COVID-19 Cyber Risk: Things to consider in a remote environment
As businesses continue to navigate these uncertain times and adapt to this unique work environment, a remote workforce is being deployed to ensure the continuation of core business activities. In the “new normal”, organizations need to ensure they have tools in place to remain productive without increasing cyber security risk. With today’s technology, it’s extremely easy to apply all the tools and applications utilized at the physical workplace to employees’ homes and even to their smartphones. And while these tools, services, and options allow for flexibility in the work environment, they don’t come without their own risks and challenges. This is especially true right now, as the threat environment associated with a centralized organization has shifted to a distributed organization overnight.
When looking at the organization’s remote capability, employers need to consider a secure means of connection into the corporate environment. While for most this means a VPN type of connection, security around those connections must be considered.
Things to consider:
- Use of personal devices: The use of personal devices, such as a home computer, exposes the company to a multitude of risks. For example, personal devices are not under the control or direction of the company’s security policies, and there is no telling what software or malware is present on the device, or whether it is running a supported or an unsupported operating system. It is key to remember that just about any device that connects remotely into the company’s network is now an extension of the overall operating environment. Whenever possible, a company-issued device should be used. While a personal device might be the only option during times like these, companies should look to tools such as GoToMyPC, LogMeIn or others where the end user sees only a visual image of the corporate device and actual data is not transmitted to the personal device.
- Multi-factor authentication: No matter what type of remote access tools are being deployed, enhanced security measures are key. Distributed workforces pose several elevated risks and attack vectors, which are actively being exploited by bad actors. At a minimum, any remote connection into an organization should require some version of multi-factor authentication. The most common type is the out-of-band code, which is commonly accessed via a token or SMS message.
- Systems health & usage monitoring / management: The management and monitoring of the company’s systems poses its own set of unique challenges, from maintaining and supporting systems to the simple fixes of a keyboard or mouse malfunction. While most systems and infrastructure can be accessed remotely, managing them is critically important. For example, while demand might be high for VPN access to be available 24/7, normal patching and updates for security vulnerabilities should still be occurring (on both the appliances and the devices). As many businesses are now relying on VPN connections, the increased number of connections can greatly increase the risk exposure. Additionally, the management of equipment and system limitations can have an impact on operations. Employers may have a limited number of VPN connection licenses, or their networking devices may only support a limited number of connections. If there are not enough licenses or infrastructure to support a remote environment, businesses can see decreased availability and critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks. Take inventory of your licenses and reach out to vendors to purchase enough licenses to meet your anticipated needs.
- Collaboration tools: The technical and security components are not the only factors that come into play with a remote workforce. As many are adjusting to remote work, the loss of basic interactions, such as a business meeting or stopping by someone’s desk with a question, makes the situation even more difficult. Utilizing collaboration tools, such as Microsoft Teams, Zoom, or Webex, allows for the in-person experience whose absence would otherwise make remote collaboration a challenge. While conference calls can achieve a lot, the ability to use those collaboration tools to perform video conferences or share a desktop allows employees to interact as if they were together. Many of the tools are offering free 3 to 6-month trials to help employers navigate this uncharted territory.
- Social engineering training: With more tools and a decentralized work environment come elevated threats. Over the past month, researchers and other security bodies have been reporting and highlighting the increase in social engineering attacks occurring across the board. These attacks are targeting employees more than ever, taking advantage of the current situation and of employees as they navigate these uncertain times. Education is the key to combating social engineering attacks, and employers need to ensure that they are deploying tools to detect such threats and that employees are properly trained to detect such events. Warn your employees to expect an increase in social engineering attacks, including targeted attacks to obtain login credentials. The bad actors are smart: they know most employees are in a remote work environment, and this allows for easy access into an organization. See our blog – Phishing: Is your Business Prepared? for additional details and tips to protect and detect against such an attack.
- Human interaction and communication: As you continue to navigate the increased adoption of a remote work environment, building transparency with your employees will help build the trust needed to be successful. Establishing a clear communications channel to help employees recognize official messages is key. Building that trust and providing clear, basic, timely, and pertinent information will help you and your employees stay ahead of threats and help them understand why certain controls are in place.
For additional information contact us at firstname.lastname@example.org. Article compiled by Jeff Johns.