A Whole New World – Securing a Remote Workforce & the 10 Things You Missed!
We’ll get straight to the point— this ain’t the shining, shimmering, splendid world that Aladdin and Jasmine were singing about. Following the COVID-19 outbreak, we’ve quite literally become a whole new world— and not necessarily for the better. Either way you spin it, organizations need to get their security priorities in order, and they need to do it fast.
If you didn’t catch it live or on-demand, we recently hosted a Tech Talk covering this COVID chaos and the cleanup that organizations are now faced with. In this blog, we’re recapping the top 10 security gaps we’ve seen with clients or heard about recently. Let’s dive in!
- Not enforcing MFA: Coming in last, but definitely not least, we’ve got multi-factor authentication (MFA). You can apply MFA to VPN, internal applications, or really anywhere that you’d like to beef up your security controls. And yeah, we know what you’re thinking: But MFA is slow and frustrating. Lucky for you, we’ve got tools for that. Contact us today to learn more.
- Not updating policies: You know the drill— when things change, you have to adapt fast. With remote workers running rampant, consider implementing an acceptable use and remote use policy. Do your employees follow the BYOD policy? If so, define which devices are acceptable to use and point them to what they can and can’t do on these devices. You’ll also need to address some seemingly innocuous practices, like how employees are procuring work-from-home accessories such as headsets and cameras, to ensure supply chain integrity is maintained.
- Not managing through unanticipated staffing changes: This one threw a lot of people for a loop. Due to COVID-19, many organizations have been forced to lay off or furlough employees. As a result, we’re seeing account lifecycle mismanagement, tribal knowledge gaps, and more — meaning teams are letting important IT tasks slide instead of reprioritizing appropriately.
- Not updating monitoring: People aren’t in the office, meaning traffic paths within the network and ingress/egress points have changed. In this new remote world, you have to accommodate remote devices and users by updating monitoring tools to match the new information flow. In addition, IT/security teams not being in the office also changes the workflow of provisioning and incident response. If an incident occurred, how would you handle it remotely? That’s a tough question, but it’s real. Prepare sooner rather than later.
- Not adding endpoint compliance scanning for remote machines: Stop and think about your policy for endpoints accessing the network. Even if it’s not strict or formal, you probably know what your organization tolerates when it comes to attaching things to the network. Yet somehow, as organizations moved from in-office to remote access, a lot of the usual endpoint checks aren’t being enforced. With an endpoint solution, VPN and NAC protection, you can feel confident knowing that outside devices and users can safely navigate your network. Even when accessing the network remotely, there should be controls to validate the machine is in compliance. By the way, we offer a breadth of services related to endpoint protection, host integrity and posture assessments, not just for in-office connections but for most enterprise VPN and remote access solutions as well.
- Not being specific with remote access policies: When we’re telling you we’ve seen it all, we mean it. Enabling remote access policies for client VPNs without putting specific access rules around various users or groups is a huge security vulnerability, and one we’re seeing a lot. Without specific policies and ACLs or portals in place, you’re effectively extending your entire production networks to each and every employee’s home, opening up many paths for attacks, malicious or otherwise.
- Losing control of data paths: If you’re using split tunnel routing for any type of remote access, you’re probably losing visibility and control (and therefore security) of the majority of data going to and from an endpoint. Consider your organization’s needs. This should determine how you’ll want to set up your VPN tunnels. With split tunneling, you can route LAN-bound traffic through an encrypted VPN while other traffic accesses the internet directly. There are cases where split tunnel is required or appropriate, but in most cases it leaves organizations vulnerable to many Internet-based attacks.
- Not addressing secure home office requirements: For all you high risk organizations (you know who you are), this one’s for you. Evaluate your home office environment for things that could potentially expose your data or conversations, such as Amazon Alexa-enabled devices, Google and other smart home products. And for your newly at-home students, set boundaries to ensure that they aren’t listening in on private conversations.
- Not hardening remote management: When we say harden, we mean rock solid! When it comes to hardening for remote-accessed infrastructure, set strict VPN requirements for firewalls, switches and routers and enable MFA for any and all remote access and remote management. This is not the time to get lazy. And if you’re interested in hardening your infrastructure across gateways and wired or wireless networks, give us a ring.
- Not documenting exceptions and temporary changes: Ding, ding, ding, we’ve got a winner! This may sound simple, but it’s consistently missed across organizations. Documenting is key, especially in the highly dynamic environment of transitioning workforces to remote. Working documentation into your daily tasks will enable you to go back and determine what was changed and when it was changed. It doesn’t have to be anything fancy. Most organizations have at least an internal ticketing system, if not a strict change management process, but even a running notepad document or email is better than nothing. Temporary changes and exceptions (more often than not) morph into forgotten security holes. If you think you may be in this situation, you can always ask us to scope a security assessment or pen test.
- Watch on-demand Tech Talk Ep 4: Securing a Remote Workforce – 10 things you missed.
- Schedule a 1:1 private COVID-19 Executive IT Briefing with our technical leadership.
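
To make the "Losing control of data paths" item concrete, here is an added example (not from the Tech Talk or any vendor tooling) that takes a client routing table and measures how much traffic actually leaves through the VPN. The route tables, interface names (`tun0`, `wlan0`) and destinations are constructed, and the example goes slightly beyond the text by also handling full-tunnel setups that leave the default route in place and override it with two more-specific /1 routes. IPv4 only.

```python
import ipaddress

# Constructed client routing tables: (destination prefix, egress interface).
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # default route stays on the home network
    ("192.168.1.0/24", "wlan0"),   # home LAN
    ("10.0.0.0/8", "tun0"),        # only corporate LAN goes through the VPN
]
FULL_TUNNEL = [
    ("0.0.0.0/0", "wlan0"),        # original default route is left in place
    ("0.0.0.0/1", "tun0"),         # two /1 routes win by being more specific
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.10/32", "wlan0"),  # host route to the VPN gateway itself
    ("192.168.1.0/24", "wlan0"),   # home LAN
]

def egress_interface(routes, dest):
    """Longest-prefix match: interface a packet to dest leaves on, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_share(routes, tunnel_if="tun0"):
    """Fraction of IPv4 address space whose traffic exits via the tunnel."""
    # Routing decisions can only change at a prefix boundary, so test one
    # address per segment between consecutive boundaries.
    edges = {0, 2**32}
    for prefix, _ in routes:
        net = ipaddress.ip_network(prefix)
        edges.update((int(net.network_address), int(net.broadcast_address) + 1))
    edges = sorted(edges)
    covered = sum(end - start for start, end in zip(edges, edges[1:])
                  if egress_interface(routes, start) == tunnel_if)
    return covered / 2**32

def bypassing(routes, dests, tunnel_if="tun0"):
    """Destinations the VPN (and anything inspecting it) never sees."""
    return [d for d in dests if egress_interface(routes, d) != tunnel_if]

if __name__ == "__main__":
    sample = ["10.20.30.40", "198.51.100.7", "192.168.1.1"]  # constructed
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, f"{tunnel_share(table):.4%}", bypassing(table, sample))
```

Checking only whether the default route points at the tunnel would misread the second table as split tunnel; measuring coverage by longest-prefix match does not.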
Which one did you miss, and how is your organization remediating gaps? If you’re looking for consulting or turnkey services to help secure your remote workforce, contact us today to learn how we’re helping organizations everywhere adjust to securing the “new normal” of a distributed workforce.