As COVID-19 remains prevalent, working remotely has become the new normal. This means that many organizations will have people working from home for extended periods, many of whom may not be familiar with the organization’s established security policies governing remote work.
It is important that organizations maintain their security posture through established policies, controls, and procedures. Remote access policies should include rules for proper use, set clear guidelines, and establish best practices for all workers across all departments. After clearly communicating current policies to all workers, organizations should continue to enforce them and review any previous exceptions for validity. For example, if an organization’s policies prohibit workers from sending internal documentation to personal email addresses, then the policy should remain in force, even if it may seem inconvenient to workers.
During this time, it is crucial to have a cohesive security strategy in place to protect a given workforce. There are several key steps organizations can take to ensure working remotely is as secure as possible.
Actions for Information Technology Departments
It is imperative that the information technology (IT) department of any organization take precautions to help keep employees and the overall organization secure. Some of the steps IT departments can take include:
Secure VPN Services
A virtual private network (VPN) allows workers to connect their computer to the organization’s network, giving them access to office resources.
IT teams must ensure workers will be able to connect to the VPN and work without getting disconnected. They also must ensure that the VPN connection is secure to protect the organization from cyber criminals. Some factors for IT to consider include:
- Verify and test that the servers can keep up with the demand of an increased number of concurrent remote workers.
- Confirm that the VPN is patched with the latest updates.
- Communicate VPN usage guidelines so workers know which services are available off VPN and which services can only be accessed through VPN.
In addition, organizations should implement multifactor authentication (MFA) for all externally accessible services, especially the organization’s VPN and any gateways that allow remote administration.
Organizations must continue to identify and treat their security weaknesses and vulnerabilities to minimize their exposure to current and emerging cyber threats. In the coming weeks, it will be even more important to continue the deployment of security patches to servers and workstations. Centralized components such as VPN gateways are often overlooked because they operate 24 hours a day. VPN gateways may have serious risks and need to be patched as well. Confirming that software updates rolled out by vendors and other third-party services have been deployed is also crucial to the organization’s security. Other than patching, however, during this time it is best to not make any major changes to current firewalls. Unplanned changes often introduce unforeseeable problems.
However, some changes may be necessary. Change management through this time is crucial. Some changes will need to be deferred to avoid introducing additional risks, while others will need to be prioritized to strengthen defenses and mitigate risks. Before proceeding with a change, IT teams should discuss it with stakeholders to understand its impact on users and the business. After the stakeholders agree the change still needs to be made, it should be tested before rolling it out to all users to confirm that it will not negatively impact the work environment. During this period of remote work, IT infrastructure is under additional stress, and as a result, changes may cause it to slow down or even crash. One way to help mitigate this scenario is for IT to roll out the changes to the work environment outside of regular work hours and ask users to contact the team if they encounter any issues. Keeping track of the changes made during this time can also help alleviate issues that arise and allow IT and management to analyze the changes when organizations begin to return to normalcy.
It is crucial that all remote workers know how to contact the organization’s IT department (and its help desk, if it has one). During this time, users will have questions and may run into technical issues. As a result, organizations should have a complete contact list or system established for efficient technical support between users and the IT department, and clearly communicate that to all workers.
Least Privilege Principle
Least privilege is the practice of restricting access rights for users, accounts, and computing processes to those that are absolutely required to perform specific duties. This provides users with only what they need to do their job while working remotely. During this period, organizations should not make any changes to access rights unless absolutely necessary. All users should keep their current access to required accounts and documents. In particular, end users should not be granted administrative privileges to their laptops. Administrative tasks that require elevated privileges, such as installing a printer, should be done by IT staff.
Continuous Communication Is Essential
As part of an organization’s protocol, IT must maintain continuous, efficient, and secure communication among all users. This includes the following steps:
- Create a template for all internal communication and limit the number of people who can send group emails using the template. This will help workers know whether an email is legitimate and will help them identify possibly malicious emails impersonating internal email addresses.
- Do not allow workers to send work emails from or to their personal email accounts.
- Make the current work from home (WFH) policy available for all workers to see. Have a team dedicated to answering any questions or concerns regarding the policy.
Phishing Scams Related to Coronavirus
Over the last few weeks, cyber criminals have exploited fears concerning the coronavirus outbreak by launching phishing and malware attacks, which will increase as the pandemic continues. Cyber criminals are using the coronavirus to exploit people, make money, and steal information. As more people are working from home, cyber criminals are developing more ways to gain access to corporate computer systems, including by sending phishing emails that impersonate the Centers for Disease Control (CDC) and the World Health Organization (WHO). To help safeguard an organization’s computer systems, workers should be informed that phishing scams are on the rise and reminded to keep the following in mind:
- Treat all emails regarding COVID-19 with caution.
- Never trust emails that request money for coronavirus testing—they are scams.
- Instead of clicking on a link in an email, navigate to the webpage directly.
- Government and health agencies will never ask someone to provide bank information, Social Security number, or passwords in an email.
Organizations are continuing to learn how to navigate a new and unsettling time. Working together and taking the necessary precautions for cyber health will help ensure organizations remain protected.