How to secure your remote workforce
Written by Oliver Pinson-Roxburgh on 03/07/2020
Since the outbreak of Covid-19, many organisations have had to make a swift transition to remote working to ensure business continuity. What would typically take months of planning and preparation was implemented in a matter of days. The chaos this created, combined with the already uncertain nature of life during a pandemic, has produced the ideal environment for cybercriminals.
On the whole, bad actors are not employing novel techniques. Rather, they are leveraging people’s confusion and inattention to run familiar attacks such as phishing. According to Barracuda Networks, there has been a 667% increase in malicious phishing emails since the coronavirus outbreak. Moreover, Google has shared that it is blocking an average of 18 million coronavirus scam emails every day. With employees more susceptible to attack, the risk to organisations is higher than ever. As the saying goes, you’re only as strong as your weakest link.
To make things worse, remote working is new territory for many businesses, calling for a different security strategy and significant adjustment. While IT teams are busy with implementation, they may not have the resources to monitor suspicious activity thoroughly or to apply security patches to newly deployed technologies. This could leave an organisation’s internal infrastructure and network exposed to an employee’s compromised device. You are also reliant on the security of something you have no control over, namely the employee’s home network, which will likely be riddled with IoT devices, tablets, laptops, phones and poorly secured home routers.
Bulletproof recently ran a free webinar on securing remote working environments. The questions below were raised during that session.
Best practice advice on secure remote access
Is there anything we can do to make administrator access more secure?
Remote administration tools (RDP, SSH, remote-support software and the like) expose the business to significant risk: an attacker who compromises one gains the same high privileges as the administrator using it. To guard against this, do not expose such tools directly to the internet; put them behind a VPN, and turn on two-factor authentication (2FA) everywhere that supports it.
Other best practices:
- Administrators should use dedicated, named admin accounts rather than shared or vendor-default accounts (root, admin, administrator), and keep them separate from their day-to-day user accounts. If an attacker does get past 2FA, you can then pinpoint exactly which account was compromised and disable it, rather than having to reset a shared credential for everyone.
- Ensure that your IT teams are regularly testing and patching the systems and supporting technologies now in heavy use (e.g. Zoom, VPN gateways, Microsoft Teams etc.) for vulnerabilities.
- Where possible, restrict VPN access to an allow-list of known source IP addresses, and alert on admin logins from anywhere else.
- Segment the network, so that nobody has unvetted access to all your data once they are through the VPN; a VPN user should only be able to reach the systems their role requires.
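The three account-level controls above (named admin accounts instead of defaults, 2FA on every admin session, an IP allow-list on the VPN) are only useful if someone checks that they are actually being followed. The script below is an added example, not Bulletproof's code, showing how such a check can be run over VPN or jump-host login records. The key=value log format, the "adm-" naming convention for admin accounts, the allow-listed network and the log lines themselves are all constructed assumptions for illustration.

```python
"""Audit remote-admin logins against three controls: no default admin accounts,
2FA on every admin session, and an IP allow-list on the VPN/admin path.

Added example, not Bulletproof's code. The log format, the "adm-" naming
convention and the allow-list are assumptions; the log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: one key=value record per line, as a VPN gateway or
# jump host might emit (assumed format).
SAMPLE_LOG = """\
ts=2020-07-03T08:01:12Z user=root src=203.0.113.7 mfa=no result=success
ts=2020-07-03T08:02:40Z user=adm-jsmith src=198.51.100.23 mfa=yes result=success
ts=2020-07-03T08:05:03Z user=adm-jsmith src=192.0.2.99 mfa=yes result=success
ts=2020-07-03T08:07:55Z user=admin src=198.51.100.23 mfa=yes result=failure
ts=2020-07-03T08:09:10Z user=adm-akhan src=198.51.100.41 mfa=no result=success
ts=2020-07-03T08:11:00Z user=jdoe src=198.51.100.23 mfa=no result=success
"""

# Assumed policy: generic or vendor-default admin usernames that should never log in.
DEFAULT_ADMIN_ACCOUNTS = {"root", "admin", "administrator"}
# Assumed convention: named admin accounts carry an "adm-" prefix.
ADMIN_PREFIX = "adm-"
# Assumed allow-list of source networks permitted to reach the VPN/admin path.
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    rule: str


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; return None for a malformed line."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def is_admin(user):
    return user in DEFAULT_ADMIN_ACCOUNTS or user.startswith(ADMIN_PREFIX)


def src_allowed(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def check_login(rec):
    """Return the names of the rules a single login record violates."""
    user, src = rec.get("user", ""), rec.get("src", "")
    rules = []
    if user in DEFAULT_ADMIN_ACCOUNTS:
        rules.append("default-admin-account")   # should be a named admin account
    if is_admin(user) and rec.get("mfa") != "yes":
        rules.append("admin-without-2fa")
    if not src_allowed(src):
        rules.append("source-not-allowlisted")
    return rules


def audit(log_text):
    """Run every rule over every successful login. Failed attempts are only kept
    for default accounts, because probing of those is itself worth seeing."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec.get("result") != "success" and rec.get("user") not in DEFAULT_ADMIN_ACCOUNTS:
            continue
        for rule in check_login(rec):
            findings.append(Finding(rec["ts"], rec["user"], rec["src"], rule))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.user:<12} {f.src:<15} {f.rule}")
```

Run against the constructed sample, the root login from 203.0.113.7 trips all three rules at once, which is exactly the case the advice above is meant to rule out; the ordinary user jdoe logging in from an allow-listed address without 2FA is not flagged, because the allow-list and the named-account rule are admin controls and the 2FA rule here is applied to admin sessions only. In a real deployment the allow-list would be the VPN's own source restriction and this check would run over the gateway's exported logs.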
Migration to cloud-based platforms: Office 365 and G-Suite
Should I pen test Office 365/generally on cloud services?
The providers of these cloud services usually hold a high level of compliance certification and follow security best practice, including regular penetration testing of their own platforms. If you wanted to validate this with your own pen test, the provider's terms of service will often restrict or prohibit testing of their shared infrastructure.
In line with the shared responsibility model, what you can and should do is audit your own configuration: check that it has been set up correctly and that you are using all the security features available to you to protect both employees and customers. In other words, where you cannot conduct a pen test, carry out a configuration health check.
Get your Office 365 Security Health Check
Bulletproof offers an Office 365 Security Health Check, which covers 91 best practice guidelines, checking areas such as authentication and accounts, data management, email security, auditing, storage as well as mobile device management.
Remote penetration testing and patch management
We are worried about how to effectively test patches, prior to applying them. Is there a general best practice to limit outage?
Ideally, IT teams would have a few dedicated test devices, configured identically to employee devices, on which to test patches prior to roll-out. Failing that, stage the roll-out: patch one or two people per team first and wait for problems to surface before patching the rest. That way, if the patch does not work as expected, a whole team is not disrupted at once. If all else fails, test core applications and patches on a virtual machine prior to deployment.
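The staged approach described above, worked through as an added example that is not Bulletproof's own code: dedicated test devices form the first wave, one or two canaries per team the second, and everyone else the third, with a health gate between waves that halts the roll-out if too many devices in a wave fail. The device inventory, the "two canaries per team" figure and the 10% failure threshold are constructed assumptions.

```python
"""Plan and drive a staged patch roll-out with a health gate between waves.

Added example, not Bulletproof's code. The inventory, canary count and
failure threshold are constructed assumptions for illustration.
"""
import hashlib

# Constructed inventory: (hostname, team, is_dedicated_test_device)
INVENTORY = [
    ("lab-01", "it", True), ("lab-02", "it", True),
    ("fin-01", "finance", False), ("fin-02", "finance", False), ("fin-03", "finance", False),
    ("hr-01", "hr", False), ("hr-02", "hr", False),
    ("eng-01", "engineering", False), ("eng-02", "engineering", False),
    ("eng-03", "engineering", False), ("eng-04", "engineering", False),
]

CANARIES_PER_TEAM = 2      # assumed: "one or two people per team"
MAX_FAILURE_RATE = 0.10    # assumed gate: halt if more than 10% of a wave fails


def _rank(hostname, patch_id):
    """Deterministic per-patch ordering, so the canaries rotate between
    patches instead of always being the same two people on each team."""
    return hashlib.sha256(f"{patch_id}:{hostname}".encode()).hexdigest()


def plan_waves(inventory, patch_id, canaries_per_team=CANARIES_PER_TEAM):
    """Return [wave0, wave1, wave2]: test devices, per-team canaries, the rest."""
    wave0 = sorted(host for host, _, test in inventory if test)
    by_team = {}
    for host, team, test in inventory:
        if not test:
            by_team.setdefault(team, []).append(host)
    wave1, wave2 = [], []
    for hosts in by_team.values():
        hosts.sort(key=lambda h: _rank(h, patch_id))
        wave1.extend(hosts[:canaries_per_team])
        wave2.extend(hosts[canaries_per_team:])
    return [wave0, sorted(wave1), sorted(wave2)]


def gate_ok(results, max_failure_rate=MAX_FAILURE_RATE):
    """results maps hostname -> True (patched fine) / False (failed).
    An empty wave passes trivially."""
    if not results:
        return True
    failed = sum(1 for ok in results.values() if not ok)
    return failed / len(results) <= max_failure_rate


def run_rollout(waves, apply_patch):
    """apply_patch(hostname) -> bool. Patches wave by wave and stops at the
    first wave that fails the gate. Returns (waves_completed, failed_hosts)."""
    for index, wave in enumerate(waves):
        results = {host: apply_patch(host) for host in wave}
        if not gate_ok(results):
            return index, [host for host, ok in results.items() if not ok]
    return len(waves), []


if __name__ == "__main__":
    waves = plan_waves(INVENTORY, "patch-2020-07")
    for i, wave in enumerate(waves):
        print(f"wave {i}: {', '.join(wave)}")
    # Simulate a patch that breaks one test device: the roll-out stops at wave 0.
    print(run_rollout(waves, lambda host: host != "lab-01"))
```

The ordering is keyed on the patch identifier, so a different set of people acts as canaries for each patch; the gate uses a failure rate rather than a fixed count so it behaves sensibly for both a two-device test wave and a forty-device final wave.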
Maintaining compliance standards
How do I assess the risks of remote working?
You need to look at every area that differs from an employee working in the normal office environment, including the systems they now work with and the information they access. Employees must then be given the necessary training, and your existing policies and procedures adapted to cover the new arrangements. You will also need to take into account:
- Whether you have provided enough technical support to your employees.
- How data is being stored - is it on their personal devices, or a company-owned device? What about paper-based data?
- If data is kept on a private device, what controls do you have in place?
- How teams are sharing data – is it over a secure network?
When transitioning to an unfamiliar environment of mass remote working, the first step for any organisation is to evaluate your current security posture. It is important to understand where the risks lie, what policies and procedures might need adjusting, and what technologies exist that could be of use.
Additionally, organisations should question whether their employees are prepared to identify threats, and know how to manage or prevent them. The next steps require you to actively address any vulnerable areas:
- Securing your cloud platform with VPNs, conditional access (login) policies and network segmentation.
- Auditing and monitoring how employees use their systems, so that suspicious activity can be identified both on your own servers and in the cloud.
- Defining a minimum security standard for the devices your employees use and ensuring it is adhered to; for example, that every laptop runs up-to-date antivirus software.
- Continuing to test systems for vulnerabilities as usual and applying any necessary patches.
- Running frequent refresher training sessions, covering both security essentials and data protection responsibilities.