
Risk

4/17/2020
10:00 AM
Scott Price
Commentary

'Look for the Helpers' to Securely Enable the Remote Workforce

CISOs and CIOs, you are our helpers. As you take action to reassure your company, your confidence is our confidence.

Folks in the security industry like to talk about which risks are keeping CISOs awake at night. But these days, CISOs don't even get to sleep. COVID-19 has thrust us into a new reality, and even the most-prepared business continuity plans probably did not account for a worldwide pandemic that would simultaneously shutter every one of a company's offices.

Cybersecurity professionals are risk averse, and the threat of coronavirus began to bubble up through their social networks well before it reached mainstream media. But even with the benefit of extra days or weeks of preparation, CISOs are still playing catch-up to securely enable home offices. More heavily regulated industries, such as those subject to HIPAA or PCI, are even more unsettled. In addition, we are already witnessing cyberattacks that exploit our fears of the unknown.

Let's take solace in the guidance of Mr. Fred Rogers, who said: "When I was a boy and I would see scary things in the news, my mother would say to me 'Look for the helpers. You will always find people who are helping.'"

CISOs and CIOs, you are our helpers. As you take action to reassure your company, your colleagues, and your board of directors by securely enabling a productive home office, your confidence is our confidence.

However, our paragons of cybersecurity might be concerned that amid all of their action, they are overlooking something important. As recent events have compelled organizations to extend work-from-home policies, many are realizing they have opened themselves up to a whole new threat landscape, putting their corporate systems, their employees, and their compliance initiatives at risk.

The Risk to Corporate Systems Posed by Home Networks
These threats include legacy or unprotected wireless networks, weak passwords, and non-company-owned assets that are not protected by a company mobile device management (MDM) solution. Although there is no way to completely remove the risk, there are ways to minimize the attack surface for employees working from home.

Employees should be using a company-provided laptop that is centrally managed so that antivirus protection and security patches are kept installed and up to date. If a company has a bring-your-own-device policy, personal devices should instead be enrolled in the organization's MDM solution so that each device can be verified as compliant with company policies.

Many companies use a VPN or data loss prevention (DLP) software that is meant to restrict and monitor access. All traffic is routed back to a "home base," where rules allow or disallow applications and other data. Not every company uses this architecture, however: it can be challenging for companies that operate in a diverse global environment, and VPN and DLP infrastructure is costly and difficult to maintain, so it isn't an option for every company.

The Risk to Remote Employees
It has always been gauche to suggest that humans are the weakest link, and now it seems downright ghoulish, but the unfortunate reality is that in this period of social distancing, our adversaries will be seeking to take advantage of our isolation. On a more uplifting note, the human element is our greatest strength — we will only overcome these challenges by working together. Security awareness, communication, and collaboration are key to ensuring our success.

Here are a few security awareness reminders that you can share directly with your organization:

  • Do not open email from unknown senders. If something looks suspicious, such as an attachment or URL, don't open it. Pick up the phone if you need to verify the sender, and notify your internal security group. Maintain an up-to-date list of contact numbers for your colleagues.

  • Be especially vigilant about emails taking advantage of concerns about COVID-19.

  • Only use approved messaging platforms, and do not share sensitive corporate data (such as passwords or customer information) on an unapproved messaging platform.

  • Avoid storing corporate data on personally owned devices. (If your organization does not already have a file-sharing capability, there are various commercial solutions available for your company to consider.)

  • Ensure your home network and Wi-Fi connection are secured with a strong encryption protocol such as WPA2 or newer. Wired connections are more secure, but encrypted network communication is still recommended even then.

The Risk to Compliance
Maintaining compliance has never been easy, especially if multiple regulations are involved. But with a remote workforce connecting through home networks, CISOs are now facing an unprecedented level of complexity. Understandably, CISOs are focused on the immediate tactics to enable their remote workforce to remain safely productive, but they should not lose sight of their strategic compliance initiatives. These initiatives will not only help ensure security during this transition but will also demonstrate trust to business partners and customers during these uncertain times.

Compliance management platforms can streamline and automate this process to minimize the time-consuming manual processes. Just as your organization is using technology to safely enable the productivity of remote workers, it can leverage technology to make compliance as efficient as possible.

Even more so, working with an experienced partner can accelerate compliance because well-defined processes minimize the time required for an audit. Select a provider with the capability to complete testing remotely, as allowed per standards. With the rising popularity of Zoom, video conferencing is an acceptable proxy for in-person meetings.

Ultimately, now is a time for partnerships. For every new digital collaboration, communication, and productivity tool available to the CIO, it is incumbent upon the CISO to enable its compliance with minimal disruption. Remember to look for the helpers.


A-LIGN's Chief Executive Officer, Scott Price, has provided clients with security, assurance, and compliance solutions for nearly 20 years. In this time, he has completed over 2,000 SAS 70/SOC audits and has supported many Global 1000, Fortune 500, and regional companies. In ...