The explosion in people working from home in the last few months has been phenomenal. Research from the ONS reveals that the number of employees carrying out their jobs remotely rose from around five percent in 2019 to between 45 and 48 percent following the lockdown. That’s almost a 10-fold increase which took place in the space of a few days. In order to cope, CISOs and IT security teams had to rapidly implement processes that enabled people to remotely work while at the same time keeping corporate data safe and secure.
As we gradually move out of lockdown to a “new normal”, home working is likely to be significantly more popular than before the pandemic.
To ensure long-term network security, firms will need to create sustained strategies that revisit the quick fixes made to accommodate a dramatic overnight change in working habits. Now, as the lockdown eases and we prepare for workplaces to start re-opening, these strategies will have to cover not only how employees can securely work remotely on a more flexible basis, but also how to mitigate the risks so that the corporate network is not overwhelmed by new threats that may have been overlooked.
Unless businesses already had the technology and processes in place to enable employees to work from home, there would have been a rush to get these sorted in the brief time between being notified of lockdowns and the enforcement taking effect. This would undoubtedly have led either to gaps in security or to restrictions on what employees could do remotely, which would hamper productivity; neither of these is desirable for businesses that are already struggling with the new realities of the world.
One issue is that employees forced to use their own devices, which would most likely have lacked the security measures of their corporate-managed devices, could have left sensitive data exposed when they accessed, shared and downloaded folders and files.
Those that are using company-issued devices can still be at risk, maybe even more so. In the rush to get systems set up, many risk assessments and best practices, such as not using default settings, might have been overlooked, leaving an organisation exposed. For instance, many businesses run Windows 7, which is no longer supported by Microsoft and presents a serious security risk. If employees take those devices running Windows 7 out of the work security perimeter that was offering at least some protection, that creates a huge risk. If they’ve not already done so, businesses need to urgently look at the risks these exposed systems present and mitigate them at the earliest opportunity. This entails going through the same rigorous checks that they would do for any remote worker in more usual circumstances.
Another concern is that cyber criminals could be “sowing the seeds” of a future cyber attack against an organisation. They achieve this by implanting malware into an unprotected device, which will activate and spread once it is reconnected to the corporate network. To deal with this, organisations should put any returning devices into temporary quarantine, so that they can be checked before they are allowed back onto the corporate environment.
Longer term strategies
CISOs and IT security teams now need to look to securing their corporate networks for the long term without adversely impacting the productivity of workers.
The first thing to do is to make decisions about who can access which systems, applications, files and folders. This is no longer just about their job role, but also how secure their access is. Those who have been identified as having access to sensitive information might be required to satisfy more security controls to maintain access to the sensitive data, applications or systems.
Businesses also need to implement and enforce acceptable use policies about what employees can and can’t do on their work devices. For instance, not using the device for personal reasons or letting others in the household use it while logged on with a corporate identity. To ensure employees are following these policies the IT security team will need to look at service usage.
Further, if employees want to use new collaboration tools, they need to check with IT security that they won’t pose a risk to the organisation. This enables the IT admins to do their due diligence, such as risk assessments and data impact assessments, to verify whether or not an application is safe to use. It’s about finding a happy medium where security is maximised as much as possible without causing friction.
To overcome the issue of variable device security, businesses must look at identity and access control. This starts with verifying the identity of users before they access sensitive information. Hand in hand with this, firms need to implement a policy of least privilege, where employees can only access the files and folders they need to do their jobs and nothing else.
As a “quick fix” to the sudden increase in homeworking, many CISOs will either have deployed or be planning to deploy VPN and MFA to help protect their corporate network, but these are only part of the solution.
IT security teams should also consider Privileged Access Management (PAM) to control who can access and use privileged accounts. A PAM solution generates complex passwords for those accounts, rotates them automatically and uses proxies to broker connections to systems. By removing the human element, there is no need for home workers to remember passwords or share them with colleagues to get the job done.
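The access decisions described above (a per-role allow-list for least privilege, stronger controls such as MFA and a managed device for sensitive data, refusing devices still in returning-device quarantine, and flagging unsupported operating systems such as Windows 7) can be encoded as a single deny-by-default policy check. The following is an added illustration, not code from the article or from Thycotic; the roles, resources and the unsupported-OS list are constructed sample data.

```python
from dataclasses import dataclass

# Assumption: kept in sync with vendor end-of-support dates (constructed list).
UNSUPPORTED_OS = {"Windows 7"}

# Least privilege: each role has an explicit allow-list mapping resource -> sensitivity.
# Anything not listed is denied. Roles and resources are constructed sample data.
ROLE_RESOURCES = {
    "finance": {"payroll": "sensitive", "expenses": "internal"},
    "marketing": {"campaigns": "internal"},
}


@dataclass
class Device:
    managed: bool               # corporate-managed vs. employee-owned
    os_name: str
    quarantined: bool = False   # returning device awaiting checks before rejoining the network


@dataclass
class Session:
    role: str
    mfa_passed: bool
    device: Device


def evaluate_access(session: Session, resource: str):
    """Deny-by-default policy check. Returns (allowed, denials, warnings)."""
    denials, warnings = [], []
    allow_list = ROLE_RESOURCES.get(session.role, {})
    if resource not in allow_list:
        return False, ["resource not in role allow-list (least privilege)"], warnings
    if session.device.quarantined:
        return False, ["device is in returning-device quarantine"], warnings
    unsupported = session.device.os_name in UNSUPPORTED_OS
    if allow_list[resource] == "sensitive":
        # Sensitive data requires the stronger controls: MFA, managed device, supported OS.
        if not session.mfa_passed:
            denials.append("MFA required for sensitive data")
        if not session.device.managed:
            denials.append("managed device required for sensitive data")
        if unsupported:
            denials.append(f"unsupported OS ({session.device.os_name}) cannot reach sensitive data")
    elif unsupported:
        # Internal data: allowed, but flag the device for remediation.
        warnings.append(f"unsupported OS ({session.device.os_name}); schedule upgrade")
    return not denials, denials, warnings
```

Every denial carries a reason, so the same function can feed both the enforcement point and the usage review the article recommends.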
We live in extraordinary times. CISOs and IT security teams have done an amazing job in securing their corporate networks in the face of the most rapid and dramatic change to their IT environments. Now that things have settled down and homeworking looks like it is here to stay, it is time to think about how this can be made a success in the long term to make sure productivity and security are as effective as possible.
Author: Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic