When the first wave of the COVID-19 pandemic hit, offices and public spaces closed and every organization rushed to go virtual. The rush is over and the switch is complete: boards, executive leadership, and entire employee workforces are now working and meeting remotely. But sensitive data must be protected and employees must be kept safe. That’s already a challenge in normal circumstances, but with all stakeholders scattered, it’s become even more critical.
The pandemic isn’t over. Boards, executive leaders, and employees will continue to work and meet remotely for the foreseeable future. Here are 10 action items that need to be included in any information security program to keep your remote workers safe and secure.
1. Determine endpoint protection needs
Malware attacks cost a company an average of $2.6 million, so it’s worth ensuring that your antimalware deployment is working and updated regularly. You’ll need more than simple antivirus, though. You’re looking for total protection with Endpoint Detection and Response (EDR)-like capabilities.
2. Secure your connections
Connections to your network and online resources should be through VPN (Virtual Private Network) or HTTPS. Because remote work drastically increases the remote connections, you need to verify three items:
- People only connect securely
- Your VPN can handle the number of connections
- You’re able to monitor those connections and take action if needed to disconnect “ne’er do wells.”
3. Consider implementing 2FA
If you’re looking to further protect your network accounts, 2FA provides a lot of leverage. While 2FA is not the only consideration in identity protection, about 99% of ID attacks can be prevented with 2FA. Yes, it’s true it can be a real burden on your resources. But it’s important to revisit it and see where 2FA can be implemented.
In addition, review your regulatory requirements (e.g., 23 NYCRR Part 500). If you have any, then the cost of implementing 2FA far outweighs the costs of regulatory fines.
4. Understand your users’ access rights and permissions
Make sure you know what access rights and permissions your coworkers have on their machines and on the network. There’s no one-size-fits-all approach, so it’s essential to understand what the people in your company should and shouldn’t do, and assign permissions accordingly.
To avoid the concept of treating everyone like a criminal, think the answers to questions such as these:
- Do they have permission to disable antimalware?
- Do they have permission to run PowerShell or install applications?
- What happens if a user’s children gets a hold of a work-issued laptop?
- What if one of their kids tries to use the laptop to install and play games?
- What if someone else on a home network gets a virus?
5. Double-check your policies and update them if needed
It’s an excellent time to make sure that, among other things, your infosec policy takes remote work into account, your Business Continuity Plan (BCP) and Disaster Recovery plan (DR) includes pandemic considerations, and you have shored up your emergency communication plans. It’s a given that your BCP and DR policies account for disasters such as power outages and fires, but this pandemic response provides a new opportunity for testing and updating your plans.
6. Consider electrical outages and power surges
Another factor in remote work is power protection in regarding uptime, surges, and outages. What if the power goes out in their house or neighborhood? What do you do if equipment is damaged by a power surge? What direction has been given for approved alternative locations? If you have a company policy regarding UPS devices, are they provided by corporate or employee?
7. Schedule regular access reviews
Because of the lack of in-person interaction, remote work increases the importance of scheduling regular reviews of who has access to what. Review your identity directory, VPN, network, and firewall accounts on a regular basis (“regular” determined by your business and security requirements). Ensure that your written access processes include immediate notification of any personnel departures.
8. Keep your training going
Foundational and individual security tasks like applying updates to one’s workstation and reporting phishing emails can seem daunting amidst the stress created by mandatory remote work. An increased sense feeling emotionally disconnected makes security awareness and education even more important. The only prevention for Social Engineering attacks are training employees on how to spot them through regular training, so let them know how important they are.
9. Alert people to the BIG things going on
You have to decide what’s pertinent to your coworkers, how often to send alerts, and the right medium for your message. Alert fatigue is no fun, so you’ll have to make the judgment based on what you know about your coworkers’ ability to handle yet another pesky (yet informative!) note from the information security department.
10. Develop a process for backups and restores of data and equipment
Work toward making everyone aware of how to get equipment and data back up and running as quickly as possible. Ask yourself these important questions and develop a process arund them:
- What would happen if a remote employee’s computer stopped working?
- Where is that person’s data kept and how quickly can it be restored?
- How quickly can a new machine be sent to them, or where do they go to pick up the replacement?
- What’s the shipping procedure?
Final Thoughts: Communicate, Communicate, Communicate
Communication goes both ways: security teams need to show up on your coworkers’ radar, PLUS you need to let them contact you about ANY security concerns. Show up to virtual meetings or join in on chat threads. With the absence of office talk, communications still have to occur. After all, there are plans and announcements and urgent matters to discuss. So make sure that connection on all issues is made possible and easy.
You certainly don’t have to show up to everything because you still have a job to do, but let people know that their information security team is alive and well and working to keep them safe and secure! Be you and be real. Data is virtual – people are not.
About The Author
- Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company's BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20 year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security + certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.