SECURING REMOTE WORKERS:
TIPS FOR CORPORATE DEFENDERS
Securing your workforce outside of the office can sound like an intimidating task, but it doesn't have to be. Now that most organizations have initiated a remote work policy in response to the COVID-19 pandemic, it’s time to think about your policies, procedures, and tooling for the massive increase in remote workers.
As a former FBI Cyber Agent and former Director of enterprise cybersecurity products deployed to Fortune 500 companies globally, I’ve highlighted some tips for mitigating risk to your enterprise during these difficult times.
1. Implement multi-factor authentication for ALL users.
If you check in with your IT team, you will probably find that your admins access your network remotely all the time. If they are following good practices, they will present a multi-factor authentication (MFA) factor such as a biometric, a hardware token, or a software-based one-time password along with their credentials. You should consider requiring the same for ALL of your workers who are now remote. Combine MFA with a single sign-on (SSO) solution and you will remove much of the friction of authenticating to the many cloud-based and internal applications your workers access daily.
2. Enable always-on VPN for remote devices.
VPN should be required for all remote devices that connect to corporate resources or access corporate data. If you already have VPN infrastructure in place, it will probably be pushed to its limits and is unlikely to have the capacity for the increase in remote workers. Deploy a host-based VPN to protect against infected home networks and other man-in-the-middle attacks, preferably one that includes a robust console for administration, policy compliance, and granular access controls.
3. Deploy host-based security tools for visibility and rapid incident response.
You may not have the capacity to support new hardware, or even remote workers on your corporate VPNs, so many new and unmanaged devices will be connecting to your network and using corporate resources outside of your standard network security controls. If you haven’t already, it’s time to deploy next-gen host-based security tools such as anti-malware, intrusion detection, and endpoint detection and response (EDR). Many of these tools can detect and respond to threats in near-real time and will give you excellent visibility on devices that are not protected by your traditional corporate security enclaves.
4. Audit your privileged access.
For users that require business-critical access, this may be the first time they will be accessing some corporate infrastructure remotely. Review the access controls currently in place for admins. It’s likely you will have to expand the scope of access for many new and existing users. The goal is to enforce least-privilege access for the specific job that needs to be performed. Check with your critical business unit leaders to identify specific requirements for each privileged user and give them appropriate access. Be sure to roll back any changes you made once business operations are back to normal.
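The audit-and-roll-back loop above is easy to lose track of once dozens of temporary expansions have been made. The script below is an added example, not code from the original article or from ShiftState: it compares a constructed set of grants against a constructed per-role baseline, flags every grant outside the baseline unless it is a ticketed, time-bound expansion that has not yet expired, and lists the expired expansions that are due for rollback. The role names, privileges, user names and ticket numbers are all invented for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    expires: Optional[date] = None  # None = standing grant; a date = temporary expansion
    ticket: str = ""                # change ticket that documents a temporary expansion


# Constructed role baseline: the privileges each job actually needs (least privilege).
BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"reset-password", "rdp-jump-host"},
    "dba": {"rdp-jump-host", "db-admin"},
    "finance": {"erp-read"},
}

# Constructed directory data: who holds which role, and what has actually been granted.
USER_ROLES = {"alice": "helpdesk", "bob": "dba", "carol": "finance", "dave": "finance"}
GRANTS: List[Grant] = [
    Grant("alice", "reset-password"),
    Grant("alice", "domain-admin"),                                   # standing, outside baseline
    Grant("bob", "db-admin"),
    Grant("bob", "rdp-jump-host"),
    Grant("carol", "erp-read"),
    Grant("carol", "erp-approve", date(2020, 4, 30), "CHG-0001"),     # temporary, already expired
    Grant("dave", "erp-read"),
    Grant("dave", "vpn-full-tunnel", date(2020, 6, 30), "CHG-0002"),  # temporary, still in force
]


def excess_grants(grants: List[Grant], roles: Dict[str, str],
                  baseline: Dict[str, Set[str]], today: date) -> List[Tuple[str, str]]:
    """Grants outside the holder's role baseline. A temporary grant that is backed by a
    ticket and has not expired is tolerated (the documented, time-bound expansion);
    a standing grant outside the baseline, or an expired temporary one, is flagged."""
    findings = []
    for g in grants:
        allowed = baseline.get(roles.get(g.user, ""), set())
        if g.privilege in allowed:
            continue
        if g.expires is not None and g.ticket and g.expires >= today:
            continue
        findings.append((g.user, g.privilege))
    return sorted(findings)


def rollback_due(grants: List[Grant], today: date) -> List[Tuple[str, str, str]]:
    """Temporary grants whose expiry has passed: the changes that must now be rolled back."""
    return sorted((g.user, g.privilege, g.ticket)
                  for g in grants if g.expires is not None and g.expires < today)


def audit(today_iso: str) -> Dict[str, list]:
    """Run both checks against the constructed data as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {"excess": excess_grants(GRANTS, USER_ROLES, BASELINE, today),
            "rollback": rollback_due(GRANTS, today)}


if __name__ == "__main__":
    for section, rows in audit("2020-05-15").items():
        print(section)
        for row in rows:
            print("  ", row)
```

Re-running the audit on a later date shows how the expiry dates turn the "roll back once operations are back to normal" advice into a concrete, repeatable check rather than a reminder someone has to remember.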
5. Deploy a Secure Desktop as a Service (SDaaS) platform for access to corporate resources.
Many organizations are scrambling to find devices to buy, install software on, and give to remote workers. There are other options besides purchasing expensive hardware, or deploying complicated virtual desktop infrastructure (VDI). There are services that offer secure desktops for a monthly fee, that include pre-hardened operating systems that your employees can run through a web browser or other client software from their personal devices. These can run even from a “dirty” home device, but still maintain the corporate security standards for data access and internal application usage. The desktops are isolated from the home network so you can securely access corporate resources such as email, internal applications, and secure browsing, keeping sensitive corporate data off of potentially unsecure, private devices.
6. Deploy a Mobile Device Manager.
If you have been considering deploying a mobile device manager (MDM) or enterprise mobility manager (EMM) solution for your enterprise, but haven’t pulled the trigger, now is the time. Mobile device tools come with a variety of capabilities and device support. Find one that covers the operating systems in your asset inventory (Windows, macOS, Linux, Android, and/or iOS). Make sure you enable device encryption for stored corporate data, password/passcode policies to mitigate device compromise, and tracking, wiping, and/or disabling in the event of a lost, stolen, or compromised asset. Also, it might be time to review and modify your employee handbook and acceptable use policies (see Policy Audits) to cover monitoring, access, and privacy of the devices connecting to your MDM solution so all parties are aware of the change.
7. Increase remote access alerting.
Audit your cloud (SaaS application) configurations and remote user access points. More and more applications are moving to the cloud, which makes endpoint management easier but can complicate configuration and access management. IT and security teams struggle to maintain consistent secure configurations across cloud applications because of inconsistent implementations, complicated APIs, and limited feature parity. Configure each cloud application to alert your security team to the best of its capabilities, even if that is only through a centralized email address. Additionally, audit and adjust your network remote access alerting to add logging and alerting for remote desktop protocol (RDP) and secure shell (SSH) access, which will certainly be on the rise.
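To make the "add logging and alerting for RDP and SSH access" advice concrete, here is an added example that is not part of the original article and not ShiftState code. It parses OpenSSH authentication log lines into a normalized event and runs three defender-side rules over them: repeated failures from one source inside a time window, a successful login from a source that just tripped that rule, and a successful login from a source not on an allow list. The log lines, the hostname `bastion`, the IP addresses (documentation ranges) and the allow list are all constructed; the thresholds are example values, not figures from the page. An RDP parser (for example over Windows logon events) could emit the same event type into the same rules, which is the point of normalizing first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, NamedTuple, Optional, Set, Tuple


class AuthEvent(NamedTuple):
    ts: datetime
    service: str   # "ssh" here; an RDP parser could emit "rdp" events into the same rules
    user: str
    src: str
    success: bool


# OpenSSH auth-log lines in syslog format; the hostname and pid fields are skipped.
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_sshd(line: str, year: int = 2020) -> Optional[AuthEvent]:
    """Turn one sshd line into an AuthEvent; returns None for lines the rules do not use."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return AuthEvent(ts, "ssh", m["user"], m["src"], m["result"] == "Accepted")


def detect(events: Iterable[AuthEvent], known_sources: Set[str],
           fail_threshold: int = 5, window_s: int = 300) -> List[Tuple]:
    """Rules:
    brute-force               : fail_threshold failures from one source inside window_s
    success-after-brute-force : a login succeeds from a source still inside that window
    new-source-login          : a successful login from a source not on the allow list"""
    alerts: List[Tuple] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> recent failure times
    for ev in sorted(events, key=lambda e: e.ts):
        q = failures[ev.src]
        while q and (ev.ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if ev.success:
            if len(q) >= fail_threshold:
                alerts.append(("success-after-brute-force", ev.service, ev.user, ev.src))
            if ev.src not in known_sources:
                alerts.append(("new-source-login", ev.service, ev.user, ev.src))
        else:
            q.append(ev.ts)
            if len(q) == fail_threshold:  # alert once, when the threshold is first crossed
                alerts.append(("brute-force", ev.service, ev.src, len(q)))
    return alerts


def analyze_log(text: str, known_sources: Set[str]) -> List[Tuple]:
    events = [ev for ev in (parse_sshd(line) for line in text.splitlines()) if ev]
    return detect(events, known_sources)


# Constructed sample: a password-guessing run that finally succeeds, then two key logins.
SAMPLE_LOG = """\
Mar 20 09:12:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 20 09:12:03 bastion sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
Mar 20 09:12:05 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 20 09:12:08 bastion sshd[1204]: Failed password for bob from 203.0.113.7 port 51125 ssh2
Mar 20 09:12:10 bastion sshd[1205]: Failed password for bob from 203.0.113.7 port 51126 ssh2
Mar 20 09:12:14 bastion sshd[1206]: Accepted password for bob from 203.0.113.7 port 51127 ssh2
Mar 20 09:15:42 bastion sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 50022 ssh2
Mar 20 09:16:00 bastion sshd[1211]: Accepted publickey for alice from 192.0.2.55 port 50023 ssh2
"""
KNOWN_SOURCES = {"198.51.100.4"}  # constructed allow list, e.g. the corporate VPN egress address

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG, KNOWN_SOURCES):
        print(alert)
```

The "success after brute force" rule is the one worth wiring to a pager: a password-spray that ends in an accepted login from the same source is a compromised account, not just noise, and the always-on VPN advice earlier in this list is what keeps that source from being an arbitrary home-network address in the first place.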
8. Review resilience and disaster planning.
If you haven’t prepared for a disaster like COVID-19 as an organization, odds are you are scrambling now. Business continuity (BC) and disaster recovery (DR) plans have higher importance today than ever before. All organizations, from small operations to the largest enterprises, are increasingly dependent on digital technologies to generate revenue, provide services, and support customers who expect applications and data to always be available. Your plans should have clear lines of succession for leadership, low-friction communications procedures, appropriately assigned resources, coverage of both physical and environmental incidents, and several levels of approved service regressions. Be sure to also take notes on what went well and what went wrong during recent events and perform an after-action review. BC/DR is a constantly evolving process that requires continual testing and iteration to perfect.
9. Perform additional cybersecurity training.
Most of you have already trained your employees on basic cybersecurity best practices, but because working from home puts them far away from your protected corporate network, you are opening them up to more risk than normal. Additional training regarding security while working from home is imperative. Ramping up phishing training, security reporting procedures, and acceptable use of equipment will be key to mitigating incidents and reducing tickets.
10. Conduct policy audits.
Now that your busy travel schedule has lightened, there is no better time to dust off some of those old corporate policies for remote or tele-workers. Your corporate employee handbooks and privacy policies need to reflect privacy considerations, acceptable use for remote workers, remote access to resources, and monitoring of devices. Additionally, policies need to define the conduct of corporate business on personal devices.
11. Take care of your security team.
During times like these, the organization will look to your team to help support this dramatic change. Your teams will have an increase in support tickets and be asked to work long hours. Make sure you establish a good rotation schedule and maintain open communication so your team doesn’t burn out.
Contact the ShiftState Team.