With the COVID-19 pandemic, more businesses than ever before are having to transition to teleworking. Not only has this become a hindrance for businesses at an economic level, but now cyber threats are becoming more prevalent as more businesses continue to operate in this environment.
Now organizations are wondering how they maintain a sufficient cybersecurity posture when employees are working remotely. This can be a challenge, but it can be accomplished with minimal risk if the organization can plan ahead and choose the right options for their business. If the organization doesn’t expect someone to infiltrate their network, they won’t be protected when someone attempts to. Always prepare for the worst-case scenario.
Start by choosing the best telework option for your business needs and budget:
Virtual Private Network (VPN) Gateway:
VPN gateways create secure access from employee devices to the VPN gateway and, through it, to the internal network. Having a VPN implemented means the organization's enterprise-level cybersecurity measures are extended to the VPN, which acts as a secure tunnel for employees to work through. Some VPN gateways can even extend the business's firewall rules to the employee device no matter where the employee is working.
VPN gateways offer great telework features; however, while communication is protected through a VPN gateway, the employee's computer could still be at risk of transmitting infected data if the computer itself is compromised. VPNs should ONLY be utilized in conjunction with properly configured, company-owned hardware to maintain high security standards and minimize the risk to the internal network. Hardening can be done through DISA Security Technical Implementation Guides (STIGs) or CIS benchmarks for operating systems, browsers, web servers, databases, network devices, etc.
Privileges, Privileges, Privileges!
No telework operation should ignore the danger of not setting the correct privileges for employees working from home. This is an essential step to maintaining a secure, partitioned environment.
Implementing accurate and reasonable privileges provides two major benefits to organizations:
- It prevents employees from accessing data or applications that they shouldn’t have access to.
- It will decrease cyber criminals’ abilities to infiltrate their entire network through a single compromised machine or account.
There is no reason a marketing or sales rep needs the same access to your company data as a security engineer or, higher still, the CIO. Job-specific privileges keep company data safe from insider infiltration while providing each employee with the tools and data necessary to complete their work. When creating user privileges, keep in mind:
Never allow users admin access:
- The only people who should have admin access to your systems are the IT personnel who maintain them, and even then, they should use an admin account only when performing admin tasks like upgrading systems, patching, vulnerability scanning, creating accounts, managing payroll, etc. All users should have a standard, limited user account that cannot alter system settings or privileges, and this is especially important when teleworking. Without the security of an enterprise hardware firewall and business-grade cybersecurity protections, employees' personal computers are at a higher risk of being compromised. If an employee's device is infected and they have admin-level access, cyber criminals can use that unrestricted access to infiltrate the entire environment, change permissions, and steal data or encrypt it for ransom.
Multi-factor authentication (MFA):
- It is not enough to just limit permissions; there are additional layers of security that need to be implemented for the organization's identity and access management strategy. The organization also needs to verify that the person signing in is who they say they are, so add that extra layer of security to validate the user's identity. The DoD (Department of Defense) has a Public Key Infrastructure (PKI) architecture in place so individuals log in with their common access cards (CAC), but for commercial organizations, security tokens and third-party apps like Okta, Duo or Google Authenticator are preferred. Any type of MFA (email, SMS text) is better than no authentication. We want to follow the IAAA workflow: Identify (username) > Authenticate (password, PIN, smartcard, token, biometric, IP, signature) > Authorize (what are they allowed to access) > Accountable (trace an action to a subject's identity).
- Besides keeping the data secure within the organization, segmentation of privileges also means that if a computer is infected with malware or an employee account is compromised, the access cyber criminals have to their organization and its data remains limited.
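The IAAA workflow and job-specific privileges described above, shown end to end as an added Python example (not code from the original article). The user, roles, permission names, password and token secret are constructed assumptions, and a standard RFC 6238 time-based one-time password stands in for the authenticator-app factor.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample data: roles, permissions, user and secrets are hypothetical.
ROLE_PERMISSIONS = {
    "sales": {"crm:read"},
    "security_engineer": {"crm:read", "siem:read", "firewall:write"},
}
SALT = b"constructed-salt"
USERS = {"jdoe": {
    "role": "sales",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),
}}
AUDIT_LOG = []  # (timestamp, username, permission, decision)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 time-based one-time password using HMAC-SHA1."""
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def access(username, password, otp, permission, now=None):
    """Identify > Authenticate > Authorize > Accountable; returns True if allowed."""
    now = time.time() if now is None else now
    user = USERS.get(username)                                  # Identify
    decision = "deny:unknown-user"
    if user is not None:
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
        pw_ok = hmac.compare_digest(pw, user["pw_hash"])
        otp_ok = hmac.compare_digest(otp.encode(), totp(user["totp_secret"], now).encode())
        if not (pw_ok and otp_ok):                              # Authenticate (two factors)
            decision = "deny:authentication"
        elif permission not in ROLE_PERMISSIONS[user["role"]]:  # Authorize (by job role)
            decision = "deny:authorization"
        else:
            decision = "allow"
    AUDIT_LOG.append((int(now), username, permission, decision))  # Accountable
    return decision == "allow"
```

Every attempt, allowed or denied, lands in `AUDIT_LOG` with the identity it was made under, which is what makes the last "A" possible.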
Employees should know how to spot and respond to unusual computer activity, which can be an indicator that malware is present. This can be in the form of a phishing email and social engineering attempts to gain access to a user account. Train employees on who to contact and how to verify that the person asking for access to their device is the correct person. Employees have always been the weakest link in an organization when it comes to cybersecurity, and now with teleworking coming into play, the risk has increased substantially in conjunction with phishing emails.
Teleworking comes with very large risks, but with strong security policies and the right security in place, it is worth the investment.