David Taylor
Mike Ortlieb
Trevor LeachThis two-part blog is one of a series of posts we’ve published to help organizations adjust to the new realities of work under COVID-19-related guidelines. You may also be interested in reading Leading Remote Teams in Times of Uncertainty, Coronavirus Forces a New Approach to Crisis Management, Securing Your Organization’s Assets in Times of Crisis and Working Remotely? Microsoft Teams Can Help.
With the COVID-19 pandemic engulfing the world, it’s no surprise that the business landscape has changed, forcing organizations around the globe to adapt on several fronts in order to maintain operations during this time of crisis. One of these fronts is the task of enabling employees to exclusively work remotely, and this can be a challenging task for certain organizations, especially if they did not have a capability setup for remote work and administration prior to this event. Regardless of preparedness, companies moving to a remote workforce face increased risk through an enlarged attack surface and a potential reduction in the effectiveness of existing controls, which malicious actors are likely to take advantage of. The changes encompassing the move to remote employment should be looked at from a risk management perspective. As a result of the changed business landscape, operational and security risk should be reassessed and the following points should be kept in mind when considering the ongoing operations and security of your organization. Such changes include, but are not limited to:
- Increased reliance on virtualized private network (VPN) connectivity
- Remote access security
- Usage of cloud technologies
- Sensitive data management
- Remote systems administration
- Dependence on third party teleconference software
- Changes to security monitoring
- User awareness training updates
Almost all traffic into the corporate network will be through a VPN, and this creates a single point of failure for an organization. If the VPN is unavailable, whether from deliberate attack or simply via overuse, employees will not be able to access the corporate network, resulting in business interruptions for the entire organization. It is extremely important that redundancy is set up for critical infrastructure, as it provides a target for any attacker looking to execute a Denial of Service attack against an organization. VPNs are an important piece of equipment, and while most companies will recognize the importance of securing them, they may overlook attacks aimed at simply flooding the server with traffic. While VPNs have always been a point of concern in a network, the move to a remote workforce has only caused this component of infrastructure to become more important.
Configuring Your VPN for Optimal Security and Reduced Risk
Companies looking to move to remote work who do not have a VPN setup should certainly take the time to do so, as the alternative would be to expose internal services to the internet. In exposing internal machines, may be exposing more than you intend to in the form of open ports or other services, which may not be properly secured. When setting up a VPN, it is also important to make sure this exposed server is both configured properly and up to date on security patches. Concerning proper configuration, the provider of the VPN your company deploys should be contacted for current and correct information. However, a good rule of thumb is to only expose the ports and the VPN features that are required for use, and to block everything else. Where possible, whitelisting IPs or IP ranges will also go a long way in preventing malicious attackers from connecting to the server(s). For user configuration, multifactor authentication is essential for remote access. A single password can be guessed or brute forced by an attacker, and additional measures must be put in place to prevent the compromise of critical accounts.
Engaging with a New Cloud Provider
Further, there will be an increased reliance on cloud applications and connectivity. Organizations may find themselves pressed to rapidly engage with new cloud providers in order to accommodate user demand. If possible, consider the potential impacts to data security and privacy when engaging with new cloud providers to ensure that the organization can be knowledgeable about what information is being shared with third parties, how it is being stored and if there are any regulatory implications (e.g. GDPR, CCPA).
Use Company-Issued Laptops to Protect Data
Another consideration is where data is being sent. With a remote workforce, the employees working from home will be connecting to the corporate network to access files and resources. The data from these will have to be transmitted to the employee machine and stored in some form to be used. Depending on the nature of the work, this data may be sensitive, and this creates a headache for security and privacy professionals who are trying to protect the data. With a remote workforce, the attack surface is expanded and the door for data theft is widened. Now, instead of a malicious actor being required to hack into the company network to obtain data, instead they may be able to target the home networks of employees, stealing this data while it is traversing the home network or stored on employee machines. It is therefore very important that the distribution of any sensitive data is kept as minimal as possible. The best course of action to solve this problem is to provide employees with company-issued laptops. These machines should always be kept up to date with the latest security patches, and preferably they should be encrypted to protect the data that is sitting on disk. It should be a policy that any and all corporate data is kept solely on the company distributed device and not moved to a personal machine. A VPN, as mentioned in earlier, goes hand in hand with this kind of data protection as it makes sure that all communications between the employee and corporate assets are encrypted, preventing an attacker from plucking information off of the wire. Where the distribution of company devices is not possible, a similar strategy should be used. An employee should designate one device as to be used for work, and the employee should be urged to practice caution if/when they are operating that computer for personal use. They should be wary of websites they visit, emails they read, and files they download, just as if they were in office. If possible, an encryption scheme should be used for any files containing sensitive data, such that they must unlock a file or folder to access the information. This encryption would protect the data if it was stolen without the encryption key.
Protiviti offers a wide range of security and privacy solutions, tailored to meet the unique needs of each organization. With our ability to function at both the strategic and tactical levels, we combine deep technical security competence with executive-level communication and management. Our holistic approach starts by understanding what is most important to organizations, then structuring and supporting programs so your business is engineered to grow securely. To learn more, contact us.
In Part II, we continue this detailed look at what corporate IT security teams should be doing to prevent cyberattacks when a majority of the workforce is temporarily working remotely.
Want to learn more about maximizing your organization’s capabilities during the COVID-19 pandemic? Check out our Enterprise Resilience Webinar Series. Also, check out these Work from Home Cybersecurity Practices.
Varun Ravi
Jody Casey
Brandon Wardlaw
Sameer Ansari
