How to secure your remote workforce
New security challenges
Since the outbreak of Covid-19, many organisations have had to make a swift transition to remote working to ensure business continuity. What would typically take months of planning and preparation was implemented in a matter of days. The chaos that this created, combined with the already uncertain nature of life during a pandemic, created the ideal environment for cybercriminals.
On the whole, bad actors are not employing novel techniques. Rather, they’re leveraging people’s confusion and inattention to run familiar attacks such as phishing. According to Barracuda Networks, there has been a 667% increase in malicious phishing emails since the coronavirus outbreak. Moreover, Google has shared that it is blocking an average of 18 million coronavirus scam emails every day. With the workforce now being more susceptible to attack, the risks are ever higher for organisations. As the saying goes, you’re only as strong as your weakest link.
To make things worse, remote working is new territory for many businesses, calling for a completely different security strategy and significant adjustment. While IT teams are distracted with implementation, they may not have the resources to thoroughly monitor suspicious activity or apply security patches to newly administered technologies. This could leave an organisation’s internal infrastructure and network vulnerable to an employee’s compromised device. You’re also reliant on the security of something you have no control over, namely the employee’s home network. This will likely be riddled with IoT devices, tablets, laptops, phones and poorly secured home routers.
Bulletproof recently ran a webinar all about securing remote working environments, which is free to view here:
In order to help you navigate through this challenging landscape, here are answers to the most common questions we get asked.
Best practice advice on secure remote access
Our users only need to access cloud services – is there anything else we should consider to protect us?
Cloud services enable employees to work from all over the world and from any setting, but the downside of this is that attackers see this as an opportunity to target cloud services themselves.
In order to protect yourself further, it’s worth setting up a VPN. This reduces the risk of an attacker brute-forcing access to your systems. Another option is to activate conditional login settings. In this current climate, it’s likely that your workforce will be static, allowing you to restrict access to users within a specific geolocation.
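The geolocation restriction described above can be expressed as a simple rule over sign-in events. The following is an added example, not Bulletproof's code or any vendor's conditional-access product: the sign-in log format, the allowed-country list and the IP-to-country lookup table are all constructed for the illustration (a real deployment would use a GeoIP database and the identity provider's own policy engine).

```python
"""
Evaluate sign-in events against a "static workforce" geolocation rule and
flag the ones that fall outside the permitted countries.

Added example, not the article's own code. The log lines, the GeoIP table
and the internal network list are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed lookup: in practice this comes from a GeoIP database.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "IE",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
}

# Addresses that arrive via the corporate VPN or office LAN (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Countries the workforce is expected to sign in from while static.
ALLOWED_COUNTRIES = {"GB", "IE"}

# Constructed sample sign-in log: timestamp user source_ip outcome
SAMPLE_LOG = """\
2020-04-02T08:12:03Z alice@example.com 203.0.113.45 success
2020-04-02T08:15:41Z bob@example.com 198.51.100.7 success
2020-04-02T03:51:20Z alice@example.com 192.0.2.99 success
2020-04-02T09:02:10Z carol@example.com 10.0.0.5 success
"""


@dataclass
class SignIn:
    timestamp: str
    user: str
    source_ip: str
    outcome: str


def country_for(ip: str):
    """Map a source address to a country code, 'INTERNAL' for VPN/office
    addresses, or None when the address is not in the lookup table."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "INTERNAL"
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return None


def parse_log(text: str):
    """Parse the whitespace-separated sample format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append(SignIn(ts, user, ip, outcome))
    return events


def evaluate(event: SignIn, allowed=ALLOWED_COUNTRIES):
    """Return ('allow' | 'block', reason), mimicking a conditional-access rule.
    Unknown locations are treated as not allowed (fail closed)."""
    cc = country_for(event.source_ip)
    if cc == "INTERNAL":
        return "allow", "internal address"
    if cc in allowed:
        return "allow", f"country {cc} permitted"
    return "block", f"country {cc or 'unknown'} not in allowed list"


def flagged_sign_ins(text: str, allowed=ALLOWED_COUNTRIES):
    """Return (user, source_ip, reason) for every sign-in the rule would block."""
    flagged = []
    for event in parse_log(text):
        decision, reason = evaluate(event, allowed)
        if decision == "block":
            flagged.append((event.user, event.source_ip, reason))
    return flagged


if __name__ == "__main__":
    for user, ip, reason in flagged_sign_ins(SAMPLE_LOG):
        print(f"BLOCK {user} from {ip}: {reason}")
```

Run against the sample log, only the night-time sign-in for alice from the 192.0.2.0/24 range is flagged; the VPN address is allowed through because the geolocation rule only applies to external sources. Note the fail-closed choice for addresses the lookup cannot place: a rule that silently allows unknown locations defeats the purpose of the restriction.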
Another risk to bear in mind with cloud services is the shared responsibility model. The flexibility afforded by these services leads to high complexity, which in turn causes security risks from misconfigurations as it’s not always clear who is responsible for what. This shared responsibility can lead to a serious breach if you don’t implement good cloud security practices and consider what each configuration could expose.
What should we use to protect the employee’s local devices?
Your main focus should be sticking to basic best practices. As simple as it sounds, it’s actually a really effective cyber security control. This includes things like ensuring that systems are patched and using up-to-date antivirus, plus a process to manage the patching and updating.
It also means using additional layers of security (defence in depth), such as firewalls, as employees may have to share their internet connection with others (e.g. flatmates). While your employee’s device might be more or less ‘secure’, their flatmates’ devices may not be held to the same standard. As a result, if a flatmate’s device were to be compromised, the malware could potentially jump to the employee’s device through the shared network.
We cannot issue laptops and are considering BYOD. Are there any tips on how we can do that securely?
Again, the key is to follow best practices and assess devices before allowing them onto the network. It is also useful to define a minimum standard for your BYOD devices (e.g. verifying they are patched and run antivirus software). Ideally, if a user is unable to meet this standard, you should impose a number of restrictions, for example limiting which documents or webpages they can access.
Regardless, IT teams should be diligent about monitoring these devices, knowing what is being accessed and when. This will allow you to identify any abnormal activity and shut down access to systems for review, before it’s too late.
Is there anything we can do to make administrator access more secure?
Remote administration software can open up the business to significant risk, as a hacker could gain the same high privileges as an admin user. To guard against this, we recommend using a VPN, plus turning on two-factor authentication (2FA) everywhere that supports it.
Other best practices:
- Administrators should also be sure to use dedicated, named admin accounts rather than default or shared ones. This way, if a cybercriminal manages to breach the 2FA, you can pinpoint specifically which account has been compromised and address the problem.
- Ensure that your IT teams are regularly testing systems and supporting technologies (e.g. Zoom, VPN technologies, Microsoft Teams etc.) for vulnerabilities.
- If possible, add IP restrictions through the VPN.
- Segment the network, so that no one has unvetted access to all your data once through the VPN.
Migration to cloud-based platforms: Office 365 and G-Suite
What are the potential risks of cloud-based platforms?
The impact of an O365 (or other cloud service) compromise can vary in severity depending on the bad actor’s objectives and intentions. Once a hacker has obtained the credentials to a cloud account, they almost always gain unfettered access to the company’s whole network. This provides cybercriminals with other avenues of attack. For example, they might impersonate an employee for monetary gain (like emailing a CFO for payment on an invoice), or they might just grab all your data to sell on the dark web. Their tactics for doing this can often be very sneaky, such as setting up email forwarding rules, which covertly forward an employee’s emails to their own address.
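The covert forwarding rules mentioned above are something a defender can audit for directly. The following is an added example, not Bulletproof's or Microsoft's code: the inbox-rule records are constructed to mimic an export of mailbox rules, the organisation's domains are assumed, and a real audit would pull the rules from the tenant's admin interface rather than from an inline list.

```python
"""
Audit mailbox inbox rules for auto-forwarding to external addresses, and
rank rules that also hide the forward from the mailbox owner (delete or
mark-as-read) as higher severity.

Added example, not the article's own code. ORG_DOMAINS and SAMPLE_RULES
are constructed for the illustration.
"""
from dataclasses import dataclass, field

# Domains the organisation owns; anything else is "external" (constructed).
ORG_DOMAINS = {"example.com", "mail.example.com"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False


# Constructed sample export of inbox rules across several mailboxes.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Archive invoices", True,
              forward_to=["finance@example.com"]),
    InboxRule("bob@example.com", ".", True,
              forward_to=["b0b.backup@personal-mail.invalid"],
              delete_message=True, mark_as_read=True),
    InboxRule("carol@example.com", "Old forward", False,
              redirect_to=["carol@partner.invalid"]),
    InboxRule("dave@example.com", "Flag boss", True),
]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule: InboxRule):
    """Addresses the rule forwards or redirects to outside ORG_DOMAINS."""
    return [a for a in rule.forward_to + rule.redirect_to
            if domain_of(a) not in ORG_DOMAINS]


def assess_rule(rule: InboxRule):
    """Return (severity, reasons) where severity is 'none', 'review' or 'high'.

    Internal-only forwards are ignored. External forwards are at least
    'review'; they become 'high' when the rule also hides its activity
    (deletes or marks the original as read) or has a throwaway name.
    """
    targets = external_targets(rule)
    if not targets:
        return "none", []
    reasons = [f"forwards to external address {a}" for a in targets]
    covert = False
    if rule.delete_message:
        reasons.append("deletes the original message (hides the forward from the owner)")
        covert = True
    if rule.mark_as_read:
        reasons.append("marks the original as read")
        covert = True
    if len(rule.name.strip()) <= 1:
        reasons.append(f"suspicious rule name {rule.name!r}")
        covert = True
    if not rule.enabled:
        # Disabled rules still deserve a look: they can be re-enabled later.
        return "review", reasons + ["rule is currently disabled"]
    return ("high" if covert else "review"), reasons


def audit(rules):
    """Return one finding per rule that forwards outside the organisation."""
    findings = []
    for rule in rules:
        severity, reasons = assess_rule(rule)
        if severity != "none":
            findings.append({"mailbox": rule.mailbox, "rule": rule.name,
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['mailbox']} rule {f['rule']!r}: "
              + "; ".join(f["reasons"]))
```

On the sample data the internal finance forward is ignored, bob's single-character rule that forwards externally and deletes the original is rated high, and carol's disabled redirect to a partner domain is listed for review. Scheduling this kind of check to run regularly, and alerting on any new external forward, catches the tactic the paragraph describes even when the attacker has valid credentials.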
What do we need to consider if we are in a hybrid deployment?
Typically, a hybrid platform’s native security controls do not allow for an organisation to have both cloud and on-premises data in a central place. This results in duplicate processes and requires you to harden, configure, test, monitor and manage two environments for potential attacks.
One of the biggest challenges of working in a hybrid deployment is synchronising accounts and how to do that in a secure way. The NCSC guidelines say that you should synchronise your on-premises Active Directory services and credentials with a cloud service which serves as the primary authentication source. This will lower your risks compared to running your own Active Directory system.
What are the benefits of using Office 365 Enterprise over the standard licenses?
The good thing about standard licenses is that they offer all the basic tools you need. However, with the Office 365 Enterprise model, you also get access to a suite of threat protection tools and phishing tests. This also allows you to run simulated brute-force attacks against your own accounts to test for weak points, and alerts users about any suspicious activity. Of course, the effectiveness of any security review is limited to what you choose to do, or not to do, with the findings.
Should I pen test Office 365/generally on cloud services?
Often, the providers of these cloud services have high levels of compliance and are aligned with security best practices, including completing penetration testing on their systems. If you wanted to validate this with your own pen test, third-party providers may not permit you to do so.
In line with the shared responsibility model, you can however audit your configuration to ensure that it has been done correctly and that you are using all the features available to you to secure both your employees and customers. In other words, where you cannot conduct a pen test, carry out a health check.
Get your Office 365 Security Health Check
Bulletproof offers an Office 365 Security Health Check, which covers 91 best practice guidelines, checking areas such as authentication and accounts, data management, email security, auditing, storage as well as mobile device management.
Remote penetration testing and patch management
What are the limitations of testing when you don’t have workers in the office?
As we’ve all been finding out, physical location of employees matters less and less. So if your remote workforce is connected to internal systems through a VPN, it’s still important to conduct an internal penetration test, even if employees are not physically in the office. If you have put restrictions on cloud services, it is also a good opportunity to test their effectiveness. Similarly, make sure your VPNs themselves are not vulnerable to attack.
We are worried about how to effectively test patches, prior to applying them. Is there a general best practice to limit outage?
Ideally, IT teams would have a few local devices, configured the same as the employee devices, on which to test the patches prior to roll-out. Failing that, you can spread the patching out to one or two people per team. In this way, if the patch doesn’t work as expected, the whole team will not face disruptions. If all else fails, test core apps and patches on a virtual machine prior to deployment.
Maintaining compliance standards
Does anything change regarding GDPR?
GDPR is GDPR. Employees are required to continue adhering to the policies and procedures your organisation has (hopefully) put in place, no matter where they’re working from. In fact, it might be worth having your employees undergo a refresher security training session, as it is easy to become complacent about data protection duties and responsibilities when working from home. The ICO has recognised that companies may be delayed in responding to data subject requests, but other than that, it’s GDPR business as usual.
How would you deal with documents being printed whilst remote working?
Printing documents, especially documents containing sensitive information, should be kept to a minimum. It is also important to consider how the data destruction policy might affect what you do with documents whilst remote working. All documents should be shredded and securely destroyed in line with your policy. If employees are unable to do this at home, it would be better for them to keep the documents locked in a cupboard and bring them to the office upon return, for destruction.
How do I maintain ISO 27001 whilst remote working?
It may be necessary to implement temporary changes to your processes in order to accommodate the change to remote working. The first thing you’ll need to do is a thorough assessment of the possible risks that the business might face. Then, measures should be put in place to mitigate those risks. If not, there needs to be sign-off from management to confirm that they are prepared to accept the risks.
How do I assess the risks of remote working?
You need to take a look at all the areas that might be different from an employee working in the normal office environment, including the systems they now work with and the information they access. It is vital that employees are then given the necessary training, and your existing policies and procedures are adapted to address this. Furthermore, you’ll also need to take into account:
- Whether you have provided enough technical support to your employees.
- How data is being stored – is it on their personal devices, or a company-owned device? What about paper-based data?
- If data is kept on a private device, what controls do you have in place?
- How teams are sharing data – is it over a secure network?
Summary
When transitioning to an unfamiliar environment of mass remote working, the first step for any organisation is to evaluate your current security posture. It is important to understand where the risks lie, what policies and procedures might need adjusting, and what technologies exist that could be of use.
Additionally, organisations should question whether their employees are prepared to identify threats, and know how to manage or prevent them. The next steps require you to actively address any vulnerable areas:
- Securing your cloud platform with the use of VPNs, conditional login settings and network segmentation.
- Auditing your workforce, including monitoring how they use their systems and what they do. This will identify suspicious activity both on the server and in the cloud.
- Defining a minimum standard of security for the devices your employees use and ensuring best practices are adhered to. For example, that all laptops run up-to-date antivirus software.
- Continuing to test systems as usual for vulnerabilities and applying any necessary patches.
- Frequent refresher training sessions, covering both security essentials and data protection responsibilities.