Remote working looks like it will continue to play a big part in our immediate future. With the PM's latest advice on working from home, possibly in place for another 6 months, remote working looks like it's here to stay.
What does that mean for your technology? Back in the early part of spring, ensuring users could access the necessary applications securely from home was the priority. Now, as we face the prospect of another 6 months of remote working, there are different priorities you should focus on.
Here's your IT to-do list for the next 6 months and beyond. Follow this 10-step plan to make sure you're doing everything you can to protect your business as you continue to work from home.
Before we cover the plan, there are 3 questions your business needs to answer:
- What are the changes in usage patterns and structure in our IT environment?
- How do these changes affect risk?
- What changes do I need to make to my cybersecurity posture and control environment?
Changes in technology usage
For many, remote working was uncommon, especially for traditional office workers in functions like finance, human resources and marketing. These staff are also used to walking over to someone's desk when they need something. This affects usage in two ways: remote access is now critical for many employees, and communication and collaboration tools are essential to many employees' effectiveness at work.
A particular area of concern is the most sensitive applications your business uses, which often run on-premises on separate networks. Reaching them from home poses a problem not only for protection but also for compliance with global and industry regulations.
How the risks change
In cybersecurity, your risk is determined by the activities of attackers (the threat) and the vulnerability of the IT environment. The impact is the extent to which an attack affects confidentiality, integrity, availability, productivity, and/or propriety. To understand the effect of COVID-19 usage and architecture changes, we have to understand the threats, vulnerabilities, and impacts that come with these changes.
As with any widespread event, such as holidays or major sporting events, during the pandemic we've seen increased attacker activity, with spam and phishing on the rise. New methods are also being employed to commit fraud or otherwise harm businesses. For example, once Zoom became widely used for meetings, "Zoom bombing" was a foregone conclusion.
A higher risk is a renewed focus on home networks as remote working becomes the new reality for many. While corporate laptops are often well hardened for these scenarios, home networks have not been significant targets in the past and may need more attention.
On the vulnerability side, server and application resources are likely to have an increased attack surface, simply because IT environments now extend network connectivity into homes. Companies already used to remote working should know how to deal with these environments, but the new usage patterns are a significant change for others.
Finally, COVID-19 brings a whole new level of reliance on communication and collaboration applications that may not have existed previously. This is perhaps the easiest aspect of risk to overlook. The impact is also felt in technical support because resources are now distributed: any triage, malware infection or similar incident will have a greater impact simply because of the additional logistics needed to reach the affected device and address the problem.
Effect on the cybersecurity control environment
Historically, IT environments have been protected from the "bottom-up" by addressing the physical location (usually a data centre), the network, and the servers/hosts.
Economies of scale could be gained in physical security through putting all computing equipment into the same room (data centres, wiring closets, etc.), and in network security by putting all the equipment on the same physical network and using firewalls for separation.
These economies of scale have been extended through the use of site-to-site VPNs, web security gateways, and other solutions.
Endpoint security has been augmented through the years, and enterprise-owned laptops nowadays have fairly strong security. Smartphones, tablets, and employee-owned laptops are another story, however.
Some businesses have built out an all-inclusive security program, while others still rely on the assumption that every asset is owned by the organization and located on-premises. Of course, many other factors have changed through the years, with distributed computing, the internet, virtualization, cloud, and software-defined everything, yet many of the same principles have continued to apply. COVID-19 will change all that.
Within a day of the first stay-at-home order, the effect of COVID-19 was obvious. The first big hurdle for many was ensuring users could access the necessary applications securely from home. VPNs are the first line of defence and are extremely common, but addressing their performance and administration became paramount. Changing network security access restrictions and firewall rules has been a huge burden for some.
Cybersecurity professionals have long been aware of the need for more robust controls to protect increasingly complex computing environments. For programs where the engineering and integration work has already been done, this may be a good time to consider a gradual rollout of a new architecture.
Your 10-point long-term remote working to-do list
In the next six months
- Automate, automate, automate – look for ways to ensure patching, password resets, change control, incident management, and other manual processes are automated wherever and whenever possible.
- Deploy multi-factor authentication everywhere – one lesson that should be apparent to everyone is that you can't rely on passwords alone for anything, even inside the business. Though not a silver bullet, multi-factor authentication is the closest thing to a single control that reduces risk everywhere.
- Develop a BYOD plan (even if you normally don't allow BYOD) – ensure you have a way for unmanaged devices to access organization resources without compromising on protection. This includes paying attention to home network security.
- Review your data governance policy and program – ensure that data owners are identified and that any policy issues associated with the content are addressed, such as jurisdictional issues with cloud environments.
- Upgrade the third/fourth-party compliance program – create a program of continuous compliance that does not require site visits. Rely on third-party audits, continuous reporting of activity and controls, and a robust architecture for protection.
- Assess the need for location- or asset-oriented controls – work to eliminate the need for an application to run on a certain device, in a certain location or on a certain network in order to be protected.
Within 18 months
- Create a virtual SOC – either through an MSP or by leveraging SaaS solutions, build out a SOC for anytime, anywhere monitoring.
- Separate application and data security from network and device security – ensure that applications and data are protected when accessed from any device over any network path.
- Implement a cloud security gateway and/or environment – create a cloud-based environment through which any or all network traffic is routed so that the applicable security protections can be applied.
- Develop a distributed integrity architecture – build encryption and integrity protection into the data and applications themselves.
As we face the possibility of another 6 months of remote working, it's a good time to consider how your technology has performed. Have you stayed as productive, or was remote working a band-aid approach just to get something in place?
This to-do list will help you keep your business secure while enabling your staff to maintain the same level of productivity they would have in the office. If you have concerns about your remote working setup or need help with certain areas, then please get in touch.