Many more millions of employees have been working remotely as a result of the devastating COVID-19 virus than ever before. There is likely no going back. Employers have been relying on a remote workforce by necessity in the short term and are realizing that in the long term they can operate efficiently and productively with their staff largely out of the office. The public health risks will, for the foreseeable future, be the driver both on employers’ need for a remote workforce to achieve continuity of operations and employees’ demand for a safer work location. The increased numbers of remote workers will no doubt be lasting. But with this anticipated restructuring of work must come a comprehensive evaluation of the corresponding cybersecurity risks over the long term and how best to address them. As employers look forward to the future of securing remote work in their organizations, they should review the following top ten considerations as part of their defense in depth.
No. 1. Think in terms of people, information and machines. They are inseparable elements to accomplishing remote tasks and so are the associated cyber risks. Remote employees can only communicate through their machines (e.g., computers and mobile devices) and associated software and protocols (e.g., browsers). To be more secure, employers should think in terms of how information flows over the Internet from employee to employee, employee to customer, machine to machine, system to system throughout the communications process. The information needs to be secured from the time of the employee’s keyboard strokes, up the information stack, to the applications and browser. An employer must have confidence that the information will be securely exchanged between the remote workstations/mobile devices and servers and other computers, using different protocols and systems, over the Internet. Unless you have comprehensively considered the particular job responsibilities of each remote job title, the types and sensitivity of information handled, the methods of remotely accomplishing tasks and the connected hardware and systems, and how they all interact and will be protected on a daily basis, you are missing something. And if you are missing something, you are missing everything because one hole in your defenses is all that a hacker needs to deploy a devastating exploit.
No. 2. Develop a written risk assessment and information security plan for remote workers. If your organization has not conducted a thorough risk assessment and adopted a formalized information security program containing reasonable safeguards that has considered the threats to its remote workforce, depending on your industry, you are not in regulatory compliance with the applicable standards for safeguarding protected information (e.g., PII, PHI, financial information). Only by writing down and addressing the likely threats and circulating the risk considerations among stakeholders for input and decision, does an organization achieve regulatory compliance and improved cybersecurity. See, e.g., New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). Likewise, in order to effectively protect sensitive business information and trade secrets, the same planning tools should be used. Ad hoc meetings and crisis management will simply not suffice over the long term to address remote worker cyber risks.
No. 3. Implement multi-factor authentication as the default authentication method for remote user access from the home. Like Dorothy’s repeating “There’s No Place Like Home” in the Wizard of Oz, keep repeating “There’s Nothing Like Multifactor in the Home,” when it comes to the authentication of any user that remotely accesses sensitive information, or has remote administrative or privileged access. It should come as no surprise that phishing is rampant, including COVID-19 scams to compromise credentials. Personnel training is a preventative measure, but is not foolproof. Consequently, multi-factor authentication (MFA) should be the default method for authentication for remote home-based roles with access to sensitive or protected information. The same holds true for remote system or server maintenance. If your system administrators will be routinely performing remote maintenance using Remote Desktop Protocol (RDP) or have remote access to other privileged accounts, multi-factor authentication should be the default authentication method. Similarly, if more devices in your organization are now opening RDP to the Internet because of the increase in remote work, secure your RDP. Shodan reports, for example, that of 70,000 devices it recently scanned using RDP, 8% remain exploitable by the BlueKeep vulnerability present on older Windows versions.
No. 4. Consider and address the risks of allowing employees to access organizational resources using company computers/devices v. personal (BYOD) computers/devices. Organizations should limit access to its systems to only authorized devices. For example, are remote employees permitted to connect to organizational resources using their personal computers or by company computers or both? There are vastly different cyber risks with each mode of device access. Have you fully considered the risks of an employee who routinely handles sensitive information connecting to your network though a personal computer, if you lack the ability to scan the security posture of his or her computer? If an employee can use an unknown personal device to connect to the organization’s network, you may lack visibility into the device’s security unless you institute technical measures to authenticate the device and address those risks before network access is permitted. Organizations may want to consider implementing a mobile device management solution, network access control appliance or other technical tools to mitigate these risks.
No. 5. Consider and address the risk to permitting direct remote access to web based organizational resources. Nothing new here, but the frequency and volume of this direct out of network connectivity will certainly increase with more employees working from home. Employees may access web-based resources through credentials that do not require a connection through the organization’s network, but rather by directly accessing the hosting website. Have you addressed the risks of permitting employees to connect directly to cloud based resources outside of your network from their homes? If so, have you considered the sensitivity of the information they have access to and how to effectively monitor this access? What logging configuration does the hosted services permit, and have you implemented a logging and monitoring plan that is supported by rigorous personnel policies that provide notice to employees of the monitoring? Effective monitoring is critically important to be able to detect and respond to a breach of security involving a remote user with direct web based access. Given the risks, employers may want to consider regulating, screening and protecting this traffic, using a Secure Internet Gateway or other technical tools.
No. 6. Consider and plan for the most likely threats. Well, we have to admit this is currently a challenge because of the proliferation of the threat landscape during a pandemic: e.g., phishing; Advanced Persistent Threat (APT) attacks on healthcare and pharmaceutical companies, education and research institutions, and organizations that handle PII; cyber threats posed by North Korea.; and the ubiquitous ransomware. All the more reason to roll up your sleeves now and engage on this topic head on with a focus on those threats and threat groups relevant to your particular industry. The continued viability of your business and the health and safety of others may depend on it.
No. 7. If you use a VPN, make sure it is secure, properly configured and offers a sufficient number of connections for your business needs. Make sure your VPN is and remains patched, updated, and configured using secure baselines. Vulnerabilities in common VPN services recently have been highlighted. As with any patching and secure configuration process, there should be a written policy and procedure that is enforced and audited. Also, consider eliminating “split tunneling” – where employees can access their home printers and other resources, which may create a greater risk of compromise.
No. 8. Plan for the remote worker security incident. Plan and train for the inevitability of a remote cybersecurity incident and effective response. For example, does your organization have a breach response plan that considers how to handle a remote incident? How will the organization manage a security incident remotely where the employee and the company devices are not in the office? Frequently, by planning for the incident, an organization will institute changes that greatly improve preventative controls.
No. 9. Have employees sign strong confidentiality and acceptable use agreements and plan for the termination of remote workers. When an employee is in the office for an employment termination, it is much easier to collect credentials and company resources/devices at the time of termination than it is for a remote employee. To address the insider threat of remote workers stealing or keeping sensitive data after they learn of their employment termination, an organization should have written procedures that ensure that system access is cut off at or before the time of termination as a default. Remote workers should be signing strong confidentiality and acceptable use agreements that provide for the preservation, safeguarding and return of company material, and sanctions for failure to do so. A formalized insider threat program to include remote worker security issues should be a part of any effective information security management program.
No. 10. Encrypt laptops and mobile devices containing protected information or sensitive information. With full disc encryption, an organization can protect sensitive or protected information against loss or other physical compromise of the device. Indeed, statutes like New York’s SHIELD Act (N.Y. General Business Law §§899-aa, 899-bb) exclude encrypted information from the definition of protected “private information,” providing that the cryptographic keys are securely managed and have not been accessed or acquired. Thus, breach notification may be avoided in certain circumstances where the loss involves encrypted information. At the end of the day, an organization needs to consider whether a burglary, car theft, or accidental loss of the physical device are risks that should be protected against by encrypting protected or sensitive data in the hands of remote workers. Best practices strongly support these actions.