or to a business workstation within the same network.
To respond to such emerging threats and keep employees informed and protected, companies should leverage their existing security processes and continuously monitor for new risks and malware indicators. They then need to push out appropriate defences that are native to the users’ workstations or VPNs.
IT teams may, however, need to revisit exactly how they apply those protective measures to remote workstations, as they are now likely also accounting for devices that are not subject to their standard network security controls – such as employee’s own laptops and tablets.
A good process in the face of a new threat is to orient yourself, identify the gaps in your infrastructure, prioritise and then close them.
Make employees security aware
As part of all this, businesses must not neglect employee training – if anything, what users need now is a heightened awareness of cyber security. All companies should carefully communicate to their employees the particular risks they, or their families, may face as they’re quarantining and continuing to go online for the latest updates on COVID-19.
For example, there have been phishing emails pretending to originate from the World Health Organisation, as well as new mobile phone apps intended to deliver ransomware to a large number of users. The ransoms are low because the attackers are aiming for mass infection, but the risk of data loss and system downtime across the organisation is high.
Employers should consider their remote workforce’s exposure to these types of threats. After all, users remain the first line of defence when it comes to fending off attackers, so it’s vital that organisations continue to train staff on a regular basis to ensure they can identify potential phishing scams or suspicious links in their inbox before it’s too late.
Beyond that, reinforce the message that users must follow good password hygiene at all times, and be clear about where and how employees can report suspicious activity.
Support communication and collaboration
With the shift to remote working, working practices will have changed too. While accessing the company network from their own homes, it’s crucially important that employees also have the right tools to collaborate in teams, communicate with colleagues and suppliers and be productive.
Rather than allowing users to connect on platforms of their own choice, businesses should think about what tools they can put in place to facilitate secure collaboration.
These tools will likely be adopted very quickly and used by a large number of employees, so it’s essential to consider how they will scale, and have a contingency plan in case they fail. Otherwise, users will find solutions themselves that may or may not be secure to create their own lanes of productivity.
To avoid this, businesses must ensure that all employees understand the tools and resources available to them – or that are coming soon – and encourage them not to fall back onto untrusted IT systems and applications.
Finally, taking an entire workforce out of the company building and moving them to a work-from-home scenario will inevitably have a huge cultural impact.
Organisations should always keep their employees well informed on why changes are being made and what the downsides, risks and benefits are. Effective programmes to manage these changes have a direct line of sight, providing feedback to the implementation team in real time and then fixing any issues in minutes rather than hours or days.