Now that staying productive is forcing the working world to adopt a new approach with the emergence of coronavirus COVID-19, organisations of all size are adjusting to “Business As Unusual”. Traditional office workers are suddenly facing the prospect of working from home, and their employers are in a predicament to facilitate it. The challenges in securely managing systems and data have suddenly increased ten-fold, leaving managers and employees alike scrambling to adapt.
For me, it comes down to assessing four key areas. These include external cybersecurity, internal cybersecurity, capacity, and governance.
External Cybersecurity: Now that your workforce essentially becomes a remote workforce, you must be sure your perimeter defences are resilient and adequately secured. Undertaking Vulnerability Assessments and Penetration Tests against your perimeter defences is crucial in securing the sudden surge of data traversing a typically insecure network, accessed from “insecure” home and remote locations. Cybercriminals know this, and your infrastructure suddenly becomes an attractive target for DDOS attacks and other disruptions. With an increase in remote connections, secure connectivity is a must-have. Be on the lookout for an increase in scams and phishing emails seeking to exploit your remote workforce!
Oh yes. Even if you are cloud-based, take external cybersecurity very seriously because now, more than ever, it just has to work. And be secure!
Bonus Points: If your remote access doesn’t currently use Multi-Factor Authentication, this is a must going forward.
Internal Cybersecurity: This can be rather complex, but start with what is accessible remotely. If only used for system administrators, you must be able to control what is available when connected from afar. Network segmentation, access control roles, privileged access management, and all kinds of security must be applied to ensure people have access to what they need, but not access to what they don’t. Also, with the office unoccupied by all but the essential staff, ensure your facilities are secure along with the systems they house.
Now that you have secured your network inside and out, what is next?
Capacity: If you usually don’t have a lot of people working from home, you need to be sure your systems can handle the load. Are your links big enough? Is the infrastructure capable of handling the increase in connections and traffic and do you have enough remote access licenses to allow everyone simultaneous connectivity? Do the internal links and systems have the ability to handle a sudden surge in remote access? It’s time to make sure you have enough horsepower to manage the rush, and you must also consider this could be for an extended time and not just short-term pain.
Finally, with all of the technology in order, you need to make sure it’s managed correctly.
Governance: Do you have policies and procedures in place that covers remote access and work? Is there a minimum set of standards for what users can and can’t do and from where? What is the policy on accessing sensitive customer or corporate intellectual property from a “non-work” location? With significant penalties at stake for mishandling private data or potential losses arising from industrial espionage, the safe and secure access and use of data is paramount.
Businesses suddenly find themselves in the unenviable position of dealing with a largely-remote workforce and having more threat vectors to secure. The attack surface has increased dramatically, but there is a way forward.
For external security concerns, consider vulnerability assessments and penetration tests to ensure the outside of your enterprise is adequately secured — and this includes cloud-based and hybrid on/off-premise installations. If you don’t have Multi-factor authentication, now is the time to demonstrate its value and implement it.
For internal security concerns, a vulnerability assessment can go a long way to helping you secure your environmental, physical, and technical controls.
On the same token as the internal concerns, address capacity by reviewing the specs on all interconnected systems. Speak with your ISP and service providers about your ability to scale up and have sufficient bandwidth. If you need to upgrade your hardware, speak with your vendors to explore solutions that can handle the workload or your ability to improve existing systems. Review your licenses to make sure your systems can facilitate your remote staff.
Finally, review your policies and procedures to ensure that workers can access what they need without being unduly hindered, but also aware of their obligations in managing the confidentiality of intellectual property and private data from customers.
Thankfully, there is a lot of option in place to step up your security. Cloud Access Security Brokers (CASB) can help safeguard those cloud apps and connections. Data Loss Prevention (DLP) can protect your data from leakage, accidental or deliberate, and monitor where it goes and who is using it. Using modern mobile devices like laptops and tablets protected by Endpoint Detection and Response (EDR) systems is crucial in safeguarding users and systems while they connect to your business.
It’s a situation that few of us thought we’d find ourselves in, but here we are. Even if your workforce is mostly remote, revisit your remote work capabilities. This review ensures it will hold up to being moved from optional to mandatory as more people shift to working in dynamic environments. These ad-hoc workplaces range from proper home offices to kitchen tables and living rooms full of insecure technology like consumer-grade Wi-Fi and IoT. There are also factors of the analogue kind like pets, curious children, friends, and relatives providing distractions.
As this situation will pass, we’ll wonder why there was so much fuss. Still, you can rest assured the effort to secure your workforce and systems will be worth the effort and demonstrate the ability of your business to adapt and even thrive. Perhaps you may also move more towards a remote work model to save money and give people a few more intangible benefits.
We’re all in this together. Reach out to me any time if you need further guidance.
Stay safe out there!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through Shutterstock.