Top Cybersecurity Measures to Take in 2021 as Your Teams Work Remotely
By Justin Beals, CEO and cofounder of Strike Graph
Many organizations had to quickly adapt to a work from home model as a result of the COVID-19 pandemic. Even though some employers are beginning to lay plans for a return to the office, it is undeniable that working remotely is here to stay. Also here to stay are the bad actors and scammers, who will continue to take advantage of the new infiltration points presented by home networks.
If you have not already done so, it’s time to consider the new security (and even operational) risks that have emerged in response to this new remote work reality. A risk-based approach to adopting security measures for the remote workforce will ensure that you are headed down the most efficient path to compliance. If you apply solutions haphazardly, you may end up with a fancy and expensive tool that you didn’t need, or with a solution that was painful to deploy or that hinders employee efficiency. With newly identified risks come newly identified measures to address them.
Start By Assessing New Risks
First consider your industry, or the industry you serve. Are you dealing with healthcare records, corporate secrets, or regulated data? If there were a breach or security incident, how bad would it be for your organization? A less risky data environment may mean that fewer or less costly controls, solutions, and practices are appropriate for your environment.
Next, brainstorm risk scenarios that may apply to your remote workforce. Consider the various ways that data flows in and out of your network from your remote worker endpoints and how the data could be compromised. Then consider how a bad actor could infiltrate your network and what the consequences could be. Think about the ways that an employee may be susceptible to an attack, and how that might lead to a network compromise. Get creative! From this list, estimate how likely each scenario is, and then what the impact would be if it were to happen. For risks that are both likely to occur and would have a major impact (financial, reputational or legal, for example), identify and apply reasonable measures.
There are a few measures that cut across industries and address typical remote working risks:
1. Security Training, Training and More Training
Employees are a leading entry point for a cyber attack. Therefore, you should arm them with the tools to identify, prevent, and respond to attacks or accidents accordingly. Whether your business is remote or on site, it is always a good idea to refresh your security awareness training. The training should cover threats to look out for, such as phishing, smishing, whaling, and other social engineering attacks. It should also include corporate guidance on what is considered acceptable use of company assets, tips on good security hygiene, and how to report incidents. Finally, the training should empower employees to be diligent and cautious.
2. Test Your Incident Response Plan
Dust off your incident response plan. You should update it based on the new risks that have emerged in this remote landscape. Test a brand new scenario that came from your risk-brainstorm session. Roll out any new revisions, and communicate to employees that they will not be held accountable if they realize they have fallen into a phishing trap (for example). Empower them to report the incident without repercussions, and communicate that you support them.
3. Mobile Device Management (MDM)
MDM tools are a good investment: they allow you to centrally manage a variety of security measures on your company-owned mobile devices. Examples of these measures are screen lockouts, blocking the installation of non-approved software, remote wiping, and disabling USB drives. You don’t necessarily need to turn on every bell and whistle, but it isn’t a bad idea. If you are not yet ready to invest in an MDM solution, then address data loss related risks with both an Acceptable Use Policy and with training.
4. BYOD and BYO-SW Policies
If you do not offer corporate laptops and employees can access your network with their own devices, then you will need a Bring Your Own Device Policy. Your employees must formally acknowledge that they will adhere to this Policy. The contents of this policy should align with your risk landscape. For example, if you are either in a high risk industry or you serve a high risk industry, you may require that a certain antivirus/anti-malware solution be installed on your employees’ devices. You could also include a clause that no other individuals in a household may access the computer, that it is locked in a cabinet or room when not in use, and that it is backed up on a set schedule.
You may also want to incorporate a Bring Your Own Software Policy. This is especially useful in the startup world, or for organizations that utilize third-party contractors. You may want to discourage (or disallow) the use of applications or tools that are not centrally managed or approved, depending on the risks that you have identified.
5. IT ‘Hygiene’ at Home
Offering your remote staff the tools, guidance, and solutions to secure their home network will pay off. Tips abound on the internet. In my organization, for example, we encourage all employees to disable automatic network connections on our home Wi-Fi networks, and to use WPA3 if devices are compatible, or “WPA2/WPA3 Transitional” if we have both older and newer devices at home. Consider what would be reasonable for your employees and communicate it via training, a newsletter, a companywide guidance email, or all three.
6. Revisit Logical Access Policy and Procedures
Another policy to dust off is your Logical Access or User Access Policy. Review it through the lens of a remote workforce to see if it needs revision. Ensure that it covers the concept of least privilege (users only have the access they require and no more), that passwords shall not be shared, and that privileged access is restricted. Then perform a user access review on all critical (and even not so critical) assets. Ensure that there are no shared accounts and that the level of access is appropriate for each user.
If you have not already, immediately increase the minimum password length to 10 or 12 characters in all possible places. The current advice from the Federal Trade Commission and from Microsoft (to name a few) is that passwords should be long rather than frequently changed. Requiring folks to change their password too often can lead to the sticky note under the keyboard. If you can enable MFA, do so. Encourage pass-phrases rather than passwords. Include any new advice in your Security Training.
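The access review and password-policy checks described in this section, as an added example that is not part of the original article: it runs over a constructed account export and a constructed directory password-policy setting, flagging shared accounts, privileged access held outside approved teams, a minimum length below 12, forced rotation more often than an assumed 90-day floor, and MFA being off. The account data, team names and the 90-day threshold are all constructed for illustration.

```python
# Constructed account export (not real data): who holds the credential,
# the user's team, and whether the account carries admin rights.
ACCOUNTS = [
    {"account": "jdoe", "holders": ["Jane Doe"], "team": "finance", "admin": False},
    {"account": "svc-backup", "holders": ["Ops A", "Ops B"], "team": "ops", "admin": True},
    {"account": "intern01", "holders": ["Intern"], "team": "engineering", "admin": True},
    {"account": "lead-eng", "holders": ["Eng Lead"], "team": "engineering", "admin": False},
]

# Constructed allow-list: the only teams that may hold privileged access.
PRIVILEGED_TEAMS = {"ops"}

# Constructed directory password settings to check against the article's advice.
PASSWORD_POLICY = {"min_length": 8, "max_age_days": 30, "mfa_enabled": False}

MIN_PASSWORD_LENGTH = 12   # the article's upper recommendation
ROTATION_FLOOR_DAYS = 90   # assumed threshold for "too frequent" forced change


def review_accounts(accounts, privileged_teams):
    """Flag shared accounts and privileged access outside the approved teams."""
    findings = []
    for acct in accounts:
        # More than one person holding one credential is a shared account.
        if len(acct["holders"]) > 1:
            findings.append((acct["account"], "shared account"))
        # Admin rights are only appropriate for the approved teams.
        if acct["admin"] and acct["team"] not in privileged_teams:
            findings.append((acct["account"], "privileged access outside approved teams"))
    return findings


def review_password_policy(policy):
    """Check minimum length, forced rotation and MFA against the article's guidance."""
    findings = []
    if policy["min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum length {policy['min_length']} < {MIN_PASSWORD_LENGTH}")
    age = policy.get("max_age_days")
    if age is not None and age < ROTATION_FLOOR_DAYS:
        findings.append(f"forced change every {age} days; prefer length over rotation")
    if not policy.get("mfa_enabled"):
        findings.append("MFA not enabled")
    return findings


if __name__ == "__main__":
    for account, issue in review_accounts(ACCOUNTS, PRIVILEGED_TEAMS):
        print(f"{account}: {issue}")
    for issue in review_password_policy(PASSWORD_POLICY):
        print(f"policy: {issue}")
```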
7. Antivirus/Malware Tools
Whether or not you can centrally manage it, activate an antivirus and anti-malware solution on all devices that can access your network. Because an infection on an end user device can lead to an infiltration of your network, consider requiring its installation on employee-owned devices in your BYOD Policy.
8. Segment Your Network
Only provide access to the areas of your network that are necessary based on risk profile and user need-to-know. Your finance team does not need to access the same area of your network as your VP of Engineering. Know where the sensitive data or processes live and secure them more stringently than other areas. When a remote user logs in, they should only be able to see and access what they need in order to do their job. Reduce the potential damage that a bad actor could do if they were to get into your network.
9. Secure Your Communications
Depending on your risk profile, consider implementing a VPN or even a secure messaging app. Note that some commonly used solutions, like O365, already offer a layer of encryption and may be sufficient for your risk profile. Before spending more money, determine whether the tools you currently use are sufficient to address your risks.
As you consider the risks inherent in this new remote work environment, you may identify additional security measures that make sense to implement. Taking a risk-based approach will ensure that you are implementing or bolstering meaningful and right-sized measures.