5 Strategies to Secure the Remote Workforce
Securing the remote workforce has always been a challenge, and there are a number of reasons for that. First of all, historically there has been more focus on protecting the organization than on protecting the remote user. As an example, organizations have deployed more and more sophisticated network security components such as next-gen firewalls and anti-malware solutions, which typically inspect network traffic within the organization. However, when users take their laptops home, they are vulnerable as they are outside of this protection. From a technical standpoint, we have been able to address this for a number of years by backhauling remote users’ traffic to headquarters via VPN. However, user experience and bandwidth consumption still continue to be concerns for organizations.
Another element is actual user behaviour: users may use their devices in more varied ways when they are outside the organization than when they are inside it. An example here could be the “Road warrior” who is on a business trip and needs to take care of personal tasks on his corporate device – potentially introducing risk. After all, you may know how good the company’s mail security is, but do you know the security level of every consumer-based e-mail solution? Or, for that matter, of recreational browsing, which may introduce risk to your organization? As a result, it is very challenging for organizations to maintain the same security level for users off their internal networks as for those on them.
The third and perhaps most important challenge is consumerization of the devices that remote workers are utilizing. We sometimes call it ‘Bring Your Own Device’, but the fact is that it is extremely challenging to enforce security settings on a device which you do not own and control. I still believe that many organizations are not giving enough thought to the impact of enabling users to access corporate data from privately owned devices. How do you secure the usage of the data on a device which could be inherently insecure? And how do you off-board that data again if you have no governance over the device?
The statistics also speak for themselves. Unfortunately, research by T-Systems found that when working away from the office, 31% of employees use Wi-Fi hotspots, 28% email work documents from their personal accounts, 10% use free USB charging stations and 15% connect shared USB sticks and memory cards to their work computers. Each of these activities presents known opportunities and risks for exploitation by cyber attackers.
All this being said, the ability to work from anywhere and at any time has a positive impact on both employee productivity and job satisfaction. In today’s business environment, therefore, it is imperative for IT to support and secure the remote workforce.
So, what can organizations do to secure their remote workforce?
Employee Awareness and Training
Last year, social engineering was the initial attack vector used in 65% of the threat advisories that our Managed Security Services (MSS) team published. Recognizing that humans still present the weakest link in the cybersecurity chain, the first task should be to raise cybersecurity awareness within the workforce. This should include making employees understand the implications of their actions, company security policies and best security practices such as the use of strong passwords. Furthermore, training should be an ongoing activity rather than a one-time exercise.
Use of VPNs
As employees will often use their personal devices when connecting to company networks, it is best to provide them with secure means of access. VPNs are designed specifically for this as they encrypt data and hide the IP address of the user. So even if the employee is accessing sensitive company data via an insecure connection, potential attackers wouldn’t be able to extract any useful information.
I still believe that organizations can do much more by enforcing policies that ensure users are still protected even when outside the office premises. Always-On VPN has been around for a very long time and can be enforced without any user impact.
Identity Access Management
In a world of cloud and the distributed workforce, there is no security task more important than being able to identify users in a strong way. We unfortunately still see too many successful attacks that rely on stealing user credentials. Not a day goes by in the world of cybersecurity where we cannot add another data breach. One of the services on the internet that monitors these data breaches has a total of 6.5 unique online identities in its database.
I cannot emphasize enough how important identity hygiene is in our current threat landscape. Passwords should always be unique, but your most sensitive identities, including your corporate services, should also be backed up by a second factor.
Endpoint Robustness and Limiting User Rights
It’s clear that deploying the same security on endpoints and remote users can be challenging. Therefore, it is important to understand the various endpoint vulnerabilities. I find that too many organizations deploy new endpoint solutions without validating whether they have actually achieved the goal of securing the end devices. As a CISO, one also needs to understand that attacks are constantly changing, so validating how your systems hold up against new attacks is important. In the last two years, Help AG has discovered more than 80 Zero Day vulnerabilities, many of them covering kernel and application vulnerabilities that if exploited could impact endpoints and therefore remote users as well.
What is important to know is that while you may not always be able to uncover vulnerabilities, the correct configuration and security applications can make it exponentially more difficult to exploit those that do exist. Also, why not get your endpoint tested by the experts with a service such as penetration testing?
Constant Security Validation
A final thing that I also recommend to CISOs is to look at how they validate the security of their remote users. Since we know that this user group is more exposed, it is important that you validate the integrity of the endpoint constantly. This could, for instance, be done at any connection to your networks and applications – this is why we have NAC, VPN, and Identity Access Management solutions, which validate not just the user but also the security of the devices before granting connection. Taking it one step further moves you towards Endpoint Detection and Response. Help AG’s industry-leading Managed Security Services monitor endpoints both on and off the network, allowing us to take remediation actions 24x7x365 no matter where the user is sitting.