The New Normal
There’s a reason security professionals hate sudden changes, especially those of a drastic nature. The risk of a vulnerability being introduced because something was overlooked or someone acted in haste—albeit with best interests at heart—is all too real.
The COVID-19 pandemic brought just such a change to most organizations. Workers were forced to stay at home and work remotely. Companies that had some remote working capabilities had to try to quickly scale that up. Other organizations had to try to put something together as fast as possible. Security rarely comes first in these scenarios.
Needless to say, businesses that had no remote working capability at all were the least prepared to cope with the change. No remote working usually meant few or no laptops in the business, so many of them had to let home workers use their own domestic computers.
The IT department, which suddenly found itself distributed and working from home, now had to support an IT estate that had mutated overnight to include outdated and unsupported operating systems, home routers, and hardware from any number of manufacturers.
If any of that sounds familiar, here are some effective steps to bring some security back into the situation.
Use Encryption
A security-conscious organization will already encrypt portable and mobile devices such as laptops, tablets, and smartphones. On corporate PCs it's easy to do, and free, as long as you are on the right edition of Microsoft Windows. Windows 10 Pro, Enterprise, and Education include BitLocker. Windows 10 Home does not; it offers only the simpler "device encryption", and only on hardware that meets Microsoft's requirements. By contrast, every edition of macOS includes FileVault full-disk encryption, though it still has to be switched on.
Encrypting the disk protects your data if the device falls into the wrong hands. Even if the threat actors remove the drive and mount it on another machine, they will see only ciphertext. It does nothing for a machine that is powered on and unlocked, so pair it with a screen lock and a strong login password, and escrow the recovery keys centrally so that a forgotten password doesn't cost you the data.
However, a different kind of exposure occurs when files are transmitted electronically. Encryption on the connection protects the file in transit, but a file that is itself encrypted is also protected when it sits in a mailbox, a download folder, or a misaddressed email. This is easy to do. All the Microsoft Office applications let you save a file with a password; for the modern formats (.docx, .xlsx, .pptx) this encrypts the content with AES. Don't rely on it for the old .doc and .xls formats, whose "password to open" protection is easily broken.
Other applications may not offer that facility. If the package you use doesn't encrypt from within the application, encrypt the files before sending them. Use a free utility such as 7-Zip or another archiver to compress the files and protect them with a password, choosing AES-256 rather than the legacy ZipCrypto option, which 7-Zip still offers for .zip archives and which is trivially broken. With the .7z format you can also encrypt the file names, so the listing isn't visible without the password. Compression also reduces the size of the files, cutting transmission time and storage requirements.
Zipping files is a great way to encapsulate collections of disparate files that were created with different software packages that have to be distributed as a parcel of related documents. Compressing them into a single file means you only need to send someone that one file and you know they’ve got the entire set of files.
Communicate the password to the recipient through a different channel than the one carrying the files: if the archive goes by email, send the password by phone or a messaging app, or at the very least in a separate message. Don't reuse passwords or make them predictable or formulaic. A client's name plus the date, for example, is the first thing an attacker will try.
For home workers whose own PCs run ancient versions of Windows, you might as well let them take their office computer home. If you don't, it will only sit unused in an empty office, depreciating. Why not let them use a current, secure device that is known to your IT team, is on your hardware asset register, and that you can fully control?
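A "password-protected" archive is not always a strongly encrypted one, so here is an added example (not from the original article) that checks what you are about to send, using only the Python standard library. It reads a ZIP's central directory and classifies each entry as plaintext, legacy ZipCrypto, or WinZip-style AES (compression method 99 with a 0x9901 extra field, which is what 7-Zip writes when you choose AES for a .zip archive), and it tells an unprotected Office Open XML file (a plain ZIP) from a password-protected one (wrapped in an OLE compound file carrying an EncryptionInfo stream). The sample archives are constructed inline; the `build_zip` helper, the sample names and the status strings are the example's own.

```python
import struct

LOCAL_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header
FLAG_ENCRYPTED = 0x0001                           # general-purpose bit 0
AES_METHOD, AES_EXTRA_ID = 99, 0x9901             # WinZip AE-x scheme
AES_BITS = {1: 128, 2: 192, 3: 256}


def _extra_fields(extra):
    """Split a ZIP extra-field blob into {header_id: data}."""
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        fields[hid] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields


def zip_entry_status(data):
    """Classify every entry via the central directory (works for any real .zip).

    Returns [(name, status)], status in {"plaintext", "zipcrypto (weak)",
    "aes-128", "aes-192", "aes-256"}. Entry names are readable either way:
    .zip never encrypts the listing, only the .7z format with -mhe=on does.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP file: no end-of-central-directory record")
    n_entries, _cd_size, pos = struct.unpack_from("<8xHxxII", data, eocd)
    out = []
    for _ in range(n_entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        # central header: flags@8, method@10, name/extra/comment lengths@28..33
        flags, method, nlen, xlen, clen = struct.unpack_from("<8xHH16xHHH", data, pos)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        pos += 46 + nlen + xlen + clen
        if not flags & FLAG_ENCRYPTED:
            status = "plaintext"
        elif method == AES_METHOD:
            # AE-x extra data: version(2) vendor "AE"(2) strength(1) real method(2)
            ae = _extra_fields(extra).get(AES_EXTRA_ID, b"")
            status = "aes-%d" % AES_BITS.get(ae[4] if len(ae) >= 7 else 0, 0)
        else:
            status = "zipcrypto (weak)"   # 1990s stream cipher, known-plaintext breakable
        out.append((name, status))
    return out


def safe_to_send(data):
    """True only if every entry in the archive is AES-encrypted."""
    return all(status.startswith("aes-") for _, status in zip_entry_status(data))


def office_file_status(data):
    """Tell a protected Office file from an unprotected one by its container."""
    if data.startswith(LOCAL_SIG):
        return "ooxml, not password-protected"
    if data.startswith(OLE_MAGIC):
        # Directory entry names inside a compound file are stored as UTF-16LE,
        # so this cheap heuristic spots the EncryptionInfo stream Office writes.
        if "EncryptionInfo".encode("utf-16-le") in data:
            return "ooxml, password-protected"
        return "legacy binary office format"
    return "unknown container"


def build_zip(entries):
    """Constructed test data: minimal ZIP from [(name, flags, method, extra, payload)].

    Payloads are arbitrary bytes standing in for (possibly encrypted) content;
    CRCs and timestamps stay zero, which the listing code above never reads.
    """
    body = cd = b""
    for name, flags, method, extra, payload in entries:
        nb, off = name.encode(), len(body)
        body += LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, 0,
                                        len(payload), len(payload), len(nb), len(extra))
        body += nb + extra + payload
        cd += CD_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, method, 0, 0, 0,
                                   len(payload), len(payload), len(nb), len(extra),
                                   0, 0, 0, 0, off)
        cd += nb + extra
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                  len(cd), len(body), 0)
    return body + cd + eocd


# Sample archives (constructed). The AE-2 extra field asks for AES-256 (strength 3).
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLE_PLAIN = build_zip([("report.docx", 0, 8, b"", b"\x00" * 16)])
SAMPLE_ZIPCRYPTO = build_zip([("report.docx", FLAG_ENCRYPTED, 8, b"", b"\x00" * 28)])
SAMPLE_MIXED = build_zip([("report.docx", FLAG_ENCRYPTED, AES_METHOD, AES256_EXTRA, b"\x00" * 38),
                          ("notes.txt", 0, 0, b"", b"hello")])   # one file slipped in unencrypted
SAMPLE_PROTECTED_DOCX = OLE_MAGIC + b"\x00" * 56 + "EncryptionInfo".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("zipcrypto", SAMPLE_ZIPCRYPTO), ("mixed", SAMPLE_MIXED)]:
        print(label, zip_entry_status(blob), "safe:", safe_to_send(blob))
    print(office_file_status(SAMPLE_PROTECTED_DOCX))
```

Run it against `open("outgoing.zip", "rb").read()` before the file leaves the building; the mixed sample shows why the check is per entry, since one unencrypted file added later to an otherwise AES-protected archive is all it takes.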
Harden Home Wi-Fi
Domestic Wi-Fi can be secure, but it is often not set up that way. Start a project now to have your IT team work through the home workers, making sure the default router administration credentials have been changed, that strong passwords are in use, and that the firmware is up to date.
Use the most secure protocol the router offers (WPA3 if available, otherwise WPA2 with AES/CCMP; never WEP or WPA with TKIP) and change the Wi-Fi password to a unique, strong one. This means friends and visitors won't be able to get onto the Wi-Fi when they visit, which is the point. If the router supports it, create a guest network so that family and friends can get onto the internet. They get the access they need, they are segregated from the main network, and they never learn the private Wi-Fi password.
You could hide the main network's SSID or turn on MAC address filtering, but neither stops a capable attacker (the SSID is still sent in the clear when devices connect, and MAC addresses are trivially spoofed), and most home users will find both a nuisance to live with.
Turn on the router's firewall and check its rules; in particular, make sure no remote administration or port forwarding is exposed to the internet that you didn't put there. If the router is archaic and no longer receives firmware updates, replace it.
VPNs, RDP, and 2FA
Use encrypted, authenticated remote access such as a Virtual Private Network (VPN) or Microsoft's Remote Desktop Protocol (RDP). More strictly speaking, they are secure when they are patched up to date and everyone uses unique, strong passwords. RDP in particular should sit behind the VPN or a remote desktop gateway rather than being exposed directly to the internet, where it is a constant target for brute forcing. Limit the number of failed attempts before an account is locked out, and watch for attackers who stay below that limit by spreading their guesses across many accounts.
Wherever it is supported, implement two-factor authentication (2FA) or multi-factor authentication (MFA). Prefer authenticator applications or hardware tokens that generate codes. Systems that deliver codes by Short Message Service (SMS) text message are weaker, because SMS can be intercepted or redirected by SIM swapping.
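The lockout rule above, and the gap it leaves, as an added example that is not part of the original article: a per-account lockout policy and a per-source detector run over constructed authentication events in a made-up one-line-per-event format (`<time> <FAIL|OK> <account> <source IP>`; the thresholds, class and function names are the example's own). The first source hammers one account and is locked out after five failures, even when its next guess is correct. The second source tries six different accounts once each, which never trips the per-account lockout; that is a password spray, and only the per-source view catches it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Documentation-range IPs only.
SAMPLE_EVENTS = """\
2020-04-06T09:00:00Z FAIL alice 203.0.113.7
2020-04-06T09:00:20Z FAIL alice 203.0.113.7
2020-04-06T09:00:40Z FAIL alice 203.0.113.7
2020-04-06T09:01:00Z FAIL alice 203.0.113.7
2020-04-06T09:01:20Z FAIL alice 203.0.113.7
2020-04-06T09:01:40Z OK alice 203.0.113.7
2020-04-06T09:30:00Z OK alice 198.51.100.3
2020-04-06T10:00:00Z FAIL bob 198.51.100.9
2020-04-06T10:00:05Z FAIL carol 198.51.100.9
2020-04-06T10:00:10Z FAIL dave 198.51.100.9
2020-04-06T10:00:15Z FAIL erin 198.51.100.9
2020-04-06T10:00:20Z FAIL frank 198.51.100.9
2020-04-06T10:00:25Z FAIL grace 198.51.100.9
"""


def parse_events(text):
    """Return [(timestamp, credentials_ok, account, source_ip)] in file order."""
    events = []
    for line in text.splitlines():
        ts, outcome, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome == "OK", user, src))
    return events


class LockoutPolicy:
    """Lock an account after `threshold` failures inside `window`; keep it locked for `duration`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), duration=timedelta(minutes=15)):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def attempt(self, ts, user, credentials_ok):
        """Return 'locked', 'ok' or 'fail'. A correct password during a lock is still refused."""
        if self.locked_until.get(user, ts) > ts:
            return "locked"
        recent = self.failures[user]
        while recent and ts - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if credentials_ok:
            recent.clear()
            return "ok"
        recent.append(ts)
        if len(recent) >= self.threshold:
            self.locked_until[user] = ts + self.duration
            recent.clear()
            return "locked"
        return "fail"


def run_policy(events, policy=None):
    """Replay events through a policy; returns [(account, outcome)]."""
    policy = policy or LockoutPolicy()
    return [(user, policy.attempt(ts, user, ok)) for ts, ok, user, _src in events]


def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag sources that fail against many *different* accounts inside `window`.

    Returns {source_ip: distinct_accounts}. One failure per account never reaches
    a per-account lockout threshold, which is why this per-source view is needed.
    """
    by_src = defaultdict(list)
    for ts, ok, user, src in events:
        if not ok:
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = len(users)
                break
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for user, outcome in run_policy(events):
        print(user, outcome)
    print("spray sources:", detect_spray(events))
```

The lockout itself is a double-edged control: an attacker who knows your account names can lock every one of them on purpose, so keep the duration short, alert on lockouts rather than treating them as the fix, and pair the policy with MFA and the per-source detection.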
If your workforce use cloud-based services, remember that many of these will be able to provide two-factor authentication at no extra cost. Turn it on, and leverage those free features to your advantage.
Penetration Testing
Threat actors are many things, but they're not dumb. They know there has been a wholesale shift in working habits and that the workforce is now remote, reaching the IT resources in the main office over the internet.
They also know that many organizations stood up their remote working solutions as fast as was physically possible, and that very few of those have been revisited since. So the security no-nos and botches that were waved through when the C-suite was screaming to "just get it working" will still be present.
Be proactive. Have penetration testing conducted on your organization before the cybercriminals do it for you, and make sure the scope covers the new remote-access surface: VPN gateways, any exposed RDP, and the home endpoints themselves. Review the results and deal with the worst vulnerabilities straight away.
Prioritize the remainder and work through them in order of severity.
Compliance and Standards
The change of working environment and practices means a lot of your processes and procedures will need amending. Your governance will need to be reviewed to make sure that the guidance and controls placed on staff still make sense and still apply in the new situation. If they need amending or updating, have that done as soon as possible.
In particular check your password policy, your acceptable usage policy, and your rules about data storage and transmission. The change to homeworking may have contravened existing rules about taking IT equipment home, not connecting to domestic networks, only accessing corporate resources from corporate computers, and so on. It’s vital that staff understand what rules still apply, which have been superseded, and by what.
Remember to review your standards certifications and accreditations. If your organization has achieved compliance with any standards such as ISO 27001, Cyber Essentials, or the NIST Cybersecurity Framework, the IT estate that you described, documented, and created processes for no longer exists. You need to bring all of your governance in line with the new situation.
Data protection legislation will need to be reviewed to see how it maps onto your current data processing activities. If you make changes to your data protection policies and procedures, make sure you update your Privacy Policy so that data subjects are informed of the changes.
Wash Your Hands for 40 Seconds
Like other hygiene regimes that are critical at present, remember your basic cybersecurity hygiene too. Getting the basics right will go a long way to winning the battle.