7 Ways to Keep Your Remote Workforce Safe
These tips will help you chart a course for a security strategy that just may become part of the normal way organizations will function over the next several years.
Working from home is not going away anytime soon. Cases in point: Amazon's staff will work from home until after the first of the year, while Google's team will stay home until July 2021.
Whether your company takes its lead from the big tech companies or plans a gradual return, it's clear that security pros have to accept that their job is now to run a workable security model at a time when the traditional network perimeter has been all but obliterated.
In talking to a series of industry experts, it became clear that new approaches are needed given that security teams have for years run their remote access operations over a limited number of VPN connections. Now they have to find better ways to segment networks and lock down applications. Security teams also need to set up "virtual water coolers" where their remote staffs can report incidents and discuss technology issues.
Here are seven tips to chart a course for a security strategy that just may become part of the normal way organizations will function over the next several years. Face it: We're not going back to the way it was.
Dan Petro, a lead researcher at Bishop Fox, says it's unrealistic for companies with 1,000 or more remote workers to run VPN connections out to all those employees. Rather, security teams need to reassess how they manage virtual private networks, he says. For example, only five or 10 HR people need access to the HR data, and only another slice may need access to financial data or source code. Petro says the pandemic has forced security teams to more effectively organize their VPN connections, which in the long run will make their networks more efficient and, thus, more secure.
Matt Gayford, principal consultant at the Crypsis Group, says while Remote Desktop Protocol (RDP) sessions let employees rapidly access their organizations' resources, they are not without risk. There's no silver bullet to prevent RDP attacks, but businesses can employ defense-in-depth strategies to deliver the best security posture possible. Companies should implement controls at each step in the remote work process, starting from the connection. They should use VPNs that use multifactor authentication (MFA) to protect the point of access. MFA, used in combination with a VPN, can help protect the account from a brute-force or credential reuse attack.
As for other tips on locking down RDP sessions, Gayford advises the enforcement of strong password and lockout policies. Threat actors are known to launch automated attacks by guessing passwords in sequence, known as brute-force attacks. Adopting a strong password policy can reduce the risk of a successful brute-force attack. Also, only allow RDP connections on devices that require them. Many organizations choose to enable RDP on all devices, but doing so exponentially increases the attack surface. Finally, attackers are constantly sweeping the Internet for devices where the standard RDP port (3389) remains open. Changing to a different port prevents your organization from showing up on default port sweeps.
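The lockout advice above targets sequential password guessing. As an added example (not from the article or from Gayford), this Python detector flags that pattern in logon records and notes whether a success followed. The comma-separated log format and sample records are constructed; event IDs 4625/4624 (failed/successful logon) and logon type 10 (RemoteInteractive) are the standard Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, event ID, logon type, account, source IP
SAMPLE_LOG = """\
2020-08-03T02:14:01,4625,10,administrator,203.0.113.45
2020-08-03T02:14:03,4625,10,administrator,203.0.113.45
2020-08-03T02:14:05,4625,10,administrator,203.0.113.45
2020-08-03T02:14:07,4625,10,administrator,203.0.113.45
2020-08-03T02:14:09,4625,10,administrator,203.0.113.45
2020-08-03T02:14:11,4624,10,administrator,203.0.113.45
2020-08-03T08:59:40,4625,10,jsmith,198.51.100.7
2020-08-03T08:59:55,4625,10,jsmith,198.51.100.7
2020-08-03T09:00:10,4624,10,jsmith,198.51.100.7
2020-08-03T09:05:00,4625,2,jsmith,-
"""

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"
# Assumption: RDP logons appear as type 10. With Network Level Authentication,
# failures are often recorded as type 3 (network); add "3" if that applies.
RDP_LOGON_TYPES = {"10"}

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return [(source_ip, account, peak_failures_in_window, success_followed)]."""
    recent = defaultdict(deque)  # (ip, account) -> failure times inside the window
    alerts = {}                  # (ip, account) -> (peak failures, success seen)
    for line in log_text.strip().splitlines():
        ts, event_id, logon_type, account, ip = line.split(",")
        if logon_type not in RDP_LOGON_TYPES:
            continue  # ignore console and other non-RDP logons
        when = datetime.fromisoformat(ts)
        key = (ip, account.lower())
        if event_id == FAILED_LOGON:
            q = recent[key]
            q.append(when)
            while when - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                prev = alerts.get(key, (0, False))
                alerts[key] = (max(prev[0], len(q)), prev[1])
        elif event_id == SUCCESS_LOGON and key in alerts:
            # A success after a flagged burst suggests the guess worked.
            alerts[key] = (alerts[key][0], True)
    return [(ip, acct, n, hit) for (ip, acct), (n, hit) in sorted(alerts.items())]
```

Setting `threshold` at or below the account lockout threshold means the alert fires no later than the lockout itself; the user who mistyped a password twice stays below it and is not flagged.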
Bishop Fox's Petro says it's also unrealistic to expect that network managers and security pros will have the bandwidth to configure and segment network routers for companies with thousands of employees. That is why employees should understand the basics of network segmentation, he advises.
Essentially, most network routers allow for at least two or three SSIDs, or primary names assigned to a wireless network. So work-from-home staff should set up a guest network for any friends or family who need to use the network and a second segment for personal devices. This includes iPads, smartphones, game systems, televisions, and any other IP-enabled devices. Finally, employees need to set up a third segment for their work devices.
In most situations, Petro adds, workers will want to set up their printers on the work segment. For a deep dive into network segmentation, Bishop Fox posted this blog last month.
With employees working from their homes, data egress via email, cloud, and USB was 80% higher in the first month following WHO's COVID-19 pandemic declaration, says Tim Bandos, vice president of cybersecurity at Digital Guardian. On top of that, more than 50% of observed data egress was classified data.
Top executives who believe returning to the office and its security protections will return their companies to an acceptable risk level need to rethink their positions, Bandos adds. Many global healthcare and government leaders now accept that because of the continued pace of infections from COVID-19, work-from-home will be with us for the foreseeable future. This should increase the urgency for executives and security teams who oversee a remote workforce to prioritize data protection vs. waiting to get back to the office and simply hoping to avoid data loss until that time.
For decades, IT and security teams focused on network security around the perimeter. While that has been changing for a while now due to more workers using mobile devices, the speed of change has gone into hyperdrive now that most people at companies are working from home, says Andy Ellis, chief security officer at Akamai. By focusing on applications, in the event one gets compromised, only that application gets exposed, not the full corporate network.
"Security pros have to wonder how many open microphones are in the home and what are spouses and kids exposed to," he says. "That's why we have to focus more on authenticating the applications themselves. If an app gets compromised, it doesn't open up the entire corporate network to the attacker."
Security pros need to consider a more application-centric approach to security, Ellis advises. By using X.509 certificates and integrating with a passwordless solution, security teams make it possible for users to authenticate almost automatically when accessing applications. All they have to do is click "Yes" when asked if they requested access to the application; the authentication was already done behind the scenes. By authenticating at the application, the company's dependency on VPNs to get work done remotely is reduced. This, in turn, reduces VPN costs and removes the inherent vulnerabilities of users logging on to the full corporate network.
Picking up on the point Akamai's Ellis made on application security, Rob McDonald, executive vice president of platform at Virtru, says security pros also need to protect the data inside the application. They should consider tightly integrating their applications with the Trusted Data Format (TDF), which operates as a protective wrapper around the specified content, he says.
The TDF, an open standard first developed by Virtru, allows fine-grained access control for files and attachments, including emails, PDFs, Office files, photos, and videos. Although it was originally invented to protect the most sensitive data shared between federal intelligence agencies, anyone can use the TDF today to protect the privacy of their emails and other stored data.
Beyond Identity CTO Jasson Casey says security pros need to confront the work-from-home period by accepting three principles: The Internet is the network. Cloud providers are the new data centers. And any device can now be used as a work device.
What does all that mean? In a nutshell, at a time when people are working from home and using mobile cloud applications more than ever, the old system of user names and passwords just doesn't cut it, Casey says. Organizations need the ability to have people doing work from home on any device without worrying that the network has been compromised and without overloading the company's VPN.
Companies can achieve this through tight integration between a single sign-on tool, an identity management provider, and a security device posture that assesses the security of the device's software/versions, patches, and passcodes, Casey says. From a user perspective, it means they can sign on from any device and authenticate without passwords by leveraging biometrics. For workers, it means they can use any device to get work done. For the help desk, it means they don't spend their days resetting passwords. For the higher-level engineers, it means they can focus more on deploying more cloud apps that will help the business. And for security pros, it means having visibility into the security posture of the device, which lets security teams weigh the impact of application access against the current risk of a device.
In-house security teams were taxed well before the onset of a global pandemic, but COVID-19 has exacerbated the talent shortage even further, says Digital Guardian's Bandos, adding that the company's customers have noticed a 62% increase in malicious activity. Today, companies need to enlist every employee to become a part of the security effort. Organizations should continue to offer security awareness training to keep their first line of defense strong. Companies won't catch every phishing email, but training can reduce the number of phishing attacks that can potentially put sensitive data at risk.