There is this joke that surfaced among tech circles- “ Who leads the digital transformation of your organization” (A) CTO (B) CEO (C) Covid 19. And the answer being marked as (C) Covid 19.
Whether It is a large enterprise or a small one, The COVID-19 has pushed every one of us with limited InPerson interactions, imposed lockdowns, and also has disrupted the conventional approaches of doing business. As a consequence, many businesses have rolled out work from home. The forced change, otherwise not so common has also undisputedly accelerated overall digital adaption like (1) Cloud adoption (2) Collaboration (3) Connectivity (4) Leading to sensitive data flow across personal devices and home networks, implicating new areas of security concerns and risks.
There have been numerous industry reports, and new predictions about the surge in attacks, ransomware, phishing, dwell time activity threat reports in the context of work from home remote working environments. All pointing to increased attack surface, vulnerabilities, lack of controls across organizations of all kinds.
There is no doubt that remote working is here to stay. How people connect and work is evolved, businesses must adopt ways and means to secure and defend work from home/anywhere infrastructure. Generally, organizations have enough attention and resources with reasonable information security, availability measures around their core business & technology service controls (data centers – cloud-native, hybrid, on-prem)., but less on the user side remote working environments.
Here are our four key essential areas for a sustainable remote workforce security. Building blocks of secure work from home, work from anywhere environments.
- User awareness
- Device Security
- Email Security
- Access & Network Security
No matter how secure your infrastructure and policies are, an unaware employee or an ignorant user falling for a phishing link or a sophisticated social engineering attack can lead to major impacts. For Organizations, It is essentials users are regularly trained and aware of do’s and don’t’s, in addition to this best practices are (1) Multi-factor authentication (2) Least privilege access (3) log everything – user activity logging on data and services across.
For all endpoints including that of personal devices(BYOD), mobiles consider enforcing automated baseline security validations before allowing access to corporate data and services.
An organization must ensure a suitable – (1) Endpoint protection platform, (2) Disk Encryption, (3) Mandatory Critical Patching (4) Tightened device policies (EMM)/ Endpoint Management.
A key capability is that if the local agent could integrate with service side controls and determine the device health and security posture as factors in the access decision to facilitate allow/block access to corporate data and services.
Email is used widely. It is the most consumed service across businesses and naturally the preferred threat vector for cyber-attacks.
While organizations have in-place email gateway protection to combat spam and email threats. it is essential to have (1) The users trained on spear phishing, spoofing threats (2) Implement email encryption and signatures – SMIME PKI (3) enhance the security by implementing DMRAC, DKIM, SPF, MFA.
Access & Network Security
To defend against the high-risk aspects associated with vulnerable user side home networks, unsecured kiosks, internet access, public networks It is essential organizations consider deploying secure connectivity controls and access measures. Must consist (1) User Identity Protection (2) Multifactor Authentication to services (3) Any typical Zero Trust Network Access (ZTNA) facilitating access security policies allowing organizations granular access control and visibility. More advanced options are the integration of Cloud Security Access brokers (CASB) and Secure Access Service Edge (SASE) technologies.
The above approach is by no means complete and only addresses a few key areas.
Protecting the distributed workspace is critical for any organization and challenging. While technologies are evolving and new ones are emerging faster, a holistic risk-based approach would help organizations defend better.