In the first week of the COVID-19 pandemic we sent our clients a general announcement about the TechBento technologies and services that were most useful at the time. While communication and collaboration were hot topics, so were the means to secure the remote workforce. We also had an experienced perspective on the circumstances: our team is decentralized and remote. In fact, our executive team has collectively spent 50+ years working from home. With the majority of our clients already allowing remote work and equipped with the infrastructure needed to keep operating during the crisis, most had to make only minor adjustments. As a general reminder we shared the following statement, which forced some of our clients to re-think their approach to remote work:
There is another pandemic alongside COVID-19: phishing, fraud, and malicious activity have erupted in this time of chaos. Do not share credentials or act on unexpected requests (email, telephone, messenger pigeon, etc.), and exercise extreme care and scrutiny with calls, attachments, links, and email.
As employees use personal devices to access company resources, the risk of ransomware, data leaks, breaches, and compromise grows sharply. Mobile device management and employee monitoring, backed by strong infrastructure, mitigate these risks.
Lastly, file sharing was already popular, but today's circumstances are pushing casual and formal use of services like Dropbox, Google Drive, and Microsoft OneDrive to new levels. Data loss prevention, behavior monitoring, and breach protections are essential tools for safeguarding these systems.
The Problem
TechBento clients span a spectrum that ranges from "data is only accessible from company-owned devices" to "employees use BYOD (Bring Your Own Device) freely." Between those two points is a substantial grey area. Employees might use their home desktops to access remote servers, use personal phones for MFA tokens, read email on personal devices, or do none of that unless it is on a certified and managed corporate device. Free use of any device is convenient; corporate hardware, in many cases, is not. In general, the more convenience built into a system, the less security it offers.
Our methods are typically scenario-based, so let's consider a few scenarios relevant to the remote workforce. Each one is a starting point for a conversation with your executive team and your information technology manager:
- Confidentiality: An employee synchronizes company data to a personal device and the device is lost or stolen. Suddenly all of those files are out in the world. Worse, without data loss prevention controlling what could be synchronized (and without device encryption or remote wipe), the data included social security numbers, account numbers, and financials.
- Integrity: An employee's home computer has been infected by a trojan that sends keystrokes and screenshots to a criminal enterprise. With little effort the operators notice that the employee uses a VPN (or remote desktop) to reach network infrastructure, and they deploy ransomware that spreads from the home computer to the corporate network.
- Availability: Employees work from a home that is now full of kids and family coping with the quarantine. Xbox Live, Netflix, social media, etc. dominate the internet connection to the point where remote work slows to a crawl. Voice and video quality are poor and the employee cannot get anything productive done. To add insult to injury, there are fewer computers than people who need them, so the family has to share.
The Solution(s)
There is no one-size-fits-all approach, and the risk appetites of our clients vary wildly. However, each organization should have a firm grasp of the methods available to reduce risk and of the impact those methods have on its overall approach to remote workforce security. Nearly all of the scenarios above could be avoided if the organization issued company-owned devices. To cover the full gamut of scenarios, the list would have to be fairly extensive and look something like this:
- Equip the remote office with a teleworker gateway to load-balance and secure traffic to the corporate network.
- Issue a company-owned laptop enrolled in a mobile device management (MDM) system, with remote automation, trustworthy antivirus software with centralized reporting, and security tools including monitoring that can detect insider threats. Alternatively, have a written (and signed) BYOD (Bring Your Own Device) policy and supply each employee with MDM and anti-virus/anti-malware software for their own devices.
- Scan data storage with a data loss prevention system, ideally one that also offers behavior analytics.
- Provide centralized, secure credential storage (a managed password vault).
- Configure corporate email with DomainKeys Identified Mail (DKIM, http://www.dkim.org/) to sign outbound messages, Sender Policy Framework (SPF, https://support.google.com/a/answer/33786?hl=en) to publish which hosts may send for the domain, and Domain-based Message Authentication, Reporting and Conformance (DMARC, https://dmarc.org/) to tell receivers how to treat mail that fails both checks and to report back on it.
- Filter inbound mail through a security scanner.
- Ensure employees have completed security awareness training so they understand risky behaviors and can detect phishing scams.
- Ensure employees practice credential hygiene and know how to secure their company credentials.
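Publishing SPF, DKIM and DMARC records is only half of the email item; the records also have to say something a receiver will act on. The script below is an added example for this post (not TechBento's tooling) that audits the three record types for the weak settings a spoofer benefits from: `+all`/`?all` or a missing `all` in SPF, more than ten DNS-lookup terms, a revoked or test-mode DKIM key, and a DMARC policy of `p=none`, a reduced `pct`, or no reporting address. The sample records at the bottom are constructed; `example.com`, the selector and the truncated key are placeholders. For a real domain, paste in the TXT values returned by `dig TXT example.com`, `dig TXT <selector>._domainkey.example.com` and `dig TXT _dmarc.example.com`.

```python
"""Audit SPF, DKIM and DMARC TXT records for weak settings.

Added example for this post; it is not TechBento's tooling. The sample records
at the bottom are constructed, and example.com, the selector and the truncated
key in them are placeholders. To audit a real domain, feed it the TXT values
returned by `dig TXT example.com`, `dig TXT <selector>._domainkey.example.com`
and `dig TXT _dmarc.example.com`.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means nothing weak was found."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (must start with v=spf1)"]
    lookups, all_qualifier = 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # RFC 7208: the default qualifier is '+' (pass)
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated; use ip4/ip6 or include instead")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, so spoofing is not penalized")
    elif all_qualifier == "+":
        findings.append("+all authorizes the whole internet to send as this domain; SPF is effectively disabled")
    elif all_qualifier == "?":
        findings.append("?all is neutral: unlisted senders are not penalized; use -all (or ~all with DMARC)")
    elif all_qualifier == "~":
        findings.append("note: ~all softfails; acceptable when DMARC enforces quarantine/reject, otherwise prefer -all")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def _tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM and DMARC records) into a dict with lower-case keys."""
    return {k.strip().lower(): v.strip()
            for k, v in (part.split("=", 1) for part in record.split(";") if "=" in part)}


def check_dkim(record):
    """Return findings for a DKIM public-key record published at <selector>._domainkey.<domain>."""
    tags = _tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # v= is optional and defaults to DKIM1
        return ["not a DKIM1 key record"]
    findings = []
    if not tags.get("p"):
        findings.append("empty p= revokes the key: anything signed with this selector fails verification")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("t=y testing flag: verifiers treat failures like unsigned mail, so the key protects nothing yet")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record published at _dmarc.<domain>."""
    if not record.lower().startswith("v=dmarc1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags = _tags(record)
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag; receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none only monitors: mail failing both SPF and DKIM alignment is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so spoofing attempts go unseen")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves every subdomain unprotected while the apex domain is enforced")
    return findings


# Constructed sample records (placeholders, not real DNS data; the DKIM key is truncated).
SAMPLE_RECORDS = [
    ("SPF weak", check_spf, "v=spf1 include:_spf.example.com ptr +all"),
    ("SPF good", check_spf, "v=spf1 ip4:203.0.113.0/24 include:_spf.example.com -all"),
    ("DKIM testing", check_dkim, "v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."),
    ("DMARC weak", check_dmarc, "v=DMARC1; p=none; pct=50"),
    ("DMARC good", check_dmarc, "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
]

if __name__ == "__main__":
    for label, checker, record in SAMPLE_RECORDS:
        print(f"{label}: {record}")
        for finding in checker(record) or ["no weakness found"]:
            print(f"    - {finding}")
```

The SPF lookup count matters more than it looks: a record that `include`s several SaaS vendors can quietly pass ten lookups, at which point receivers return permerror and DMARC falls back to DKIM alone. Treat `p=none` as a starting point for collecting reports, not a destination.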
To be very clear, we have clients that do all of this and more. Despite the value of such investments, some choose to accept more risk and deviate from some of these recommendations. The companies that fit a "none of the above" description came to us for help recovering from a major security incident; they have since improved their practices.
What can you do today?
Realistically, a crisis is not the time to change things, especially one as major as COVID-19. Planning should start now, but implementing many of these systems requires substantial effort and resources. There are, however, a few things an organization can do quickly to help protect its remote teams, and they offer an outsized gain in security:
- Block SMB traffic from the VPN at the firewall (TCP 445, plus the legacy NetBIOS ports 137-139) unless a specific use-case warrants it. Reaching file shares is one of the main reasons customers choose a VPN, and the traffic is typically left enabled, but it is also the path by which ransomware on a compromised home computer spreads to corporate servers; the convenience is not worth that risk. Where shares are genuinely needed, scope the rule to the specific servers and users that need them rather than the whole network.
- Give each employee a commercially licensed copy of anti-malware software. Through partnerships, TechBento offers usage-based licensing for anti-malware solutions: you pay for what you use.
- Deploy a cloud app security solution to monitor the file-sharing and SaaS services your staff use.
- Deploy employee monitoring tools on office desktops and on any machine used for remote access.
- Train your staff, and reinforce the training by testing them with white-hat phishing and scam campaigns.
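The first item above asks you to block SMB from the VPN; the check a practitioner wants afterwards is proof, from an actual VPN client, that the block holds. The script below is an added example for this post, not TechBento's tooling: run it from a laptop connected to the VPN against your file servers and domain controllers (the hostnames in the usage line are placeholders for your own). It separates three outcomes that a plain "could not connect" hides: a port that is open (SMB reachable, so the rule is missing or bypassed), one that is filtered (the attempt times out, which is what a firewall DROP looks like), and one that is closed (the host answered with a reset, so it is reachable but not running SMB, which proves nothing about the firewall).

```python
"""Probe SMB ports on internal hosts from a VPN client to confirm a firewall block.

Added example for this post; not TechBento's tooling. Run it from a machine
connected to the VPN, e.g.:
    python3 smb_check.py fileserver.corp.example dc1.corp.example
(those hostnames are placeholders for your own servers).
"""
import socket
import sys

SMB_PORTS = (445, 139)  # SMB over TCP, plus the legacy NetBIOS session service


def probe_tcp(host, port, timeout=2.0):
    """Classify a single TCP connect attempt.

    'open'       handshake completed: the service is reachable
    'closed'     the host replied with RST: reachable, but nothing listens there
    'filtered'   no reply before the timeout (or no route): what a firewall DROP looks like
    'unresolved' the name did not resolve
    """
    try:
        family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "unresolved"
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout, EHOSTUNREACH, ENETUNREACH: nothing came back
            return "filtered"
    return "open"


def smb_exposure(host, timeout=2.0):
    """Return {port: state} for each SMB port on the host."""
    return {port: probe_tcp(host, port, timeout) for port in SMB_PORTS}


def verdict(results):
    """Summarize the per-port states for one host into a single verdict."""
    states = set(results.values())
    if "open" in states:
        return "EXPOSED"        # SMB reachable over the VPN: the block is missing or bypassed
    if states == {"filtered"}:
        return "blocked"        # every attempt dropped: consistent with the firewall rule working
    if states == {"unresolved"}:
        return "unresolved"
    return "not listening"      # at least one RST: host reachable, SMB off; the rule itself is unproven


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} HOST [HOST ...]")
    for target in sys.argv[1:]:
        per_port = smb_exposure(target)
        detail = ", ".join(f"{port}/tcp {state}" for port, state in per_port.items())
        print(f"{target}: {verdict(per_port)} ({detail})")
```

A "not listening" result is the case people misread: the connection was refused, which means the packet reached the host, so the firewall rule is not what stopped it. Test against a server that you know runs SMB (a file server or domain controller), and test again from the office LAN to confirm the same host reports "EXPOSED" there; the difference between the two runs is the rule doing its job.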