Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/8/2020
10:00 AM
Kurt John
Kurt John
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Key Considerations & Best Practices for Establishing a Secure Remote Workforce

Cybersecurity is challenging but not paralyzing, and now is the moment to educate our employees to overcome these challenges.

As is well known by now, the COVID-19 pandemic forced companies to reposition their workforces nearly overnight. And with roughly 40% of Americans shifting to remote work, it didn't take long for the sophistication and frequency of cyberattacks to increase. With flexible work environments here to stay and bad actors provided with new opportunities for preying on a vulnerable workforce, enterprises must educate employees to effectively manage evolving cybersecurity threats without sacrificing business agility.

Related Content:

Since Remote Work Isn't Going Away, Security Should Be the Focus

State of Endpoint Security: How Enterprises Are Managing Endpoint Security Threats

New on The Edge: RASP 101: Staying Safe With Runtime Application Self-Protection

Below are considerations derived from several key principles highlighted by the global alliance known as "The Charter of Trust," of which Siemens is a founding member. These steps are aimed at protecting businesses of varying sizes and include considerations ranging from employee best practices to basic criteria for hardware selection.

Where to Begin
A robust cybersecurity strategy relies on three pillars focused on establishing digital resiliency:

  1. Comprehensive, yet flexible, foundational policies that support the intersection of business objectives and information protection.

  2. An informed and vigilant workforce that can identify risks and react accordingly.

  3. Risk management solutions that address the evolving threat landscape.

Beginning with foundational cybersecurity hygiene, critical factors to drive digital resiliency include:

  1. Ensuring that employees, the first line of defense, are aware of all available information security resources. Workforce education and empowerment is critical, as it provides employees with the capacity not only to protect their own data but also to serve as the "Human Sensor Network" capable of helping spot suspicious activities.

  2. In the era of remote work, companies need to be more intentional about facilitating employees' understanding of — and engagement with — cybersecurity. Company communication channels are effective tools that should be leveraged frequently to activate on this.

    Ensuring that all company devices are enabled to automatically receive and apply critical software updates/patches without needing to be on the corporate network, empowering remote employees to minimize steps when maintaining digital integrity.
     
  3. Leveraging multifactor authentication (MFA) for all user accounts to provide an added layer of data protection.

"Work from Anywhere" Security
As employees choose to continue to work remotely, security vulnerabilities will persist. To better secure their workforces, enterprises must ensure that employees engage in good cyber-hygiene practices, such as the utilization of strong Wi-Fi encryption and complex passwords. Beyond this, organizations must also consider enacting significant changes to the way they approach data security.

For example, while corporate-issued virtual private networks (VPNs) are useful for securing company data in transit, they can sometimes lock an organization into a rigid configuration that doesn't always lend itself to the ever-evolving technology landscape. And with the pandemic accelerating digitization, we know that technology landscapes will continue to shift. Due to this, organizations should invest in flexible architecture, like zero trust — a broad term denoting a collection of technologies that facilitate the confirmation of users' identities as they traverse corporate resources.

Organizations should consider multiple solutions for authentication so that employees have flexibility based on a variety of scenarios they may experience in their day-to-day, such as second-factor authentication mechanisms, which include text messaging, hardware-issued cards, and mobile applications.  

Organizations should also think carefully about their policies pertaining to employees' personal devices — something that used to be off limits. Now that corporate devices are sharing private networks with potentially insecure devices, it is imperative that employees are provided with guidance and, where necessary, tools to help better bolster security.

In the age of the Internet of Things and connected devices, this is even more relevant than ever before. For example, an unpatched connected washing machine, stove, or thermostat can provide entry points for hackers. Similarly, voice-controlled smart speakers and other connected devices that have the capability to record audio and/or video may pose an eavesdropping risk.

Employees should be encouraged to remove or turn off smart devices and cover webcams when possible to ensure sensitive recordings do not fall into the wrong hands.

The Human Sensor Network
A constant priority for businesses should be continuing to empower employees to be deputized security team members, who can help to proactively identify potential threats and vulnerabilities in real time.

To empower this "Human Sensor Network," employees should be provided with an overview of best practices in confirming email addresses and legitimizing email requests for sensitive information. For example, a reporting protocol can be created for employees to help them report such potentially dangerous requests to create a security ecosystem amongst staff.

Lastly, employees should be consistently encouraged to always be on the defensive — this will help with mitigating unnecessary risks.

Future Opportunities
While these new challenges have arisen unexpectedly and almost instantaneously, if addressed correctly, we can all work together to protect ourselves moving forward. Cybersecurity is challenging but not paralyzing, and it's the right moment to educate our employees while facing these challenges. As cybersecurity remains a critical issue for both the private and public sectors, open lines of communications internally and externally will help improve our collective digital resilience, yielding a safer digital environment for all.

Kurt John is the Chief Cybersecurity Officer of Siemens USA, where he is responsible for the Cybersecurity strategy, governance and implementation for the company's largest market -- ~$23B in annual revenues. In this role, Kurt oversees the coordination of cybersecurity for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.