With more people than ever working from home during the COVID-19 pandemic – many for the first time – organisations are being exposed to increased cybersecurity risks.
Every time an employee connects to their organisation’s network from home or remotely, they could be creating possible access points for cybercriminals to exploit. This can have devastating operational and financial consequences.
Even with organisation-issued devices, there could be vulnerabilities in the employee’s home network configuration. These risks are amplified where employees are using personal devices that aren’t subject to security monitoring, and which could already be infected.
So how can organisations protect their critical cyber assets against these threats?
Recommendations for Organisations
Plan your remote working & access security policies and controls assuming that external environments contain hostile threats.
This means you should plan from the perspective that cybercriminals will gain control of remote working devices and attempt to recover sensitive data from them, or attempt to use them to access the organisation’s networks. Some options for mitigating these types of threats include:
- Next generation endpoint protection. Security software that analyses user and system behaviour in real time, including endpoint detection and response (EDR) capabilities that protect against more advanced threats.
- Two-Factor Authentication. 2FA should be implemented for access to devices, applications and the organisation’s network. Read why 2FA is crucial for security.
For communications to or from external networks, encryption is recommended to protect the confidentiality and integrity of the traffic, and each endpoint should authenticate the other so that both identities are verified.
We also strongly recommend the use of anti-malware technologies and network access control solutions that verify the security posture of remote devices before granting access.
Develop a remote working & access security policy that clearly defines your access and BYOD requirements.
Your security policy should define what forms of remote access are permitted, what types of devices are permitted to be used for each form of access, and the applicable levels of access.
Tiered levels of remote access are recommended so that the most controlled remote devices can have the most access and the least controlled devices have minimal access.
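One way a network access control check could map device posture to the tiered access described above, as an added example that is not Forsythes Technology’s code; the tier names, posture fields and the 30-day patch threshold are assumptions, since the post does not define them:

```python
from dataclasses import dataclass

# Hypothetical tier names; the post recommends tiers but does not name them.
FULL, LIMITED, NONE = "full", "limited", "none"
MAX_PATCH_AGE_DAYS = 30  # assumed threshold for a device counted as "kept patched"


@dataclass
class DevicePosture:
    org_managed: bool       # issued by and subject to the organisation's monitoring
    edr_running: bool       # next generation endpoint protection agent present
    mfa_completed: bool     # user passed two-factor authentication at logon
    disk_encrypted: bool
    days_since_patch: int


def evaluate_tier(p: DevicePosture) -> tuple[str, list[str]]:
    """Return (tier, reasons): the most controlled devices get the most access,
    the least controlled get minimal or no access."""
    if not p.mfa_completed:
        return NONE, ["2FA not completed"]          # hard requirement for any access
    reasons = []
    if not p.edr_running:
        reasons.append("no endpoint protection agent")
    if p.days_since_patch > MAX_PATCH_AGE_DAYS:
        reasons.append(f"unpatched for {p.days_since_patch} days")
    if not p.disk_encrypted:
        reasons.append("disk not encrypted")
    if p.org_managed and not reasons:
        return FULL, []                             # fully controlled device
    if len(reasons) >= 2:
        return NONE, reasons                        # too degraded to trust at all
    # Personal (BYOD) devices, and managed devices with one finding, get the
    # limited tier (for example webmail only, no customer data).
    return LIMITED, reasons or ["personal device (BYOD)"]


if __name__ == "__main__":
    for posture in (DevicePosture(True, True, True, True, 3),
                    DevicePosture(False, True, True, True, 3),
                    DevicePosture(True, False, True, False, 40)):
        print(posture, "->", evaluate_tier(posture))
```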
Ensure that remote access servers are secured effectively and configured to enforce your security policies.
A compromised server could be used to eavesdrop on communications, manipulate them, and provide unauthorised access to an organisation’s data, resources and devices. Remote access servers should be kept fully patched and manageable only from trusted hosts by authorised administrators.
Consider also the network placement of remote access servers. In most cases, a server should be placed at an organisation’s network perimeter so that it acts as a single point of entry to the network and enforces the remote access security policy before access is permitted.
Secure organisation-controlled remote work devices against common threats, and maintain their security regularly.
Compared to technologies that are only accessed from inside an organisation, remote work devices are inherently more exposed to external threats such as malware, device loss and theft. Additional security controls are therefore recommended, such as the next generation endpoint protection and 2FA mentioned above.
Organisations should ensure that all types of remote work devices are secured, including desktop and laptop computers, smartphones, and tablets, bearing in mind that security capabilities and the appropriate security actions vary widely by device type and specific products.
Implement and maintain up-to-date general data security and related policies.
We recommend all organisations maintain up-to-date policies tailored to their specific requirements and circumstances. To assist any customers who may have policy gaps, we have previously posted the following template policies, which may serve as a useful starting point:
- Cybersecurity and Social Media Policy Template
- Employee Password Policy Template
- Physical Security Policy Template
- Employee Mobile Phone Policy Template
Our team can also assist with purpose-built comprehensive policies for your organisation.
Recommendations for Employees
In addition to the measures that should be taken at an organisational level, there are some simple things you can do as employees working from home for better cybersecurity, not only to protect the organisation’s data and resources but also your personal data and your home network.
These recommendations, which are in line with the relevant guidelines from NIST, apply to almost all situations and are relevant whether you are using organisation-issued devices or your personal computer, smartphone or tablet.
You should find out if your organisation has rules or policies for remote working & access and make sure you read them and comply.
For example, it may be permitted for you to use your personal computer for reading and sending work emails, but it may not be permitted for accessing sensitive customer data. Additionally, you may be subject to software and/or hardware security requirements that you need to implement.
Protect your computer communications from eavesdropping.
If you use Wi-Fi at home, you should make sure your network is set up securely. In particular, check that your Wi-Fi network is using “WPA2” or “WPA3” security, and make sure your password is difficult to guess and complies with any relevant organisation policy.
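A small script that performs the WPA2/WPA3 check above on a Linux laptop, added here as an example and not part of the original post. It parses the terse output of NetworkManager’s `nmcli -t -f ACTIVE,SSID,SECURITY dev wifi`; the scan output embedded below is constructed, and the “ok/weak/open” classification is the author of this example’s reading of the advice, not an nmcli feature:

```python
import re

# Constructed sample of `nmcli -t -f ACTIVE,SSID,SECURITY dev wifi` output.
# Terse mode separates fields with ':' and escapes literal colons as '\:'.
SAMPLE_SCAN = """\
yes:Home\\:Net:WPA2
no:CoffeeShop:
no:OldRouter:WEP
no:Neighbour:WPA1 WPA2
no:NewRouter:WPA2 WPA3
"""

ACCEPTABLE = {"WPA2", "WPA3"}   # the protocols the advice asks you to check for


def split_terse(line: str) -> list[str]:
    """Split a terse nmcli line on unescaped colons and unescape the fields."""
    return [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]


def assess(security: str) -> str:
    """'ok' only if every protocol offered is WPA2/WPA3; WEP or WPA1 (even in
    a mixed WPA1/WPA2 network) is 'weak'; no security at all is 'open'."""
    protocols = set(security.replace("--", "").split())
    if not protocols:
        return "open"
    return "ok" if protocols <= ACCEPTABLE else "weak"


def check_networks(scan_output: str) -> list[dict]:
    results = []
    for line in scan_output.splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # not an ACTIVE:SSID:SECURITY record
        active, ssid, security = fields
        results.append({"ssid": ssid, "active": active == "yes",
                        "security": security, "verdict": assess(security)})
    return results


def active_verdict(scan_output: str) -> str:
    """Verdict for the network this machine is currently joined to."""
    for r in check_networks(scan_output):
        if r["active"]:
            return r["verdict"]
    return "not connected"


if __name__ == "__main__":
    for r in check_networks(SAMPLE_SCAN):
        flag = "*" if r["active"] else " "
        print(f"{flag} {r['ssid']:<12} {r['security'] or '(none)':<12} {r['verdict']}")
```

On a real machine, replace SAMPLE_SCAN with the output of the nmcli command; only the line marked active is your own network.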
If your organisation has a VPN (virtual private network), use it.
A VPN provides stronger protection by creating a secure, encrypted tunnel through which information is transmitted between your device and the organisation’s network. If one is not available, you could consider using your own VPN, for which we can provide recommendations.
If you’re using your own computer or mobile device for remote working, make sure you’ve enabled basic security features.
Even just enabling the PIN, fingerprint, or facial ID feature can prevent malicious parties from getting onto your device should it be stolen or lost, or when you temporarily walk away from it. Any PIN or password you use should be hard to guess.
Keep your remote work devices patched and updated.
Most operating systems provide an option to check for updates and install them automatically. Enabling this is a good idea if you don’t manually check for updates regularly.
If you see unusual activity or a suspected scam, report it.
Already, COVID-19 scams have cost Australians over $14M. If you see any suspicious activity or communications on any device, contact your organisation’s help desk or security team.
We’re Here to Help
Forsythes Technology can assist with all your cybersecurity needs relating to remote working or otherwise. Our team includes certified security specialists who assist with APRA, PCI and HIPAA requirements and implementation of the NIST Cybersecurity Framework.
For assistance or for an assessment of your current cybersecurity practices, request a consultation below.