Risk | Commentary
4/17/2020 10:00 AM
Scott Price
'Look for the Helpers' to Securely Enable the Remote Workforce

CISOs and CIOs, you are our helpers. As you take action to reassure your company, your confidence is our confidence.

Folks in the security industry like to talk about which risks are keeping CISOs awake at night. But these days, CISOs don't even get to sleep. COVID-19 has thrust us into a new reality, and even the most-prepared business continuity plans probably did not account for a worldwide pandemic that would simultaneously shutter all of a company's offices.

Cybersecurity professionals are risk averse, and the threat of coronavirus began to bubble up through their social networks well before it reached mainstream media. But even with the benefit of extra days or weeks of preparation, CISOs are still playing catch-up to securely enable home offices. More heavily regulated industries, such as those subject to HIPAA or PCI, are even more unsettled. In addition, we are already witnessing cyberattacks that exploit our fears of the unknown.

Let's take solace in the guidance of Mr. Fred Rogers, who said: "When I was a boy and I would see scary things in the news, my mother would say to me 'Look for the helpers. You will always find people who are helping.'"

CISOs and CIOs, you are our helpers. As you take action to reassure your company, your colleagues, and your board of directors by securely enabling a productive home office, your confidence is our confidence.

However, our paragons of cybersecurity might be concerned that amid all of their action, they are overlooking something important. As recent events have compelled organizations to extend work-from-home policies, many are realizing they have opened themselves up to a whole new threat landscape, putting their corporate systems, their employees, and their compliance initiatives at risk.

The Risk to Corporate Systems Posed by Home Networks
Some of these threats include legacy or unprotected wireless networks, weak passwords, and non-company-owned assets that are not protected by a company mobile device management (MDM) solution. Although there is no way to completely remove the risk, there are ways to minimize the attack surface for employees working from home.

Employees should be using a company-provided laptop that is managed to ensure virus protection and other security patches are installed. If a company has a bring-your-own-device policy, personal devices should instead be enrolled in the organization's MDM solution to ensure they comply with company policies.

Many companies use a VPN or data loss prevention (DLP) software that is meant to restrict and monitor access. All data is sent back to a "home base," and rules are in place to allow or disallow applications and other data. Not every company uses this architecture, however: it can be challenging for companies that operate in a diverse global environment, and VPN and DLP infrastructure is also costly and difficult to maintain, so it isn't an option for every company.

The Risk to Remote Employees
It has always been gauche to suggest that humans are the weakest link, and now it seems downright ghoulish, but the unfortunate reality is that in this period of social distancing, our adversaries will be seeking to take advantage of our isolation. On a more uplifting note, the human element is our greatest strength — we will only overcome these challenges by working together. Security awareness, communication, and collaboration are key to ensuring our success.

Here are a few security awareness reminders that you can share directly with your organization:

  • Do not open email from unknown senders. If something looks suspicious, such as an attachment or URL, don't open it. Pick up the phone if you need to verify the sender, and contact your internal security group to notify them. Maintain a list of up-to-date contact numbers for your colleagues.

  • Be especially vigilant about emails taking advantage of concerns about COVID-19.

  • Only use approved messaging platforms, and do not share sensitive corporate data (such as passwords or customer information) on an unapproved messaging platform.

  • Avoid storing corporate data on personally owned devices. (If your organization does not already have a file-sharing capability, there are various commercial solutions available for your company to consider).

  • Ensure your home network and Wi-Fi connection are secured with a strong encryption protocol such as WPA2 or later. Wired connections are more secure, but encrypted network communication is still recommended.

The Risk to Compliance
Maintaining compliance has never been easy, especially if multiple regulations are involved. But with a remote workforce connecting through home networks, CISOs are now facing an unprecedented level of complexity. Understandably, CISOs are focused on the immediate tactics to enable their remote workforce to remain safely productive, but they should not lose sight of their strategic compliance initiatives. These initiatives will not only help ensure security during this transition but will also demonstrate trust to business partners and customers during these uncertain times.

Compliance management platforms can streamline and automate this process to minimize the time-consuming manual processes. Just as your organization is using technology to safely enable the productivity of remote workers, it can leverage technology to make compliance as efficient as possible.

Working with an experienced partner can accelerate compliance further, because well-defined processes minimize the time required for an audit. Select a provider with the capability to complete testing remotely, where the relevant standards allow it. With the rising popularity of Zoom, video conferencing is an acceptable proxy for in-person meetings.

Ultimately, now is a time for partnerships. For every new digital collaboration, communication, and productivity tool available to the CIO, it is incumbent upon the CISO to enable its compliance with minimal disruption. Remember to look for the helpers.


A-LIGN's Chief Executive Officer, Scott Price, has provided clients with security, assurance, and compliance solutions for nearly 20 years. In this time, he has completed over 2,000 SAS 70/SOC audits and has supported many Global 1000, Fortune 500, and regional companies. In ...