In 2020, the COVID-19 situation forced many businesses to go remote. These businesses had to implement new services within weeks, work that would otherwise have been a fully planned project. It was a mandatory step to maintain their business services and employee productivity.
This shift significantly changed the attack surface of organisations, whether their services are on-premises, in the cloud or in hybrid mode. With COVID-19 leaving a permanent mark on our working styles, your business does not want to be caught by surprise with data leakage, theft or other security implications. It is important to assess your attack surface on a continued basis.
What is the security risk for individuals?
With remote working, more sensitive data resides on users' computers, whether personal or company-provided. It presents the following main risks:
- Device theft or loss of mobile devices.
- Shoulder surfing, where someone watches over your shoulder to gain sensitive information while you are using your devices.
- Unattended devices can be tampered with in no time using hardware keyloggers or USB drives carrying malicious software.
Business security risks
For businesses, the risks are even greater in number, given rising phishing attacks and large attack surfaces, to name a few.
- With increased cloud infrastructure and BYOD (Bring Your Own Device) culture, the overall attack surface is on the rise. It is likely due to organisations failing to perform attack surface analysis periodically.
- Perimeter-less boundaries are leaving traditional security controls ineffective. This is due to the mixed, multi-layered complexity introduced by mobile devices, personal devices, remote staff and cloud services in use.
- Lack of strict Bring Your Own Device (BYOD) policy enforcement adds to gaps in the security strategy, leaving organisations unable to separate trusted and untrusted users, services and networks.
- Error situations arise where security teams are not aware of changes. This challenge is likely due to top leadership giving the go-ahead for a new service rollout, e.g. a file-sharing cloud service, a new collaboration tool or software required on their laptops.
- Insecure Identity and Access Management in relation to user access authorisations, new policies, violations and non-compliance.
- Added pressures of digital transformation, speed and financial stress on companies are leaving security as a lower priority. This is likely where companies lack cyber security maturity and cannot balance security and usability correctly. This leads to weakened security controls, where changes take place without much thought or adherence to security concepts such as defence-in-depth and the principle of least privilege (PoLP).
Cybersecurity is most effective when it is proactive.
Remote Working – Checklist for Individuals
- Where possible, use separate devices for work and personal use.
- Create a passphrase for important accounts, and then add a modifier to be used for different accounts.
- When signing up to a whole lot of new websites that you aren't sure about, use throwaway accounts.
- Review your audio and webcam settings for laptops and devices.
- Use a password manager to randomly generate passwords and to store passwords, PINs and other sensitive information.
- Invest in reputable VPN software to be used on personal devices while connected to free/public Wi-Fi when travelling. You can set up your own, such as OpenVPN, or buy one that has an international setup, such as F-Secure Freedome, Proton VPN, etc. (do your own search, this is not an endorsement).
- If you use public Wi-Fi, make it a rule of thumb to connect to the VPN before doing any online tasks (email, browsing, other access).
- Ensure that your home wireless router is updated and the default password is changed.
- You do not need to make time for updates. Modern devices can be configured to receive and install updates while you are sleeping. Do not ignore these.
- Update smart devices in your house.
- Always be careful about what you post on social media. Do not post your business itineraries, plans or travel details.
- Keep up with remote work awareness training.
- Last but not least, remember this rule:
“trust, but verify”.
Remote Working Checklist for your business
- Produce user guides on new software or service roll-outs to make it easy for users. Schedule periodic webinars and on-demand content related to IT help or troubleshooting your systems while working remotely.
- Review the security features of newly implemented services and software/applications. Where inherent security is not provided by the vendor, consider adding compensatory controls.
- Use file transfer and content streaming solutions like Aspera and Signiant that allow businesses who are streaming and sharing media content to add forensic watermarks so that content leaks can be traced.
- Use secure courier deliveries for shipping devices to users.
- Do not expose RDP services to the internet.
- Continued penetration testing and vulnerability scanning should be part of the security team plan to ensure 24×7 visibility of the attack surface. The year 2020 had the highest number of high impact vulnerabilities identified and patched by various vendors.
- Secure your VPN and other entry points in line with strict authentication and authorisation mechanisms.
- Use DMARC, SPF, DKIM to identify and thwart phishing attacks.
- Ensure that backup processes are configured and working correctly. Test backup restores.
- Use an MDM (Mobile Device Management) solution to administer, manage and secure your mobile devices. This is very useful for over-the-air updates, remote device wiping in case of device theft, and implementing and monitoring security features and violations.
- Gain visibility into your attack surface with exposed services and threats affecting your infrastructure using techniques such as digital attack surface analysis.
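For the DMARC, SPF and DKIM item in the checklist above, this added example (not from the original article) audits a domain's three TXT records for weak settings. The function names, the example.com records and the placeholder DKIM key are assumptions constructed for illustration; in practice the strings would come from DNS lookups.

```python
# Added example (not from the article); every record value below is constructed.
def parse_tags(record):
    tags = {}  # DMARC and DKIM records share the 'k=v; k=v' syntax
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 '=' padding stays in value
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["spf: no valid v=spf1 record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["spf: no 'all' mechanism in this record (check any redirect= target)"]
    if alls[0] in ("all", "+all"):
        return ["spf: '+all' authorises every sender"]
    if alls[0] in ("~all", "?all"):
        return ["spf: '%s' does not hard-fail unlisted senders" % alls[0]]
    return []

def audit_dkim(record):
    if not parse_tags(record).get("p"):
        return ["dkim: empty or missing p= tag, key is absent or revoked"]
    return []

def audit_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["dmarc: no valid v=DMARC1 record"]
    out = []
    if tags.get("p", "").lower() not in ("quarantine", "reject"):
        out.append("dmarc: policy is monitor-only, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        out.append("dmarc: pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        out.append("dmarc: no rua address, aggregate reports are not collected")
    return out

def audit_domain(txt):
    return (audit_spf(txt.get("spf", "")) + audit_dkim(txt.get("dkim", ""))
            + audit_dmarc(txt.get("dmarc", "")))

WEAK = {"spf": "v=spf1 include:_spf.example.com ~all",
        "dkim": "v=DKIM1; k=rsa; p=", "dmarc": "v=DMARC1; p=none; pct=50"}
STRICT = {"spf": "v=spf1 include:_spf.example.com -all",
          "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"}
```

Calling `audit_domain(WEAK)` returns five findings, while `audit_domain(STRICT)` returns an empty list.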
The above listicle is just a good basic ground to help you shape your environment. It is in no way meant as an extensive list. However, it should be very helpful in ensuring your systems and organisation are ready for common cyber attacks.
As a word of caution, think before buying: products bought without making informed choices may only add to the chaos. Do not complicate your environment; review your existing infrastructure to get the most out of your people, technology and processes. Perform a gap review, take help and ensure you are making the most of the current setup.
While advising customers at work, I often find people getting swayed by new technologies without checking the compatibility and after-effects in their environment. What works at a friend’s house may not work in yours.
Remember, cyber security does not need to be complex. It should be an enabler to business growth.