Flexible working arrangements have been a growing trend in recent years, allowing staff to balance office life and the daily commute with working from home. In some cases, organisations have developed a fully remote workforce. This has been possible because the technology and tools that enable these ways of working have evolved in recent years and are now at a point where team collaboration, video conferencing, remote file access and productivity tools are easily accessible.
Putting in place a remote working infrastructure in normal times takes careful consideration to meet security objectives. The global pandemic of COVID-19 has meant that these are not normal times, and organisations that did not already have robust remote working arrangements in place have had to adapt quickly. This has resulted in many businesses scrambling to quickly scale up existing remote-working capabilities or indeed establish the capacity for remote-working. Both entail inherent risks. Organisations faced with the sudden need for most staff to work from home may resort to returning out of date devices into service or relying on employees’ personal devices.
Unsanctioned use of tools or services by staff aiming to plug gaps in their ability to complete tasks is often referred to as ‘shadow IT’. The COVID-19 crisis risks the use of shadow IT becoming more pervasive as staff respond to new remote collaboration challenges by finding their own solutions. As a result, many businesses face the increasing challenge of maintaining the confidentiality and integrity of the data that they process, relying on organisational policies that place staff as the first and last line of defence.
The following are considerations for small and medium businesses with a view towards hardening their security posture in these challenging times.
Having the confidence that devices connecting to company assets meet the minimum security criteria set by the organisation is an important assurance metric. Establishing endpoint security (also known as ‘endpoint protection’), allows an organisation to ensure that connected devices have the latest security patches, anti-virus and malware protection in place and are optimally configured to protect the data that they process. Advanced endpoint protection also offers data loss prevention, threat detection and device management features for company assets including laptops, desktops, mobile devices, tablets and printers.
This enables IT teams to have visibility of evolving threats to the organisation, facilitates incident response management and better protects the organisation’s assets.
Mobile Device Management (MDM)
Mobile device management is an aspect of endpoint security, but worth mentioning as a standalone item as it is often a serious vulnerability for organisations. Many organisations will have mixed approaches to MDM, ranging from “bring your own device” (BYOD) to a fully corporate-owned device model. If employees have access to company data via their mobile devices, this is a threat vector that needs to be considered. You can read more about MDM in a previous article we have written on the subject.
Desktop-as-a-service (DaaS) is a fast-growing cloud computing offering, enabling organisations to provide fully managed desktops and applications to their staff. With strict policy enforcement, full control can be maintained over cloud-hosted virtual desktops and the data that they process, facilitating enhanced security. Solutions such as Microsoft’s Windows Virtual Desktop and Amazon Workspaces are competing offerings in this space.
Virtual Private Network (VPN)
Virtual Private Network connections enable staff to connect to the corporate network, extending an organisation’s private network across a public network, allowing access to company assets as if staff were present in the office. VPN’s are not inherently secure and need to be configured as such, so special consideration needs to be given to meeting the goals of confidentiality and integrity, implementing strong identity and access management procedures for those using VPNs.
There are many VPN solutions on the market. Some are not focused on bridging the company’s private network with remote workers, but rather on ensuring that network communications are routed elsewhere, acting as a proxy for internet communications. These products are useful where there may be a reason to distrust an internet service provider or the network that is being connected from (e.g. hotel or conference Wi-Fi). However, if the goal is to build a private communications bridge between staff and the corporate network, other solutions should be considered. Open source solutions like OpenVPN can be worth considering for these purposes.
Phishing attacks are on the rise during the current crisis and with the recent increase in staff working from home, cybercriminals have spotted an opportunity to target individuals that may otherwise have been better protected within the confines of their corporate networks. You can read more about how to protect your organisation against phishing attacks in this article where we explore the topic.
Addressing the human factors of cybersecurity, by fostering an informed, proactive and enabled workforce (related reading: Password Management Best Practices) is an essential element of an effective cybersecurity strategy. Organisations that invest in this, as well as implementing appropriate technical measures to raise their cybersecurity posture, will be better placed to face an evolving threat landscape and cope with unexpected challenges to business continuity, such as that which we face today.
Recognising the challenges for organisations presented by the COVID-19 situation, the Irish National Cybersecurity Centre (NCSC) has released guidance on working from home, as have the Irish Data Protection Commission (DPC) with regards to protecting personal data while working remotely. Previous guidance issued by the DPC covering controllers and data security is also relevant reading.
Trilateral’s Data Governance and Cyber Risk Team have experience helping organisations evolve their cybersecurity strategy, addressing the technical, organisational and human factors necessary to enable effective business continuity in challenging times. For more information please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.