28th October 2020
5 Min read
As a business, you want to do all you can to keep your employees and information safe while working remotely. During the coronavirus pandemic, your business may require your employees to work from home, whether this is for a period of time or indefinitely. While remote working may not be new to your organisation, it is likely that you will have to implement remote policies and procedures on a much larger scale. That is why it is important that your cyber security strategy is robust.
Home and remote working offers great benefits but carries risks that need to be addressed and managed. When employees work remotely, devices that were previously protected within your organisation’s environment are exposed to home networks and shared spaces you do not control, and that exposure extends to your network whenever those devices connect back to it. Your existing security controls may not provide the same level of protection to your assets remotely. Implementing sufficient cyber security measures and practices will help to reduce the risk caused by employees working remotely.
It is likely that your business already uses cloud and Software as a Service (SaaS) applications to ensure your team can collaborate. When working remotely, you may be required to review your existing software and ensure it scales to a larger number of users. You may have to introduce new software and applications to your business so your employees can remain productive at home. It is important that these applications are configured appropriately so that they do not introduce weaknesses into your IT infrastructure.
Working from home, employee behaviour and habits can be subject to change. Your staff may become more relaxed when it comes to security and the caution they apply to your systems and data. You should ensure your team members are clued up on the risks involved in remote working when it comes to cyber security.
Especially in the midst of the coronavirus pandemic, malicious actors are taking advantage of rushed changes to remote corporate infrastructure. Cyber criminals are looking for gaps in security, particularly relating to the end-user, that they can exploit to achieve their objective or goal. There are risks surrounding GDPR and theft of devices if remote work is carried out in the presence of people that are not part of your organisation.
Phishing is a common tactic used by cyber criminals, and one that has occurred a lot during the pandemic. Criminals send emails claiming to be from official organisations, enticing you to click on a link to a website that harvests your credentials or installs malware on your device, giving them access to the data it stores. These scams take advantage of people’s concerns and can be avoided with the right guidance on how to spot phishing attacks.
1. Develop a remote working policy
Developing a remote working policy will ensure your employees understand your organisation’s expectations. The remote policy should cover Bring Your Own Device (BYOD), how to remotely access the network safely, passwords and authentication, removable media and encryption, and any other requirements relevant to your business.
You may want to support the remote working policy with guidance on the cyber security risks involved and how to mitigate them. Your cyber security policy should include the type of information that can be accessed on devices and the security controls set up on the device. Policies will help to maintain consistent processes across your organisation so you can manage your remote workers and security measures effectively.
2. Provide remote security training
Remote employees may be required to use devices and software they are unfamiliar with. Your employees should undertake appropriate training for the devices and software they are using to work remotely. While you may have had to switch to remote working with little preparation, conducting training sessions and sharing resources will ensure the transition is successful.
You could produce a series of ‘How to’ guides or demonstration videos to support employees’ remote setup. They can read these resources at any point they need help to ensure they can instantly access the appropriate advice. You could demonstrate how to access the devices and networks remotely, which data can and cannot be stored on devices, where to store data and how to secure it properly.
3. Ensure the use of multi-factor authentication
Implement multi-factor authentication across all of your services to provide an added layer of security for all users. If a device is lost or stolen, or a password is compromised, multi-factor authentication will help to prevent malicious actors from gaining access to sensitive data as they have to provide a second factor of authentication.
Multi-factor authentication combines two or more different kinds of factor: something you know (a password or PIN), something you have (an authenticator app, a one-time code sent to a registered device, or a physical key, fob or token) and something you are (a fingerprint or face). A strong password on its own is a single factor, so it should always be paired with one of the others. The NCSC provides comprehensive guidance for implementing multi-factor authentication across all accounts.
4. Limit data access and implement encryption
Limit user access so that employees can only reach the data stored on your networks and devices that they need. You should only provide employees with the permissions they need to carry out their role to ensure the security of your information. For employees using administrative or high-privilege accounts, you should regularly review these users to ensure access is only granted to those who still need it. You want to limit data access as much as possible so there is limited exposure if a malicious actor compromises a user.
Encrypting information stored on all devices will protect data should the device be lost or stolen. You should review all devices used for work purposes, as full-disk encryption will need to be turned on and appropriately configured, including escrowing recovery keys so that a locked device can still be recovered. You should use a Virtual Private Network (VPN), which allows remote employees to access your IT resources securely. A VPN ensures your users are authenticated before accessing the network and encrypts any data moving between the user and your network.
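The two checks above (is the device encrypted, and who holds administrative rights on it) can be automated so the review is repeatable rather than a manual inspection. The following PowerShell script is an added example written for this page, not the article’s or Sentrium’s own tooling. It assumes a Windows 10/11 or Windows Server endpoint with the BitLocker and LocalAccounts modules available, run from an elevated prompt; the `$AllowedAdmins` list, including the `CORP\Workstation Admins` group, is a hypothetical placeholder that you would replace with the principals your policy actually permits.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: audit one Windows endpoint for
# full-disk encryption state and local Administrators membership.

# Principals permitted to hold local admin rights on remote-worker devices.
# These names are assumptions; replace them with your own allow-list.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, ideally disabled
    "CORP\Workstation Admins"            # hypothetical domain group
)

$findings = @()

# 1. Encryption: every volume BitLocker knows about should be fully encrypted,
#    have protection switched on, and be bound to the TPM rather than relying
#    on a password alone or a clear key left on disk.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume $($vol.MountPoint): protection=$($vol.ProtectionStatus), status=$($vol.VolumeStatus)"
    }
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if (-not ($protectorTypes | Where-Object { $_ -like 'Tpm*' })) {
        $findings += "Volume $($vol.MountPoint): no TPM-bound key protector (found: $($protectorTypes -join ', '))"
    }
    if ($protectorTypes -notcontains 'RecoveryPassword') {
        $findings += "Volume $($vol.MountPoint): no recovery password protector to escrow"
    }
}

# 2. Least privilege: anyone in the local Administrators group who is not on
#    the allow-list is a finding to be reviewed or removed.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    if ($AllowedAdmins -notcontains $member.Name) {
        $findings += "Unexpected local admin: $($member.Name) ($($member.ObjectClass), source $($member.PrincipalSource))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: all volumes encrypted with TPM protectors; Administrators matches the allow-list."
} else {
    Write-Output "FAIL: $($findings.Count) finding(s) on $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it on each device in scope (for example through your endpoint management tool or a scheduled task) and collect the non-zero exit codes centrally; the script deliberately reports a missing `RecoveryPassword` protector as a finding because an encrypted laptop whose recovery key was never escrowed becomes unrecoverable the moment its TPM or firmware changes.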
5. Develop reporting procedures and culture
Your employees should be able to report their security concerns immediately. While you may have reporting procedures in place, you should consider whether your employees feel comfortable to voice their issues. Creating a positive security culture will ensure your employees feel safe to raise their concerns about bad security practice and incidents, without fear of repercussion. You want to ensure there is sufficient communication to identify vulnerabilities and put measures in place to mitigate risks.
Create reporting procedures to outline how your employees can report security concerns. Detail the steps they need to follow if a device is lost or stolen and who to report it to. Managing these situations as soon as possible may help to reduce the risk to business data.
You should regularly check your cyber security controls with testing and review procedures. This will help you identify any vulnerabilities within your IT assets and help to improve your security posture. Sentrium’s cyber security solutions address your IT security challenges. Our testing and review services provide visibility and understanding of your weaknesses to help you make long-term improvements to your security posture and mitigate risks.