Control on the edge – How can IT security managers cope with the sudden explosion of home working?
With much of the world in lockdown, companies are suddenly having to ramp up their home-working capabilities. This presents a host of issues for those responsible for IT security.
In an ideal world, you’d already have issued all employees with corporate-owned/managed laptops and/or mobile devices. You’d already have all the necessary tools and policies in place to ensure people can access the systems and data they need to perform their roles safely and securely. These would include, for instance:
- Multi-factor authentication to ensure the people and devices logging on are who they say they are;
- VPNs to ensure network traffic between central systems and remote devices is securely encrypted at all times;
- The ability to manage employees’ devices remotely – MDM, VNC, etc.;
- Tools to ensure you can detect and respond remotely to any anomalies on the network, monitor activity on remote devices, and deal with any threats remotely – e.g. EDR, MDR, EPP, remote logging and the like;
- A clear, well-communicated security posture with strong procedures to assure employees’ adherence.
Of course, we don’t live in an ideal world. Some companies allowed little or no home working prior to the crisis, with employees only permitted to use their office desktops to access corporate applications and data. Others were already enthusiastically embracing remote working (for example, many already routinely use well-secured cloud-based collaboration applications like Office 365). Others still sit somewhere in between – for example, permitting remote access to corporate email but not to sensitive systems and data.
But the unprecedented and sudden need for so many employees to work remotely presents unique challenges for all IT security managers. For many, business continuity is the most pressing issue, so in the immediate term they may have no option but to live with a higher level of risk than usual. If users don’t all have corporate-managed devices, for instance, you may have no choice but to permit them to use their own.
Nonetheless, you can still bring down your organisation’s risk levels considerably. First, you should identify how you work as a company, and what systems and data your users need to access from their home devices. Try to map out what additional tools and policies you need in place to maximise security – but without putting in place barriers that unnecessarily hinder people’s ability to perform their roles effectively. This can be done with the right tools and plans in place to ensure visibility, detection and response, but the sorts of tools we’re talking about here – EDR and MDR – work best in tandem with a strong plan and a network that already has a good basic level of security.
You should of course be ring-fencing and protecting access to your most sensitive systems and data – not just in terms of security tooling but, crucially, through effective company policies and guidelines. For example, the increased demand on network bandwidth due to widespread remote working means use of the company VPN for unnecessary, bandwidth-hogging activities like using Spotify or Netflix will probably need to be blocked.
That can all be done centrally, but how can you secure users’ personal devices, and ensure your data isn’t able to leak onto their invariably insecure home networks, over which you have no control? The instinct of many will be to insist that those accessing corporate systems and resources must install software that lets you remotely monitor and manage their personal devices, but you should be aware there may be significant legal and privacy barriers to this approach. It may, however, be wise to get them to install some kind of remote device management software at least temporarily – so you can ensure their home devices have effective firewalling, encryption and malware protection, or set it up for them if they don’t. Equally, you might want to stipulate what consumer apps and tools they can and can’t use for work collaboration.
Your biggest risk factor, though, is human behaviour. Clear, timely, effective and regular communication about security policies, procedures and best practice is vital. One idea here might be to stipulate that all home workers have to undergo some form of online training about effective security hygiene, with a test at the end. Make sure everyone understands the dangers of phishing, social engineering, telephone scams, etc., and what they need to look out for – and that includes the help desk, which may be a particular target. Attackers will be ramping up their activities to exploit the current confusion, so ensuring your users are as well-prepared as possible will bring down your risk levels considerably.
All this must be an ongoing effort. As everyone continues to get into the stride of homeworking, new issues will inevitably arise. You need to be able to deal with the unexpected as and when it occurs. If there’s a particular threat doing the rounds, for example, make sure you have the ability to warn all your home workers about it quickly, and ensure they’ve heard and understood.
IT security professionals have historically – and often unfairly – been characterised as the company’s control freaks. But now, more than ever, the ability to flexibly evolve your practices, policies and communication as circumstances demand is going to be crucial to staying as secure as you can. We’ll be deep-diving into some of the issues raised in this blog over the coming weeks, so do check in regularly. Stay safe!