How to do connectivity well during COVID while under extreme budgetary restraints.
By Kevin Hayes
CISO, Merit Network Inc.
With so many organizations facing the challenge of work-from-home scenarios, the conditions for compounding security issues are increasingly prevalent. Whether people are using traditional VPNs, teleconference software, cloud-based services or remote desktop gateways, internal resources reached from outside the office expose employees to potential threats daily. In this unprecedented climate of extreme budgetary and staff restraints, institutions need to leverage proper security practices, trust in their team members and use specialized tools to remediate long-term remote security and connectivity concerns.
Controlling personally owned vs. company-owned computer usage is a developing issue. Many staff members' home computers lack the built-in security features that IT administration could otherwise monitor and enforce. When family members or children are using the same computing device, there is no guarantee of avoiding malware or viruses. Certificate authentication, which identifies a user, machine or device before granting access to a resource, network or application, adds an additional layer of protection. Many Virtual Private Network (VPN) programs check for drive encryption, antivirus and malware status, and a recent scan before allowing access. Routing connections through a remote desktop gateway or other security device can filter out unwanted reconnaissance before it reaches internal systems.
Additional security policies cover password and identification security and employee access considerations. Two-factor authentication needs to be everywhere. Organizations must apply it consistently and make it an enforceable standard on every system employees access. Multi-factor login is not the end of the story: once an employee connects to the VPN, they should be given access only to the applications and systems they need. Open access to your organization's environment is a security threat. All users should be granted the level of access they need, and nothing more.
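The two controls described above, a posture check before the VPN admits a device and a per-role allowlist so the session reaches only the applications that role needs, can be expressed as a small policy decision. The following is an added illustration, not code from the article or from Merit Network; the posture field names, the role-to-application mapping and the sample devices are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Posture data a VPN client might report before the tunnel is admitted.
# The record shape and field names are assumptions for this example.
@dataclass
class DevicePosture:
    cert_subject: Optional[str]   # subject of the presented client certificate, None if none
    disk_encrypted: bool
    antivirus_running: bool
    malware_detected: bool
    last_scan: datetime           # timestamp of the most recent antivirus/malware scan
    mfa_verified: bool            # second factor completed for this session

# Least privilege: each role lists only the applications it needs (constructed mapping).
ROLE_APPS = {
    "finance": {"erp", "payroll"},
    "helpdesk": {"ticketing", "rdp-gateway"},
}

# A scan older than this is treated as "no recent scan" (assumed policy value).
MAX_SCAN_AGE = timedelta(days=7)


def posture_failures(posture: DevicePosture, now: datetime) -> List[str]:
    """Return every posture check that fails; an empty list means the device passes."""
    reasons = []
    if posture.cert_subject is None:
        reasons.append("no client certificate presented")
    if not posture.mfa_verified:
        reasons.append("second factor not verified")
    if not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    if not posture.antivirus_running:
        reasons.append("antivirus not running")
    if posture.malware_detected:
        reasons.append("active malware detection")
    if now - posture.last_scan > MAX_SCAN_AGE:
        reasons.append(f"last scan older than {MAX_SCAN_AGE.days} days")
    return reasons


def access_decision(role: str, posture: DevicePosture,
                    requested_app: str, now: datetime) -> Tuple[str, List[str]]:
    """Posture gate first, then the per-role allowlist.

    Returns ("allow" | "deny", list of reasons). A device that fails posture is
    denied everything; a healthy device is still limited to its role's applications.
    """
    reasons = posture_failures(posture, now)
    if reasons:
        return ("deny", reasons)
    allowed: Set[str] = ROLE_APPS.get(role, set())  # an unknown role is granted nothing
    if requested_app not in allowed:
        return ("deny", [f"role '{role}' is not granted '{requested_app}'"])
    return ("allow", [])


# Constructed sample data: a managed laptop in good standing and a shared home PC.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
HEALTHY_LAPTOP = DevicePosture("CN=alice-laptop", True, True, False,
                               NOW - timedelta(days=2), True)
STALE_HOME_PC = DevicePosture(None, False, True, False,
                              NOW - timedelta(days=30), True)

if __name__ == "__main__":
    print(access_decision("finance", HEALTHY_LAPTOP, "erp", NOW))
    print(access_decision("finance", HEALTHY_LAPTOP, "rdp-gateway", NOW))
    print(access_decision("finance", STALE_HOME_PC, "erp", NOW))
```

Every failed check is reported rather than just the first one, so the help desk can tell a user exactly what to fix on a home machine, and the allowlist is evaluated only after posture passes, which keeps an unhealthy device from learning which applications its role would have reached.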
Cloud-based services are great! They provide a smoother and more frequent method of consistent contact with customers and clients. However, just because the tool is in the cloud does not mean security concerns disappear. Always question the privacy policy, where the data is stored, and whether it is encrypted at rest and in transit. Is this application generating logs? Often we rely on the core system in the cloud being closely guarded, but in reality it's not. Even the service itself may not be aware of this golden opportunity for attackers. All a cloud needs to exist is someone else's computer. As data owners, we take on 100% of the responsibility, no matter where our information is being held.
Disaster Recovery (DR) planning and people management go hand-in-hand. What use is a plan for staff if they don’t understand how to implement it? While the best method to show the importance of rules is to lay out the consequences or aftermath, your company needs to properly instruct and provide sufficient resources for staff to smoothly enact your plans.
When DR planning, make sure you can restore your systems after any failure, regardless of whether staff are working from home or the office. Collaboration and communication software should be well-vetted and must withstand the stress and pressure of an outage or security incident. Finally, all staff should know how to contact each other and how to hold impromptu meetings in which technical, procedural and policy-based information can be shared easily. The number one killer of a DR plan is changing the underlying environment without documenting and recording all of the changes. Always get plans and edits vetted by everyone involved. Without their acceptance and buy-in, it won't be worth the effort to change it.
Your organization might consider joining Merit’s Security Community of Practicing Experts (SCOPE) to collaborate and share security best practices with similar organizations. Merit’s affordable CISO Consulting Service can assess current IT policies, standards and procedures and provide gap analysis for any size institution, all without the expense of hiring a full-time security officer.
Inept security measures can be catastrophic. Develop and provide detailed guidance to staff and always garner the support and feedback of stakeholders and leadership. With proper plans in hand, create a capable and well-informed team prepared to handle any issue. I am personally astounded by the willingness of staff to bond in uncertain times. If organizations develop a proper plan for this new landscape, upheld by a positive work culture sustained by trust and camaraderie, we can all continue business operations as close to the idea of normal as we can.