The coronavirus pandemic has created an unparalleled and urgent challenge for those entrusted with the responsibility for securing digital assets in companies of all sizes.
The new mandates for remote working promulgated virtually overnight have exacerbated the need to secure data traffic and do it at scale.
Zoom is close to becoming a verb. So many people are using it and, frankly, like it because of its simplicity. However, Zoom's security problems are now manifest, with many companies, school districts and even Congress mandating that the product not be used. “Zoombombing” is now commonplace. Until Zoom can reengineer its problem components, it remains a big problem and should be used with caution.
In the meantime, there are many other video conferencing products that are secure, have been used in business for a long time, and remain viable alternatives.
Simply put, zero trust means never trust, always verify. This model inherently assumes that trust is a vulnerability. As such, the effort is to create a behavioral profile of users and the way they should interact with key company assets. Thereafter, constant monitoring and remediation are used to identify and isolate abnormalities against that benchmark.
Zero trust can be achieved in a myriad of ways, including the use of established frameworks, e.g. ISO, NIST, etc. In an age where brand image can be seriously damaged by breaches and hacks, and may never recover, making sure that the remote environment does not become an avenue for compromise is critical. Various solutions for this model are discussed below.
Multi-factor authentication (MFA)
MFA adds security to critical applications and can be easy to enable on the backend systems. Most users today carry smartphones, and between SMS and authenticators from Google, Microsoft, etc., implementing the frontend piece of MFA is also not complex. Even so, a small pilot to iron out any kinks is recommended before a companywide rollout. Prioritizing those who may have access to sensitive information should be a key focus.
Virtual private networks (VPN)
VPNs can be used to protect and encrypt traffic from users to datacenters and cloud-based assets. There are any number of reasonably priced commercial VPNs that can be procured with bulk licensing. When used together with MFA, they provide a robust foundation to secure all data traffic.
Mobile device management (MDM)
MDM becomes a must-have to manage and control the plethora of devices that remote employees use. These include phones, iPads, laptops, etc. An MDM platform can limit connections to only devices that are either owned by the company or, at the very least, have been checked to make sure that they have the latest security patches. Additionally, if a device is lost, remote wipe capability allows for securing sensitive information that would otherwise be compromised. Some MDM platforms will also allow company applications to be delivered to the device while limiting the users’ ability to add unapproved applications to it.
Some companies, particularly those that operate in areas like finance or healthcare, where sensitive information needs to be controlled, may prefer to have pre-approved images installed on company devices. This allows the environment to be tightly controlled for security vulnerabilities. It also enables IT departments to provide replacement devices at short notice, should there be a catastrophic failure or loss of a device.
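As an added illustration (not part of the original article), the sketch below combines the controls discussed so far into one access decision: MFA, the MDM device condition (company-owned or patch-checked), and a comparison against a per-user behavioral profile. The baseline data, field names and the "step_up" outcome are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed behavioral baseline: hours and assets seen in each user's normal use.
BASELINE = {
    "alice": {"hours": range(7, 20), "assets": {"crm", "mail"}},
    "bob": {"hours": range(8, 18), "assets": {"mail", "payroll"}},
}

@dataclass
class Request:
    user: str
    asset: str
    hour: int              # local hour of the request, 0-23
    mfa_passed: bool
    company_owned: bool    # device is owned by the company
    patches_current: bool  # device was checked and has the latest patches

def evaluate(req: Request) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    profile = BASELINE.get(req.user)
    if profile is None:
        return "deny", ["no behavioral profile for user"]
    reasons = []
    # Hard requirements: never trust, always verify.
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if not (req.company_owned or req.patches_current):
        reasons.append("device neither company-owned nor patch-checked")
    if reasons:
        return "deny", reasons
    # Deviations from the benchmark: require re-verification (assumed policy)
    # and hand the reasons to monitoring for follow-up.
    if req.asset not in profile["assets"]:
        reasons.append(f"asset '{req.asset}' outside user's profile")
    if req.hour not in profile["hours"]:
        reasons.append(f"hour {req.hour} outside usual hours")
    return ("step_up", reasons) if reasons else ("allow", reasons)

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        Request("alice", "crm", 10, True, True, True),
        Request("alice", "payroll", 3, True, False, True),
        Request("bob", "mail", 9, True, False, False),
        Request("bob", "mail", 9, False, True, True),
    ]
    for s in samples:
        print(s.user, s.asset, *evaluate(s))
```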
Staff security enablement
When staff are remote, it is helpful to create self-service portals where employees can reset passwords, etc. This also helps relieve the increased demand on helpdesk staff.
Having some training materials for staff on the same portal to help them with security-related questions, or guidance on the use of MFA, VPN, etc., is also recommended. When remote work is thrust upon a workforce in an instant, as has happened recently, having an online resource that can provide ongoing clarity on the use of technology can be reassuring for both employees and cybersecurity staff.
When staff are asked to work from home, the perimeter that must now be secured and supported also scales. It is common to have employees ask for help with their home internet connections, configurations, troubleshooting and security. It would be reasonable to make accommodations for such calls.
Another factor is the staff security awareness regimen. Bad actors are still looking at common vectors like phishing to exploit employee behavior. Making sure that employees are aware of how they can protect themselves and company assets is well worth the investment. There are many third-party tools that make security awareness easier to deploy, manage and monitor.
Disaster recovery and business continuity take on a renewed emphasis in a remote workforce culture. Making sure that there is a clear and articulated policy around BCP, and that testing is done to validate it and simulate failure, is always a good idea. Making sure that asset owners and users are aware of the response and restore time objectives is recommended.
Enhanced resiliency and monitoring
It is imperative that thought be given to enhancing the monitoring and remediation of internet-facing systems. Today, some or all of this can be outsourced to companies that specialize in this kind of work.
The task of securing a dispersed workforce is not insurmountable. Over the years, there has been a movement towards architecting and deploying flexible and secure work environments, including for remote work.
Those companies that reacted to these market changes early now find themselves in an advantageous position as they respond to the current circumstances.