Remote Working – A Reflection and Projection
MGM Resorts and Estee Lauder were the latest in a series of high-profile organisations to suffer a security breach in which millions of records, including personal details, were leaked. Then a pandemic arrived and affected all of our lives. Most organisations responded as required; some enacted their existing operational resilience plans and continued as they had prepared to.
In almost all circumstances, employees who were retained had to adapt to a new way of working. With communal spaces now mostly off limits, operations had to continue remotely, and with that the threat of serious data breach and infrastructure failure increased significantly.
Working from home – the new normal?
It would be fair to say that working from home has become a new reality for many, both in response to the pandemic and as an evolutionary step in the way we operate. The enablers needed for virtual working have proven effective, and beyond the current pandemic it may well be that a return to the early 2020 model is no longer palatable for many organisations. Major tech organisations such as Twitter and LinkedIn have even adopted policies that allow employees to work remotely on a permanent basis. This is no longer just an initiative to attract talent and demonstrate flexibility.
Increased risks & new attack vectors
A direct consequence of this new way of working is a huge increase in the number of assets connecting from remote locations, including personal devices connecting directly to business infrastructure. Both represent a significant security threat and increase an organisation's exposure to malware, identity theft and ransomware. This is not scaremongering: a rudimentary search in any search engine will show how it has affected organisations.
Further, almost 40% of decision makers polled in a Censuswide survey (on behalf of Centrify) in Aug 2020 reported that dismissing employees for breaching cybersecurity policy had been necessary since Mar 2020. This includes personnel attempting to circumvent security controls such as mandatory password changes and restrictions on the use of personal devices. Over half (55%) of the same decision makers said they would now make it policy to ban personal devices from normal operations.
NQA produced a webinar during the early months of the pandemic to outline some of these risks in more detail and give an initial look at the response mechanisms to be considered. That webinar can be found HERE.
ISO 27001 and, by extension, ISO 27701 require organisations to consider, understand, control, test and review these risks in the context of their business. Further, the risk framework set out in these standards ensures that appropriate ownership and management oversight is applied to the whole process; quite simply, an effective management system should provide visibility of potential issues across an organisation.
Security at home
Organisations with ISO 27001 certification already have a mandate to ensure that personnel are aware of policies and practices. However, remote working brings unique challenges in extending those policies to a domestic or non-traditional environment. Organisations must give their employees the tools to counter the threats that stem from remote work. I’ve noticed this take shape during the past year. Because all organisations rely heavily on email and the web to be operationally effective, raising awareness of threat indicators is now a mandatory activity if those threats are to be prevented rather than realised.
From this point, employees can identify issues and know how to report them to the most appropriate person or team. By sharing this responsibility and encouraging staff to take part in security operations, more organisations have been able to prevent issues rather than respond to them. In some cases this has required something of a culture shift; quite simply, the more open and honest an organisation is, the better its overall security picture and the less likely another high-profile or damaging attack becomes.
How to stay safe working remotely
VPN
This is not just a domestic problem. Outside of a pandemic, many of us would ordinarily connect via public Wi-Fi in coffee shops, hotels, airports and restaurants. By using these connections insecurely, personnel create an easy target for attackers to intercept personal and business data.
The use of a Virtual Private Network (VPN) should be considered almost mandatory to secure operational information in transit. Further, the VPN solution must be sized for the anticipated number of users; one lesson from the last year has been the failure to anticipate an organisation's entire employee base attempting to use the VPN at the same time. Ensure the infrastructure (licences, concentrator capacity and bandwidth) is in place to make this effective.
Two-factor authentication (2FA) is a more secure way to access productivity tools and applications. In addition to a username and password, personnel are asked to verify themselves with a second factor tied to a device unique to the user, such as a mobile phone or tablet. This simple but highly effective second step is difficult for criminals to beat, since a stolen password alone is no longer enough. Note that one-time codes can still be relayed by a convincing phishing page in real time, so 2FA reduces rather than removes the need for the awareness training discussed below.
Using a strong password that is unique to each account or application (never reused across services) is considered best practice, because it limits the damage if any one account is compromised. Many circles also still regard regular password changes as best practice, although current NIST guidance (SP 800-63B) favours changing passwords on evidence of compromise rather than on a fixed schedule. Keeping on top of all of this can be tricky, so many organisations have introduced a mandated password manager (or vault) to simplify the process.
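As an added illustration that is not part of the original article, the following Python example implements the time-based one-time password scheme (TOTP, RFC 6238 built on HOTP, RFC 4226) that most authenticator apps use, together with the server-side check a practitioner would want: a small clock-drift window, a constant-time comparison, and refusal to accept a code that has already been used. The secret is the published RFC test-vector key and the timestamps are constructed for the example; in a real deployment the secret is generated randomly per user at enrolment and stored only server-side and on the user's device.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret, used here only so the outputs are checkable.
# A real deployment generates a random per-user secret at enrolment.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects 4 bytes
    code = (
        (mac[offset] & 0x7F) << 24                # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the Unix epoch.
    This is the value the authenticator app on the phone displays."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the counter that matched, or None.

    window:       how many steps either side of 'now' to accept (tolerates clock drift).
    last_counter: highest counter already accepted for this user; anything at or below it
                  is refused so a code captured by an attacker cannot be replayed.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now = timestamp // step
    for candidate in range(now - window, now + window + 1):
        if candidate <= last_counter:
            continue
        # compare_digest avoids leaking which digits matched via timing
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    t = 59                                        # constructed timestamp (RFC 6238 vector)
    code = totp(SECRET, t)                        # "287082": what the phone shows
    first = verify_totp(SECRET, code, t)          # accepted, returns counter 1
    replay = verify_totp(SECRET, code, t, last_counter=first)   # same code again: None
    print(code, first, replay)
```

The point for a remote-work setting is that the shared secret never crosses the network: the phone and the server each derive the code from the secret and the current time, so a password harvested from a public Wi-Fi session or a leaked breach dump is useless on its own. The server must persist the returned counter per user, because without the replay check a code relayed by a phishing page within its 30-second window would be accepted.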
Phishing, Spear-phishing, Whaling & Smishing
Hopefully by now this message is widely understood, but leave nothing to chance. There has been a tangible increase in attempts by criminals to exploit the new working model examined in this blog. This includes playing on fears about Covid testing, attempts to sell face masks and other Covid-related fear-mongering.
Add this to the already busy backdrop of attempts to elicit a response from unsuspecting employees and top management, and you have a dangerous, emotive and ultimately profitable endeavour that criminals are directing at you. Your organisation must raise awareness and conduct the necessary training to be fully effective and genuinely prepared.
This includes running mock phishing campaigns to understand how employees actually respond; this practice is certainly revealing and can show the full extent of any problem.
Enforce patches and software updates
Some of the high-profile cases briefly discussed in this and other blogs can be traced back to software that was never updated. When working at home, or browsing normally on our personal devices, I would guess that a number of us click away the “update browser now” box that periodically appears.
This should not happen on assets provided to us by our organisations. Patches for identified security problems, and updates to defensive tools, should not be delayed. Organisations must have both visibility and ownership of this process and ensure that nothing is left to chance across their user groups.
Don’t forget the paper!
Whilst electronic data can fall into the wrong hands, hard-copy paper documentation remains a significant source of security breaches. Consider the amount of paper you use day to day and the information it contains that would be useful to criminals. Make shredding and secure disposal a feature of your home office if you have the resources to do so. If not, keep hard-copy information to a minimum and secure it at all times.
In all of the things explored in this blog, technology provides only part of the solution. Asset control, access management, encryption, secure messaging, review of network arrangements and backup/restore functions are perhaps the most commonly encountered technical controls. However, read deeper into some of the more recent breaches and look at the statistics across all breach activity and you will find that human error still plays a significant role.
Training and awareness cannot be overlooked and should be the foundation on which the overall security picture is built. Security is not the sole responsibility of the CEO, IT management or the facilities manager; it is something each person is responsible for. Nobody wants to be put under the spotlight in these challenging circumstances because of a security breach, least of all organisations, which inevitably lose customer confidence when breaches are reported. Take the steps necessary to review what you have in place right now and ask yourself: could this be improved? More often than not, there is more you can do.
Authored by: Barri-Jon Graham, NQA Regional Assessor