Remotest threat

TACTICAL: IMPLEMENTING AND MANAGING REMOTE WORKING

The urgent requirements for remote working have seen some heroic and agile efforts by IT and security teams to meet the need. However, in the absence of the right company strategy (discussed above), they have often been torn between the demands for rapidly deployed remote access to data and systems, and the requirement to keep them confidential, reliable and available. In these stressful situations, it is important to remember that organisations have ethical, contractual and regulatory obligations for protecting systems and data.

So, beyond being given the task of implementing the organisation's risk-assessed and centralised vision of remote working, IT & Security teams must be provided with the resources, authority and visible senior management support to complete it. Without these, the effectiveness of their people, process and technology measures may be constrained, with potentially disastrous effects.

With processes and projects sanctioned, IT & Security teams can focus on implementing the strategic processes and technologies whilst ensuring tactical deployments are used in harmony to maximise security.

Possibly the most important implementation strategy is centralised provision. This requires security to be mandated by pushing it down to remote teams, rather than relying on users to do the right things.

The following centrally managed policies and configurations are a good starting place for managing remote devices:

  • Enforce the removal of default anonymous accounts and shared passwords so attackers can’t guess possible logins.
  • Enforce a strong password policy so that all passwords are impossible to guess and are changed regularly.
  • Centrally enforce the application of patches and security updates.
  • Centrally deploy and manage anti-virus and endpoint protection.
  • Centrally enforce enabling of a local firewall to block incoming connections.
  • Configure devices to automatically lock after a period of no use.
  • Disable external interfaces such as USB accessories.
  • Implement application whitelisting that restricts the applications users are allowed to install and run on their devices.

Beyond centralised management, corporate IT and security teams should implement corporate-wide security controls to protect in-flight and at-rest data. A virtual private network (VPN) should be used to protect in-flight data. As a minimum, the VPN should be implemented by the organisation and include encryption and multi-factor authentication (2FA), so that it:

  • Hides the user’s IP address
  • Encrypts data transfers in transit
  • Masks the user’s location

Data at rest should be protected by device and server encryption technologies. By removing administrative features from all computing equipment for general users, you ensure that access to data is limited to those with a legitimate business need.

Video conferencing can also impact the security of data in flight, so the solution used should be risk assessed, provisioned by the organisation and have default security settings such as multi-factor authentication, encryption, and a lobby function to control access by guests.

PEOPLE: THE RESPONSIBILITY OF INDIVIDUAL USERS

The strategic and tactical elements discussed in the earlier sections cannot be met solely through the application of policy and technology. They also rely on employees. Employees are commonly targeted by cybercriminals who seek to leverage the reality that humans are fallible, make mistakes and at this time may be more easily distracted by unusual working conditions.

By securing your employees, your organisation has a greater chance of protecting your data and systems. To secure your employees and therefore your company, organisations should ensure that their human firewalls (first line of defence) understand their critical role in protecting data and systems and the good practices they should follow.

Important security practices that remote users should be aware of:

Public Wi-Fi – Avoid using public Wi-Fi in cafés and other public places – use a personal mobile hotspot instead.

VPNs – Do not disable the company-supplied VPN that protects connections on public Wi-Fi.

Home router security – For home working over a local private Wi-Fi connection, reset the default Wi-Fi router password to something that meets the organisation's password complexity policy.

Sharing devices – Never share corporate devices or access to systems and data with anyone else.

Look after devices – Never leave devices or laptops in the car or unattended and always lock them.

Reporting – Know how to report any theft, loss, or suspicious security incidents.

Video Conferencing – When using video conferencing, check your environment to ensure private information isn’t visible to observers and if screen sharing, ensure open applications and desktop files do not expose sensitive information.

You can never entirely remove the threat, but you can defend against it, reduce it and demonstrate your regulatory compliance.

About Sarah OBeirne
