COVID 19 forced many organizations into supporting a remote work force with little time to create a well-developed and documented remote work plan. Now that the initial rush to arrange the necessary logistics for remote work has passed, it is important to continually review remote work opportunities to ensure compliance with the regulatory requirements, adherence to changing security best practices, and acknowledge the changing workforce.
Risk Assessment
It is impossible to prioritize organizational resources without an accurate inventory of all software and hardware and the location(s) of sensitive data. The results of annual risk assessments should be used to develop policies and procedures and allocate resources to provide appropriate protections for all remote connections.
Policies and Procedures
A successful remote work program must have documented policies and procedures. At a minimum, these policies should contain employees and third authorization requirements, minimum system requirements and a description of technical safeguards that all users must follow. Remember, remote work may be a permanent circumstance for fully remote employees, or a temporary situation during a buildings and grounds project that limits building access. Once implemented, remote work policies and procedures should be updated on a regular basis. We suggest annually and after any significant change to the organizational structure.
Training
Users must continually differentiate between legitimate and malicious information sources such as email messages, website links, attachments, and a host of other threat vectors. A wrong choice may result in the loss of data confidentiality, integrity, and availability. It is crucial to stay abreast of the latest threats, including sector specific threats, and regularly provide security awareness training to all employees.
Users who need to wait for answers may try to find their own solutions. You need to provide remote access resources that cover the main issues specific to your organization. Additionally, you should ensure that users know who to contact when they have questions and need additional guidance.
Trusting Remote Connections
Connections from remote locations should always be verified. One way to verify the request is to use Multifactor Authentication (MFA) to verify the identity of the person or machine trying to establish the connection. MFA combines something the user knows, such as a password, with something that the user has, such as a smartphone, token, or certificate. MFA makes it much more difficult to compromise an account, even if the threat actor has access to the correct username and password.
Virtual Private Network (VPN) and Beyond
Threats and regulatory requirements continue to evolve. The solutions that were acceptable in 2020 may not be the best options for security, compliance, and efficiencies now.
VPNs provide remote users a secure connection to internal resources and can be part of a remote work security plan, but they should not be the only solution. If eliminating the use of personal devices is not an option, you should consider obtaining licensing and installing encryption, remote wipe, and local security agents to help bring your organization protections to personal devices. Devices not managed by the organization may be missing security patches and antivirus updates and may already be infected with malware. Forcing all external traffic through the VPN may allow for URL filtering and Antivirus protection; however, allowing these devices access to internal resources through the VPN may increase the risk to the network as a whole. The use of a VPN along with a virtual desktop solution can provide an added layer of security as well as access to locally available applications.
Virtual desktops allow users to connect to an organizationally controlled machine that has the same configurations in place as a workstation located in the user’s physical office. Many times, the user may even have access to specialized software that is not licensed for home use. Users of virtual desktops may still make bad choices, but the virtual machine will be more resilient to attacks than most personal devices.
Effective remote work policies and procedures take careful planning, but will help establish reliable, secure, and efficient connections for whatever challenges and opportunities lie ahead.