Scott Price
'Look for the Helpers' to Securely Enable the Remote Workforce

CISOs and CIOs, you are our helpers. As you take action to reassure your company, your confidence is our confidence.

Folks in the security industry like to talk about which risks are keeping CISOs awake at night. But these days, CISOs don't even get to sleep. COVID-19 has thrust us into a new reality, and even the best-prepared business continuity plans probably did not account for a worldwide pandemic that would simultaneously shutter all of a company's offices.

Cybersecurity professionals are risk averse, and the threat of coronavirus began to bubble up through their social networks well before it reached mainstream media. But even with the benefit of extra days or weeks of preparation, CISOs are still playing catch-up to securely enable home offices. More heavily regulated industries, such as those subject to HIPAA or PCI, are even more unsettled. In addition, we are already witnessing cyberattacks that exploit our fears of the unknown.

Let's take solace in the guidance of Mr. Fred Rogers, who said: "When I was a boy and I would see scary things in the news, my mother would say to me 'Look for the helpers. You will always find people who are helping.'"

CISOs and CIOs, you are our helpers. As you take action to reassure your company, your colleagues, and your board of directors by securely enabling a productive home office, your confidence is our confidence.

However, our paragons of cybersecurity might be concerned that amid all of their action, they are overlooking something important. As recent events have compelled organizations to extend work-from-home policies, many are realizing they have opened themselves up to a whole new threat landscape, putting their corporate systems, their employees, and their compliance initiatives at risk.

The Risk to Corporate Systems Posed by Home Networks
The threats include legacy or unprotected wireless networks, weak passwords, and non-company-owned devices that are not enrolled in a company mobile device management (MDM) solution. There is no way to remove the risk completely, but there are ways to shrink the attack surface that employees working from home expose.

Employees should be using a company-provided laptop that is centrally managed, so that endpoint protection is running and security patches are applied. If the company has a bring-your-own-device policy instead, personal devices should be enrolled in the organization's MDM solution so they can be checked for compliance with company policies before they touch corporate data.

Many companies route remote access through a VPN and use data loss prevention (DLP) software to restrict and monitor what flows in and out. Traffic is sent back to a corporate "home base," where rules allow or block applications and data transfers. Not every company uses this architecture: it is hard to operate for companies with a diverse global footprint, and the VPN and DLP infrastructure is costly to build and maintain, so it isn't an option for everyone.

The Risk to Remote Employees
It has always been gauche to suggest that humans are the weakest link, and now it seems downright ghoulish, but the unfortunate reality is that in this period of social distancing, our adversaries will be seeking to take advantage of our isolation. On a more uplifting note, the human element is our greatest strength — we will only overcome these challenges by working together. Security awareness, communication, and collaboration are key to ensuring our success.

Here are a few security awareness reminders that you can share directly with your organization:

  • Do not open email from unknown senders. If something looks suspicious, such as an attachment or a URL, don't open it. Pick up the phone if you need to verify the sender, and notify your internal security group. Maintain an up-to-date list of contact numbers for your colleagues so that out-of-band verification is actually possible.

  • Be especially vigilant about emails taking advantage of concerns about COVID-19.

  • Only use approved messaging platforms, and do not share sensitive corporate data (such as passwords or customer information) on an unapproved messaging platform.

  • Avoid storing corporate data on personally owned devices. (If your organization does not already have a file-sharing capability, there are various commercial solutions available for your company to consider).

  • Ensure your home network and Wi-Fi connection are secured with a current encryption protocol such as WPA2 or WPA3, not WEP or an open network. Wired connections avoid the wireless exposure, but encrypting the traffic itself (for example, over the company VPN) is still recommended, because the home router and ISP path are outside company control.
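The first two reminders in the list (unknown senders, COVID-19 lures, suspicious attachments and links) can be turned into a triage check that a security team runs over reported messages before a human calls the sender back. The script below is an added example, not code from the article or from A-LIGN; the contact allowlist, domains and both sample messages are constructed for illustration, and the Authentication-Results values are assumed to have been written by the receiving mail server.

```python
"""Triage raw e-mail messages for the phishing red flags listed above.

Added example (not from the original article). A message is flagged when:
  * the sender is not in a known-contacts allowlist (assumed list below),
  * the subject/body uses COVID-19 lure wording,
  * it carries an attachment with a risky extension,
  * a link's visible text names a different host than its real destination,
  * the receiving server's Authentication-Results show SPF/DKIM/DMARC failure.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed allowlist for the example; a real deployment would pull this from the directory.
KNOWN_CONTACTS = {"alice@example.com", "it-helpdesk@example.com"}
LURE_WORDS = ("covid", "coronavirus", "pandemic", "quarantine", "stimulus")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso")
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s: str):
    """Host named by a URL, or a bare domain in plain text; None if neither."""
    m = URL_RE.search(s) or DOMAIN_RE.search(s)
    return m.group(1).lower() if m else None


def triage(raw: bytes) -> list[str]:
    """Return 'category: detail' red flags for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in KNOWN_CONTACTS:
        flags.append(f"unknown-sender: {sender}")

    # Only trust this header if your own MX wrote it; here it is assumed to have.
    for field, value in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if value.lower() in AUTH_FAILURES:
            flags.append(f"auth-fail: {field.lower()}={value.lower()}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        flags.append("covid-lure: " + ", ".join(hits))

    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, visible in collector.links:
            real, shown = _host(href), _host(visible)
            if real and shown and real != shown:
                flags.append(f"link-mismatch: shows {shown}, goes to {real}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky-attachment: {name}")
    return flags


def build_samples() -> dict[str, bytes]:
    """Two constructed messages: one routine, one carrying every red flag above."""
    benign = EmailMessage()
    benign["From"] = "Alice <alice@example.com>"
    benign["To"] = "bob@example.com"
    benign["Subject"] = "Lunch on Thursday?"
    benign["Authentication-Results"] = "mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass"
    benign.set_content("See you at noon.")

    phish = EmailMessage()
    phish["From"] = "IT Support <helpdesk@example-support.net>"
    phish["To"] = "bob@example.com"
    phish["Subject"] = "COVID-19 remote work policy: action required"
    phish["Authentication-Results"] = "mx.example.com; spf=fail smtp.mailfrom=example-support.net; dkim=none"
    phish.set_content("Open the attached policy and confirm your VPN password.")
    phish.add_alternative(
        '<p>Open the attached policy and confirm your VPN password at '
        '<a href="http://login.example-support.net/reset">https://portal.example.com/reset</a>.</p>',
        subtype="html",
    )
    phish.add_attachment(b"not really a document", maintype="application",
                         subtype="vnd.ms-word.document.macroEnabled.12",
                         filename="Policy_Update.docm")
    return {"benign": benign.as_bytes(), "phish": phish.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, triage(raw))
```

The checks are deliberately cheap and transparent so an analyst can explain every flag to the employee who reported the message; the link-mismatch and auth-fail tests are the ones that survive a well-written lure, while keyword matching only catches the opportunistic campaigns the article warns about.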

The Risk to Compliance
Maintaining compliance has never been easy, especially if multiple regulations are involved. But with a remote workforce connecting through home networks, CISOs are now facing an unprecedented level of complexity. Understandably, CISOs are focused on the immediate tactics to enable their remote workforce to remain safely productive, but they should not lose sight of their strategic compliance initiatives. These initiatives will not only help ensure security during this transition but will also demonstrate trust to business partners and customers during these uncertain times.

Compliance management platforms can streamline and automate this process to minimize the time-consuming manual processes. Just as your organization is using technology to safely enable the productivity of remote workers, it can leverage technology to make compliance as efficient as possible.

Even more so, working with an experienced partner can accelerate compliance because well-defined processes minimize the time required for an audit. Select a provider with the capability to complete testing remotely, as allowed per standards. With the rising popularity of Zoom, video conferencing is an acceptable proxy for in-person meetings.

Ultimately, now is a time for partnerships. For every new digital collaboration, communication, and productivity tool available to the CIO, it is incumbent upon the CISO to enable its compliance with minimal disruption. Remember to look for the helpers.

A-LIGN's Chief Executive Officer, Scott Price, has provided clients with security, assurance, and compliance solutions for nearly 20 years. In this time, he has completed over 2,000 SAS 70/SOC audits and has supported many Global 1000, Fortune 500, and regional companies. In ...