With coronavirus and COVID-19 now officially a pandemic, more organizations will be changing the way they operate. It’s likely more people will work remotely than ever before, which leads to new and interesting challenges for information security professionals. The additional employees, many with roles never before considered for remote work, will create more cyber-risks for organizations around the world.
To come up with eight steps InfoSec pros should take now, we interviewed multiple cybersecurity experts. Taking their suggestions, organizations can control security risks for remote workers in telecommuting environments.
For cybersecurity experts responding to new risks with work-from-home staff during the pandemic, CTO Mike Simon has put together this 23-minute webinar to help prioritize work-from-home office security risks.
When someone says they are “WFH” (work-from-home), that could mean a variety of things: working from a home office, working from a shared workspace, working from a coffee shop, or working from who-knows-where. Ask your employees to disclose and describe their WFH location. Once you know the location, check in on their security infrastructure: what are their router/firewall settings? Are they using WPA2 or WPA3 on their home router? Have they changed the default password? Are they using password best practices, like 2FA?
For employees who access sensitive data, you might have them take a photo of their WFH environment, so you can see it and make suggestions about closing windows, doors, or otherwise changing the space. Organizations that discuss confidential issues may not have any risk tolerance for Home IoT, like Alexa, eavesdropping on audible business conversations in the home office. These might seem like unprecedented steps, but we are in unprecedented times. Over-caution is the best way to limit the emerging security risks for your team and organization.
If you already have staff out in home offices, use the WFH Security Questionnaire at the end of this article to go through with each employee working from home. This is a great first step to getting a handle on the remote workforce and the "new normal" everyone is facing due to the global coronavirus response. Someone on the IT or InfoSec team should be dedicated to making work-from-home security job #1 right now. Getting risky home devices and employee practices remediated fast is not necessarily difficult or prohibitively expensive, but it will likely require at least one dedicated IT/InfoSec expert to manage well.
Not every company has enough laptops to send home with employees. If you only have desktops, consider allowing employees to take their desktop towers home if they are going to WFH for more than a few days. Note that due to the configuration for enterprise desktops, this may require re-configuration of the desktop or may not work at all. For any computer that is in a remote location, check the settings with employees. Are remote laptops protected with strong passwords that get changed regularly? Are your users trained to lock them when they leave, even for a moment, when outside of the workplace? Are your portable devices, including laptops, portable drives, and other media, encrypted? As an example, Critical Insight uses BitLocker.
You don’t know who else might have access to that computer in a WFH location, and it’s best to err on the side of caution.
On a good day, even smart employees click on phishing emails every now and then. But, once people are working from home during a pandemic, it’s not a good day. People are on edge and they are working outside their normal environments. Criminals who send phishing emails are already trying to take advantage of the anxiety and are sending coronavirus-related emails.
You should create a targeted education campaign for employees about the uptick in coronavirus-related phishing attempts. If you already perform phishing tests of your employees, you should design one related to coronavirus, but note that the same education and awareness can be applied to any newsworthy event or anxiety-inducing moment, like Tax Day.
Check out these recommended strategies to defend against phishing campaigns, as recently featured in F5 Labs 2019 Phishing and Fraud report.
Some of your employees look at sensitive documents, whether it be legal files, health information, or financial information. With employees working remotely, they may move, view, or store those sensitive files in unsecure ways. Update your policies so employees know which documents are sensitive and remind employees to only view or save those documents in secure ways and in compliance with company policies.
A priority group of staff will be any employees that may be able to transfer regulated data online, like ePHI and PII. Those employees should get specific guidance on how to manage their workflows in accordance with the company's compliance requirements and security policies. IT, InfoSec, and Operations teams should also be reviewing their own home offices and protocols to ensure alignment on best practices and immediate upgrades/replacements required to work securely from home.
Your organization likely has a SIEM or some other cyber-alerting system. Remember that your IT team will be trying to manage their day-to-day work while dealing with distracted or anxious users asking for computer help and/or taking on rapid-fire projects to cope with new impacts on operations related to coronavirus. This will be especially true in healthcare environments dealing with new locations that need connectivity for medical devices and IoT. Concurrently, managers and directors should be prepared for staffing issues as the current situation affects their workers’ personal lives. CIOs and CISOs must manage for the increased risks and impacts coming while planning for teams to be potentially reduced to skeleton crews. The critical day-to-day tasks related to SIEM and network monitoring must be prioritized to protect your organization.
If the IT team watching for security alerts has to work over the same overtaxed VPN as the majority of the company, you may be taking on too much risk. Save your IT team time by investing in secure alternatives for critical security team members. A best practice is to simply take the burden of network monitoring off their shoulders by outsourcing to a recognized MDR provider.
If your organization uses VPNs, you’ll likely need to expand the program to team members that have never before been in the VPN user base. Since that could be a big lift, you may also want to consider flexible, but effective authentication. If you use O365 or some other cloud identity provider that supports federation, you can likely use those credentials for the VPN.
Split tunneling for VPNs is where the remote laptop is able to communicate both with computers via the VPN and with other computers on the Internet at the same time.
Critical Insight does not recommend split tunnels. Remote users should only be communicating using the company infrastructure while connected to company resources to avoid potential security risks.
Why? The only way to centrally monitor employee activities is while they are connected to the company network. While Microsoft has published some guidance here that essentially says the opposite, it’s primarily focused on IT operations by reducing the load on the VPN. While that’s great for the DevOps team, you want to stop the risk of an external actor using a split tunneled VPN to connect to your corporate infrastructure. Instead, now is a good time to invest in a secure network infrastructure that improves remote access security and supports long-term success.
You are going to do a lot of things out of the norm right now, and so are cross-functional teams and individual staff members. Some of those things will need to be undone quickly. Now is a great time to increase your incident response reporting within the company. If someone thinks something is wrong, set up a dedicated inbox and human to work real-time incident response. It’s better to be overcautious now before remote workers slip into bad habits or ignore red flags they normally would not in the office.
At minimum, you’ll want to do an after-action analysis for the next global event that comes around. Make business contingency plans for how your organization can run during times of pandemic, war, or a nation-state cyber-attack. Some organizations will face audits after coronavirus passes; any policy exceptions you make during this time will be inspected at some point. If you have a regulatory requirement to test your business continuity plan, actually operating the plan certainly meets the requirement as long as you document your activities. Log files, IDS events, netflow data, cloud data, SIEM reports, MSSP alerts, and incident response activities can be stored for later retrieval if needed to report security breaches and meet regulatory or audit requirements.
Today’s rapidly evolving news and global events related to the COVID-19 pandemic will affect every human on the planet. Businesses and organizations and communities around the world are in uncharted waters as we grapple with the impacts of the coronavirus.
Two things are certain when it comes to information security and coronavirus. First, we know that threat actors will seize upon the ensuing disruption, as they always do—and the stakes are higher now than they have ever been before in modern-day history, specifically for healthcare and the public sector. And, with literally hundreds of thousands of remote workers heading home to continue working online, the risks of both intentional and unintentional insider threats will also rise significantly over the next year.