“May you live in interesting times.” –Unknown
This famous curse, uttered again and again over the years, including—famously—by Robert F. Kennedy, has inspired more than the occasional giggle. But in our new (virtual) reality, there is a somber acquiescence in these words. We do, indeed, live in interesting times. In the past few weeks, we have gone from a culture of human interaction, in-person transactions, and (for most) a lamentable daily commute, to virtual workers fumbling to set up a rudimentary home office, trying to figure out how to handle pets and kids and spouses stepping on one another while trying to be productive. Make no mistake, the way we conduct business will change for good as a result of the current global pandemic. As businesses, governments, and individuals all struggle to come to terms with this most unexpected development, this article turns to the very real—and very daunting—challenge of securing a new, hastily deployed remote workforce.
The Problem with Securing a Remote Workforce
For most Information Security teams, managing the workforce on the corporate network is straightforward. Not that it is easy or simple, just that there are a limited number of variables to handle. Internally, there is nearly total control of the environment from a security standpoint. Add to this the fact that there are numerous technologies in place—firewalls, IDS/IPS, logging, etc.—that aid in detection, prevention, and eradication of potential threats. Our infrastructures have become warm and fuzzy blankets for security.
Once we allow users outside of the cozy confines of a network that we fully control, things get substantially more complicated. We cannot know, let alone control, the workings of every individual employee’s personal network. There is no well-configured firewall in most people’s homes. Intrusion detection isn’t even a consideration for most users. And now we are faced, head-on, with the prospect of trying to secure each and every employee’s workspace for an indefinite period of time.
The reality is that many organizations have had a loosely documented and enforced remote work policy in place for a long time. Laptops being as portable as they are, and managers wishing to have staff stay productive even when not in the office, have created a casual ecosystem where, occasionally, office workers can log in from the comfort of their home (or hotel, or airport…you get the idea) and get some work done. And for the ad hoc situation, some security is in place to keep both employees and the company safe. In sum, it has been a numbers game. If only X employees work from home on any given day, the exposure to the company is relatively low. The threat of breach seldom rises above the established risk appetite, and usually, these occasions do not involve the need to access highly sensitive or critical data or systems. A well-maintained VPN and endpoint protection software have historically been deemed sufficient to mitigate any risk, and we have all gone happily along with our lives.
Enter the global pandemic. The CDC and WHO have collectively recommended what is now termed ‘social distancing’, meaning an office full of people is a bad idea. Don’t get me wrong. I’m on board. My own office went virtual earlier this week. We are faced with this challenge as much as any organization. And from a health and human safety aspect, this is a very good thing. But it poses a conundrum for security teams. How do we ensure the safety and security of data and systems when everyone is working remotely?
Establishing a Successful Remote Workforce Policy
While there are a multitude of technical controls available (and, frankly, recommended) to help secure a remote workforce, it all starts with policy. If you don’t have a remote policy in place already, it’s high time to write one up and ratify it with leadership. Even if you already have one in place, it’s probably a good idea to revisit it. The fact is, very few, if any of us, anticipated suddenly shifting from a mostly on-site workforce to an entirely (or nearly that) remote workforce. And it is likely our policy does not take this new world order into account.
What should be included in an effective policy? Well, it does depend a little on your circumstances, but here are a few ideas that should get you started:
- Corporate Network Access. The policy should stipulate that any access must be done over VPN. Direct access to a corporate network is extremely dangerous. The chances that an insecure connection will be compromised are pretty close to 100%.
- Home Wi-Fi. Ensure that your staff is working on secure Wi-Fi at home. This may require a little training, and probably some support once everyone is remote, but every user should be leveraging a secure Wi-Fi connection. This means using WPA2 with a pre-shared key (WPA2-PSK); not a lot of home networks will support anything better, and this should be sufficient. There are really no home-based Wi-Fi routers in circulation today that do not support this protocol.
- Non-work devices. If you do not currently have a BYOD or MDM program in place, then no one should be connecting over the VPN using a non-work device. This includes computers, tablets, and phones. There are just too many variables with uncontrolled devices to allow users to log into the company network with a non-approved device.
- No external storage devices. USB storage devices are suspect, in the best of circumstances. If it is not already technically prohibited on work laptops, ensure that everyone is aware and agrees to eliminate unauthorized external storage devices.
- Patching and updates. It may be problematic to force updates and patches on staff devices when they are not connected to the corporate network. Ensure that everyone understands that they are now responsible for this critical activity. And it is up to the security team to send out appropriate reminders when patches are available and update cycles (like Microsoft ‘Patch Tuesday’) come due.
Security Technology Can Help
As I mentioned before, there are likely a lot of organizations that have some controls already in place for remote work. The following is a good start, though far from an exhaustive list of technology solutions, that can provide a great deal of security for a remote workforce.
The first—and possibly most critical—is endpoint protection. This is your anti-malware/anti-virus platform. Make sure that not only does every device that is authorized to access the corporate network have endpoint protection installed and enforced, but also that updates continue to happen on an automated basis throughout the device’s lifecycle.
Remote access to systems is a close second. Even with a VPN in place, secure remote connectivity should be a priority. Products like BeyondTrust provide a highly secure method for remote access. In addition, this particular platform provides a way of managing privileged access. That is, which users have the ability to elevate privileges to Administrator level can be controlled by source, time, and destination across the enterprise.
Speaking of VPNs, there are a couple of different types that exist. Most companies leverage a ‘split tunnel’ VPN platform, which allows traffic that is not destined for the corporate network to bypass the VPN connection, improving performance. This also helps alleviate the stress on a VPN when the connections go from 2-3 during off-hours and weekends to potentially hundreds or even thousands when the entire workforce goes virtual. Single tunnel VPNs, which route all traffic, regardless of destination, through the same tunnel, are often considered more secure, but the performance degradation, especially to external network resources, can be counterproductive.
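The difference between the two VPN types comes down to which routes the client installs on the laptop. The following is an added example, not code from the article, that models a split-tunnel table and a full (single) tunnel table and resolves destinations with longest-prefix match, which is how the host decides where each packet goes. All prefixes and addresses are constructed for illustration.

```python
"""Added example (not from the original article): how a split-tunnel and a
full-tunnel VPN client decide where each packet goes.

Both policies are modelled as a routing table evaluated with longest-prefix
match, which is what the host's kernel does once the VPN client has installed
its routes. All addresses and prefixes below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed routing tables. "tunnel" = send via the VPN; "direct" = send via
# the home router. The prefix lengths are what make the two policies differ.
SPLIT_TUNNEL = [
    ("10.0.0.0/8", "tunnel"),        # corporate address space only
    ("172.16.0.0/12", "tunnel"),     # corporate address space only
    ("192.168.1.0/24", "direct"),    # home LAN (printer, NAS, etc.)
    ("0.0.0.0/0", "direct"),         # everything else: straight to the internet
]

FULL_TUNNEL = [
    ("192.168.1.0/24", "direct"),    # many clients keep the local LAN reachable
    ("0.0.0.0/0", "tunnel"),         # everything else: through the VPN
]


def next_hop(dst: str, table) -> str:
    """Return the next hop for dst using longest-prefix match over table."""
    addr = ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise ValueError(f"no route for {dst}")
    return best[1]


def classify(dsts, table):
    """Map each destination to its next hop so the two policies can be compared."""
    return {d: next_hop(d, table) for d in dsts}


if __name__ == "__main__":
    # 203.0.113.5 is from the TEST-NET-3 documentation range (constructed sample)
    sample = ["10.20.30.40", "203.0.113.5", "192.168.1.20"]
    print("split:", classify(sample, SPLIT_TUNNEL))
    print("full :", classify(sample, FULL_TUNNEL))
```

Running it shows the trade-off the paragraph describes: under the split-tunnel table only 10.20.30.40 rides the VPN, so the concentrator is spared the internet-bound load, but that same traffic also bypasses whatever inspection sits behind the concentrator. Under the full-tunnel table everything except the home LAN goes through the VPN.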
These technical controls have an added dimension beyond simply protecting your network and data. Each of them also provides a good deal of reporting, which you can use to track anomalies, should they arise, across your remote workforce. That is a great advantage to the security team overall, because the detection devices and platforms within the network may be diluted by the sheer volume of new and diverse traffic: it will be much harder to eliminate false positives, and consequently, real threats might slip through the cracks more easily.
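Two of the anomalies worth pulling out of that reporting are password-guessing bursts against the VPN and one account logging in from two different networks in a short window. The following is an added example, not code from the article or from any vendor's product, that runs both checks over constructed VPN concentrator log lines; the key=value format, user names, addresses and thresholds are all assumptions, and `parse_line()` is the part you would adapt to your concentrator's real format.

```python
"""Added example (not from the original article): two simple anomaly checks
run over VPN concentrator log lines.

The log format, user names, addresses and timestamps are constructed for this
example; real concentrators log differently, so parse_line() is what you adapt.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (TEST-NET documentation addresses, fake users).
SAMPLE_LOG = """\
2020-03-20T08:02:11Z user=alice src=198.51.100.7 event=login result=success
2020-03-20T08:03:40Z user=bob src=203.0.113.9 event=login result=failure
2020-03-20T08:03:52Z user=bob src=203.0.113.9 event=login result=failure
2020-03-20T08:04:05Z user=bob src=203.0.113.9 event=login result=failure
2020-03-20T08:04:17Z user=bob src=203.0.113.9 event=login result=failure
2020-03-20T08:04:30Z user=bob src=203.0.113.9 event=login result=failure
2020-03-20T08:05:02Z user=carol src=198.51.100.22 event=login result=success
2020-03-20T08:09:45Z user=alice src=203.0.113.77 event=login result=success
2020-03-20T09:15:00Z user=carol src=198.51.100.22 event=logout result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    """Parse every well-formed line; malformed lines are dropped, not fatal."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Flag (src, user) pairs with >= threshold failures inside a sliding window."""
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["result"] == "failure":
            fails[(r["src"], r["user"])].append(r["ts"])
    alerts = []
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def concurrent_sources(records, window=timedelta(minutes=30)):
    """Flag users with successful logins from two different sources inside window."""
    logins = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r["result"] == "success":
            logins[r["user"]].append((r["ts"], r["src"]))
    alerts = []
    for user, entries in logins.items():
        entries.sort()
        for i, (t_i, src_i) in enumerate(entries):
            hit = next(
                (src_j for t_j, src_j in entries[i + 1:]
                 if t_j - t_i <= window and src_j != src_i),
                None,
            )
            if hit:
                alerts.append((user, src_i, hit))
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(recs))
    print("concurrent sources :", concurrent_sources(recs))
```

On the sample data the first check flags bob's five failures from 203.0.113.9 inside fifty seconds, and the second flags alice logging in from two different networks seven minutes apart; carol, with a single session, produces nothing. The thresholds are deliberately parameters, because the right values depend on how noisy your own population is once everyone is remote.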
Additionally, if it isn’t there already, implement multi-factor authentication everywhere. Realistically, if a platform you have been using doesn’t support it, consider an alternative platform. This is a crucial bit of protection that should already be in place, but it becomes even more important with every employee working from outside the confines of the corporate network.
It is also a good idea to review your collaboration tools. While this is undoubtedly something that everyone on staff has been concerned with, maintaining a centralized collaboration tool, like Slack or Skype, ensures that everyone is communicating over a unified, authorized platform. Once staff start to leverage rogue tools, the ability to protect users and systems becomes that much harder.
Leveraging the Cloud to Enhance Security
It is estimated that over 90% of all organizations utilize the Cloud in some fashion, whether public, private, or hybrid, and this technology advancement will prove to be invaluable to a fully remote workforce. First of all, it reduces, and in some cases even eliminates, the need for a dedicated VPN for many systems and applications. This simplifies security substantially. If Cloud services are already in wide use within an organization, there is no need to change behavior across the enterprise, as everyone is already familiar with the concept and practice. Additionally, it is easy to expand capacity quickly and seamlessly to the workforce. Elastic cloud services provided by many public providers can be rapidly deployed and configured to handle the precise predicament we find ourselves facing.
Security Education is Key
It’s already happening at an alarming rate, but coronavirus/COVID-19-related spam, phishing, and social engineering are likely the most effective attack vectors when it comes to remote workers. As everyone continues to track the evolution and trajectory of the pandemic, many malicious actors have created massive campaigns to exploit vulnerable and preoccupied individuals across the globe using keywords and false pretenses to gain access through a multitude of traditional social engineering avenues. CrowdStrike has already pinpointed multiple well-known bad actors, both criminal and state-sponsored, blasting phishing e-mails that leverage our collective obsession with the pandemic through fake news stories and promises of supplies, treatments, and even cures. It is absolutely essential that your remote workforce is educated on dealing with these types of attacks. Rather than lowering our collective defenses to this kind of disinformation and malicious content, we need to reinforce basic security hygiene with every employee as they embark on this new, and largely uncharted, remote work journey.
In addition to awareness of potential threats, ensure that everyone reads and rereads the wider security policy already in place. Working from home can lead to bad habits for many employees. Not because staff is lazy or irresponsible, but because it is such a change in environment. We tend to relax at home, and that includes our compliance with secure protocols and procedures. Keep everyone engaged. Everyone has to work together, especially in a virtual environment, to maintain meaningful and successful security controls.
Business Continuity and Disaster Recovery Planning as it Applies to Security
Let’s face it, business continuity plans have a tendency to get written and ratified after the fact. There were likely few, if any, companies in the U.S. that had a contingency plan for ‘terrorist attack’ included in their strategic planning prior to 9/11. Now, it is likely one of the most prominent pieces of their overall continuity puzzle. It would also not be surprising to find that many, if not most, organizations had no contingency plan in place for global pandemics disrupting the business before a few weeks ago. Be that as it may, if you are one of the 51% of organizations with no plan, now is the time to get to writing. It may seem to be a little late, but there is no telling how long our current situation will persist, or whether it will get worse or better in the next few months. So, ensure you have plans for both. We tend to be optimistic, and planning for the unthinkable may feel exceptionally daunting, but with a plan in place, the unthinkable doesn’t have to be catastrophic. If you need help getting started, check out this post on Business Continuity Planning and Disaster Recovery in the Time of Coronavirus.
Last Words on Securing your Remote Workforce
It is not hyperbole to say that we have entered a new world order. While remote work has been slowly marching ahead and more and more companies are embracing the idea of a virtual workforce, few, if any, could have predicted that a global pandemic would be the catalyst to hurtle the world forward. Will we go back to our offices? Probably. But the new reality we find ourselves in will likely change the way many, if not all, of us do business. Both within our own companies, and with our clients and vendors. There are myriad moving parts involved in this shift, and a lot of organizations have been caught unawares. Now is the time to consider how you will manage the change from a security standpoint. Stay safe out there!