The coronavirus pandemic has created an unparalleled and urgent challenge for those entrusted with the responsibility for securing digital assets in companies of all sizes.
The new mandates for remote working promulgated virtually overnight have exacerbated the need to secure data traffic and do it at scale.
Simply put, zero trust means never trust, always verify. This model inherently assumes that trust is a vulnerability. As such, the aim is to create a behavioral profile of users and the way they should interact with key company assets. Thereafter, constant monitoring and remediation are used to identify and isolate abnormalities against that benchmark.
Zero trust can be achieved in a myriad of ways, including the use of established frameworks, e.g. ISO, NIST, etc. In an age where brand image can be seriously damaged by breaches and hacks, and may never recover, making sure that the remote environment does not become an avenue for compromise is critical. Various solutions for this model are discussed below.
Multi-factor authentication (MFA)
MFA adds security to critical applications and can be easy to enable on the backend systems. Most users today carry smartphones, and between SMS and authenticators from Google, Microsoft, etc., implementing the frontend piece for MFA is also not complex. Even so, a small pilot to iron out any kinks is recommended before a companywide rollout. Prioritizing those who may have access to sensitive information should be a key focus.
Virtual private networks (VPN)
VPNs can be used to protect and encrypt traffic from users to data centers and cloud-based assets. There are any number of reasonably priced commercial VPNs that can be procured with bulk licensing, and when used together with MFA, they provide a robust foundation to secure all data traffic.
Mobile device management (MDM)
MDM becomes a must-have to manage and control the plethora of devices that remote employees use. These include phones, iPads, laptops, etc. An MDM platform can limit connections to only devices that are either owned by the company or at the very least have been checked to make sure that they have the latest security patches. Additionally, if the device is lost, remote wipe capability allows for securing sensitive information that would otherwise be compromised. Some MDM platforms will also allow company applications to be delivered to the device while limiting the users’ ability to add unapproved applications to it.
Some companies, particularly those that operate in areas like finance or healthcare, where sensitive information needs to be controlled, may prefer to have pre-approved images installed on company devices. This allows the environment to be tightly controlled for security vulnerabilities. It also enables IT departments to provide replacement devices at short notice, should there be a catastrophic failure or loss of a device.
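The three controls described so far (MFA, VPN and the MDM device check) can be combined into a single per-request access decision. The sketch below is an added example, not code from the article or any product it mentions; the class names, the patch baseline dates and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed patch baseline per platform (constructed dates, not from the article).
PATCH_BASELINE = {"ios": date(2020, 3, 24), "windows": date(2020, 4, 14)}

@dataclass
class Device:
    platform: str
    company_owned: bool
    patch_date: date
    reported_lost: bool = False

@dataclass
class Request:
    user: str
    device: Device
    mfa_passed: bool
    via_vpn: bool

def device_admitted(dev: Device) -> bool:
    """Company-owned, or checked against the patch baseline (unknown platform fails closed)."""
    baseline = PATCH_BASELINE.get(dev.platform)
    patched = baseline is not None and dev.patch_date >= baseline
    return dev.company_owned or patched

def evaluate(req: Request) -> tuple:
    """Decide on every request; nothing is trusted from an earlier session."""
    if req.device.reported_lost:
        return "deny", ["device reported lost: block it and issue a remote wipe"]
    reasons = []
    if not device_admitted(req.device):
        reasons.append("device is not company-owned and not verified as patched")
    if not req.via_vpn:
        reasons.append("connection is not through the VPN")
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    return ("deny", reasons) if reasons else ("allow", [])

# Constructed sample requests.
SAMPLES = [
    Request("alice", Device("windows", True, date(2020, 1, 14)), True, True),
    Request("bob", Device("ios", False, date(2020, 3, 24)), True, False),
    Request("carol", Device("android", False, date(2020, 4, 1)), True, True),
    Request("dave", Device("windows", True, date(2020, 4, 14), reported_lost=True), True, True),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, *evaluate(r))
```

Returning the reasons alongside the decision gives the helpdesk and the monitoring team something concrete to act on when a remote user is blocked.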
Staff security enablement
When staff is remote, it is helpful to create self-service portals where employees can reset passwords, etc. This also helps take the pressure off the increased demands on the helpdesk staff.
Having some training materials for staff on the same portal to help them with security-related questions, or guidance on the use of MFA or VPN, etc., is also recommended. When remote work is thrust upon a workforce in an instant, as has happened recently, having an online resource that can provide ongoing clarity on the use of technology can be reassuring for both employees and cybersecurity staff.
Guidance on the use of collaboration tools, particularly their security elements, is also recommended. Today, most employees are forced to use a variety of different tools (Zoom, Microsoft Teams, Skype, WebEx, etc.). Whereas one can standardize on one tool internally, invariably employees are invited to meetings with external stakeholders, where the tool being used may be different.
In recent days, there have been a lot of concerns about security and privacy while using Zoom. Guidance on the secure use of the most-used tools is therefore desirable.
When staff is asked to work from home, the perimeter that now must be secured and supported also scales. It is common to have employees ask for help with their home internet connections, configurations, troubleshooting and security. It would be reasonable to make accommodations for such calls.
Another factor is the staff security awareness regimen. Bad actors are still looking at common vectors like phishing to exploit employee behavior, and making sure that employees are aware of how they can protect themselves and company assets is well worth the investment. There are many third-party tools that make security awareness easier to deploy, manage and monitor.
Disaster recovery and business continuity take on a renewed emphasis in a remote workforce culture. Making sure that there is a clear and articulated policy around BCP, and that testing is done to validate it and simulate a failure, is always a good idea. Making sure that asset owners and users are aware of the response and restore time objectives is recommended.
Enhanced resiliency and monitoring
It is imperative that thought is given to enhancing the monitoring and remediation of internet-facing systems. Today, some or all of this can be outsourced to companies that specialize in this kind of work.
The task of securing a dispersed workforce is not insurmountable. Over the years, there has been a movement towards architecting and deploying flexible and secure work environments, including for remote work.
Those companies that reacted to these market changes early now find themselves in an advantageous position as they respond to the current circumstances.