With over 11 million confirmed COVID-19 cases and almost 530,000 deaths as of the 4th of July, 2020, the human toll of the pandemic cannot be overstated. The impact on global business is just as profound, and unprecedented in most of our lifetimes.
Information Security and Technology professionals, like front-line workers, have a duty to enable their organizations to operate securely and safely, especially those supporting critical and essential functions such as healthcare, retail, emergency services and manufacturing.
This article discusses a number of key steps to ensure your organization continues to operate securely while working remotely.
With so many people suddenly having to work from home, most organizations have struggled to provide their workforce with appropriate hardware as global supply chains have been impacted. Other organizations have had to re-use older, end-of-life hardware as a contingency to enable the business to continue operating. This has also led organizations to allow their workforce to work remotely using their personal devices.
All of this introduces a significant amount of risk, as traditional IT controls do not typically extend to non-corporate assets or to computer assets that are not connected to the corporate domain.
Here are some cost-effective controls you can implement to help reduce and mitigate the risk.
Endpoint Protection | Protecting the endpoint has never been more important, especially with products that do not have to be constantly updated while connected to the corporate network. Most modern EPP solutions are AI-based: the base AI algorithms are trained to detect good and bad behavior, and to act on it even when the device is not connected to the network.
Device Trust | Most organizations are migrating to online cloud storage solutions for ease of collaboration – anytime, anywhere and on any device. In the age of COVID-19 this is a delicate balance: these tools are essential for allowing remote teams to work, but they also introduce a significant amount of risk due to the use of personal devices, households sharing devices, and users connecting from home or other unsecured networks. Setting up a dynamic policy to manage access based on pre-determined controls such as security certificates on devices, devices with up-to-date anti-virus software, domain-enrolled devices, users with MFA configured, etc. is a practical, quick and effective means of ensuring that only trusted devices are able to connect. Additional ‘attribute’ controls can offer more granular restrictions, such as allowing view / read-only access from non-trusted devices or restricting the ability to download content locally.
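The dynamic policy described above can be modelled as a small decision function. This is an added example, not code from any vendor's product: the signal names, the three access tiers, and the choice to deny outright when MFA is not configured are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    """Signals a conditional-access policy might collect (hypothetical names)."""
    device_cert_valid: bool   # corporate-issued certificate present on the device
    av_up_to_date: bool       # anti-virus signatures are current
    domain_enrolled: bool     # device is joined to the corporate domain
    mfa_configured: bool      # the user has MFA set up

# Device-side signals that must ALL pass for the device to count as trusted.
DEVICE_SIGNALS = ("device_cert_valid", "av_up_to_date", "domain_enrolled")

def evaluate(req):
    """Return (decision, allowed_actions, failed_signals) for one request."""
    failed = [s for s in DEVICE_SIGNALS if not getattr(req, s)]
    if not req.mfa_configured:
        # Assumed policy choice: without a verified identity, device state is moot.
        return "deny", frozenset(), ["mfa_configured"] + failed
    if failed:
        # Non-trusted device: view only, no local download or edit.
        return "read_only", frozenset({"view"}), failed
    return "full", frozenset({"view", "edit", "download"}), []

if __name__ == "__main__":
    # Constructed sample requests.
    samples = {
        "corporate laptop": AccessRequest(True, True, True, True),
        "shared home PC": AccessRequest(False, False, False, True),
        "stale AV, enrolled": AccessRequest(True, False, True, True),
        "no MFA": AccessRequest(True, True, True, False),
    }
    for name, req in samples.items():
        decision, actions, failed = evaluate(req)
        print(f"{name:20} {decision:10} {sorted(actions)} failed={failed}")
```

Returning the failed signals alongside the decision lets the help desk tell a user exactly why a personal device only received read-only access.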
User Identity | Over the last 3-5 years the phrase ‘Identity is the new perimeter’ has been used and referenced many times. This has never been more evident than in the current environment, where identity is fast becoming the only constant when users connect to their corporate network or resources. With the spike in the remote workforce, all the usual constants are now ever-shifting variables – IP addresses, computer hostnames, locations, etc. – as users work across different locations and devices and connect using multiple home / mobile networks. Ensuring that a user is actually who they claim to be is extremely important. The use of two / multi-factor authentication (2FA / MFA) is the obvious way to go, but organizations are increasingly exploring passwordless authentication solutions. Windows Hello offers an exciting new range of options for authentication – embracing biometric security such as fingerprint, facial recognition, etc.
VPN | Or as I like to refer to it, ‘oldie but goodie’, is still a good choice for most organizations. Organizations that already have a mobile workforce may prefer to use a VPN as their remote work option. So long as they have the infrastructure capacity to manage the traffic, it is a viable option. To manage the traffic surge, some organizations have had to allow split tunneling or de-provision / de-prioritize users who do not strictly require the VPN to work. Whatever the decision, it should be a risk-based decision grounded in your unique business requirements and risk tolerance levels.
VDI | The Best of Both Worlds between traditional VPN solutions and VDI environments. VDI is preferred by most organizations as it is easier to manage in the long run once applications have been tested and appropriately set up. Ensuring appropriate isolation of your VDI pools and RDSH farms from the rest of your production network is key. Creating separate / dynamic security groups to appropriately segment your network is an effective way of managing this using your existing security stack. Unlike VPN, VDI allows much greater flexibility and workforce mobility, and is ideal for environments that support BYOD initiatives.
Humans | Your Weakest Link? The role of educating your users cannot be overstated. It is important to train users to be extra vigilant of COVID-19 related scams. COVID-19 related phishing scam emails have gone up exponentially since March, including rogue COVID-19 domains. In addition to training, security teams can take practical steps to help users balance the desire to be kept informed with the need to keep them safe online. Blacklisting COVID-19 sites other than official sites such as WHO, CDC and Johns Hopkins University is a good starting point. Be careful not to block legitimate sites such as hospitals or media outlets. Applying strict email filters and inserting a visible warning banner on all external emails with COVID-19 references both help to keep your users alert and able to spot malicious content easily.
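The banner and allow-list steps above, as an added example that is not taken from any mail gateway product. The internal domain `example.com`, the banner wording and the keyword pattern are assumptions; the allow-list holds the domains of the three official sources the article names.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                    # assumption: your own mail domains
OFFICIAL_DOMAINS = {"who.int", "cdc.gov", "jhu.edu"}  # WHO, CDC, Johns Hopkins University
COVID_RE = re.compile(r"covid|corona\s*virus", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.I)
BANNER = "[EXTERNAL / COVID-19] Verify the sender before opening links or attachments.\n\n"

def under_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the listed domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def is_external(msg):
    """True unless the From address belongs to one of our own domains."""
    sender = parseaddr(msg.get("From", ""))[1]
    return not under_domain(sender.rpartition("@")[2], INTERNAL_DOMAINS)

def unofficial_covid_hosts(text):
    """COVID-themed URL hosts that are not on the official allow-list."""
    return sorted({h.lower() for h in URL_HOST_RE.findall(text)
                   if COVID_RE.search(h) and not under_domain(h, OFFICIAL_DOMAINS)})

def tag_message(msg):
    """Prepend the banner to external mail that mentions COVID-19; True if tagged."""
    part = msg.get_body(preferencelist=("plain",))    # only the plain-text part is tagged
    if part is None or not is_external(msg):
        return False
    body = part.get_content()
    if not COVID_RE.search(msg.get("Subject", "") + "\n" + body):
        return False
    part.set_content(BANNER + body)
    return True

if __name__ == "__main__":
    m = EmailMessage()                                # constructed sample message
    m["From"] = "Relief Fund <help@covid19-relief.example.net>"
    m["Subject"] = "COVID-19 relief payment"
    m.set_content("Claim at http://covid19-relief.example.net/claim or read "
                  "https://coronavirus.jhu.edu/map.html")
    print(tag_message(m), unofficial_covid_hosts(m.get_content()))
```

Matching on the domain suffix rather than a substring means a lookalike host such as `cdc.gov.covid-info.example.org` is still flagged, while hospital and media sites without COVID-themed hostnames are left alone.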
These are all intended to be quick, relatively easy and cost-effective ways to help secure your organizations as we walk through the changes and lessons from COVID-19.