However strong your access controls, and however diligent your patching regime, your security can still be compromised by the behaviour of your staff. This is an ongoing concern during ‘normal’ circumstances; with everyone now working in very different conditions, often using personal devices and with new distractions and concerns, ensuring that users maintain ‘safe’ behaviour is a much greater challenge.
There are three key things IT teams can do in the current circumstances to support safe remote working behaviour:
- ensure users can access the systems and applications they need securely
- check that users have implemented basic security precautions in their home environment
- provide advice on how to avoid the most common scams and malware.
Ensure secure access
In the rush to enable remote working, organisations have found themselves with a range of mechanisms for accessing their corporate systems. You should be using multifactor authentication as widely as possible, particularly for your most sensitive data. If you haven’t done this already, rolling it out to your users is relatively simple and can be enabled through Azure AD and Active Directory, although making it easy enough for all users to understand may be a challenge.
With secure access also comes the requirement to keep it simple. Too many systems with too many different passwords have always been a problem, even for IT staff, and passwords can (and do) get written down. This raises one set of concerns in the office, but a different set when it is done at home. Implementing single sign-on, or at the very least reducing the number of passwords required, will go a long way towards addressing the security concerns of all organisations.
Password length and strength, plus frequency of change, have always been a problem too. The security experts want long, complex passwords which are changed frequently, which is the exact opposite of what a user wants (so they write them down – see above). How do you strike a happy balance? When working with the MoD in the eighties, they would insist on exceedingly complex 14-character passwords for the secure networks and then pull every organisation up because the majority of users had their password on a post-it note stuck to the top drawer of their desk. So before an MoD audit all drawers were checked and passwords moved to a key safe (where the desk keys were supposedly held too), then handed back after the audit.
Don’t forget the basics, such as reminding users to log out of company systems when they leave their desk, particularly if they are using shared computers and – as many people are doing – working from a shared space such as the dining table. Invoke automatic screen savers after 10 minutes of inactivity.
Now is also a good time to revisit your access policy. If you haven’t already, ensure that you have implemented least privilege and default deny policies for each user and each system, to help prevent unauthorised access. If staff were initially working from home and have since been furloughed, consider preventing them from accessing corporate systems until the end of their furlough period, by disabling their accounts rather than deleting them.
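One way to apply the furlough step above in Active Directory, as an added example that is not the article’s own code: accounts are disabled rather than deleted, the return date is recorded in the Description attribute, and a second function lifts the suspension once that date has passed. It assumes the ActiveDirectory module (RSAT) is installed; the user names and dates are constructed.

```powershell
# Added example: suspend furloughed users by disabling (not deleting) their
# AD accounts, and re-enable them automatically when the furlough ends.
Import-Module ActiveDirectory

# Constructed list: sAMAccountName and expected end of furlough (yyyy-MM-dd)
$Furloughed = @(
    @{ User = 'jdoe';   ReturnDate = '2020-06-30' },
    @{ User = 'asmith'; ReturnDate = '2020-05-31' }
)
$Tag = 'FURLOUGH'   # marker written to the Description attribute

function Suspend-FurloughedUser {
    param([string]$User, [string]$ReturnDate)
    $acct = Get-ADUser -Identity $User -Properties Description
    if (-not $acct.Enabled) { Write-Host "$User is already disabled"; return }
    # Keep the previous description so it can be restored on return
    $note = "$Tag until $ReturnDate; prev=$($acct.Description)"
    Set-ADUser -Identity $User -Description $note
    Disable-ADAccount -Identity $User
    Write-Host "Disabled $User until $ReturnDate"
}

function Restore-ReturnedUsers {
    # Re-enable only accounts tagged by this process whose return date has passed
    $today = Get-Date
    Search-ADAccount -AccountDisabled -UsersOnly |
      Get-ADUser -Properties Description |
      Where-Object { $_.Description -like "$Tag until *" } |
      ForEach-Object {
        if ($_.Description -match "$Tag until (\d{4}-\d{2}-\d{2}); prev=(.*)$") {
            $due = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
            if ($due -le $today) {
                Enable-ADAccount -Identity $_.SamAccountName
                if ($Matches[2]) {
                    Set-ADUser -Identity $_.SamAccountName -Description $Matches[2]
                } else {
                    Set-ADUser -Identity $_.SamAccountName -Clear Description
                }
                Write-Host "Re-enabled $($_.SamAccountName)"
            }
        }
      }
}

foreach ($f in $Furloughed) {
    Suspend-FurloughedUser -User $f.User -ReturnDate $f.ReturnDate
}
# Run daily (e.g. as a scheduled task) to lift suspensions that have expired
Restore-ReturnedUsers
```

Because the accounts are only disabled, group memberships, mailboxes and file permissions survive the furlough, and any logon attempt against a disabled account still shows up in your auditing.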
Alerting and auditing of access and authorisation also become much more of an issue. These are tools that businesses have looked at and some have implemented, but they have now become vital, and you may not yet have the experience or processes to cover them.
Finally, it’s important to provide users with all the tools they need to do their job effectively and securely. If you don’t provide them with a secure video meeting application, or advise them which one to use and how to use it, they will find one themselves. So whichever system you prefer, from Microsoft Teams to Zoom, provide a business-quality version and ensure that your users know how to use it securely.
Remind users about basic security precautions
As IT people we often assume that everyone understands the importance of up-to-date antivirus software, passwords etc. However, what’s common sense to you may be unknown or confusing to someone who’s usually office based. The range of IT capabilities within a group of users has never been broader. It’s important to check that everyone in your organisation has good basic security safeguards in place, and to offer support and advice without being patronising. Bear in mind that tools and experience to perform even the most basic checks may not be available, and for the more complex stuff you may require significant additional resource and skills.
With lockdown expected to continue for several more weeks, now is a good time to review how everyone is getting on, perhaps to suggest a change of password, and to consider whether you need to provide additional support or software for specific users. It is enough to get all the users up to a reasonable standard – perfection is attainable but very difficult, and 80 percent is good enough. For example, do you know which operating system people are using, is it really viable in the medium term, or can you now source an alternative for them which wasn’t initially available?
Provide advice on threat avoidance
We’ve already seen a spate of coronavirus-themed malware and ransomware emails, some of which look very convincing (e.g. purporting to come from the WHO, with the correct logos etc.). While these might be expected, all the usual threats are still out there too. Educating users about potential threats such as social engineering is key to preventing cyber attacks such as phishing. This means understanding why people fall for phishing messages in the first place.
Many people don’t realise how much information they give out through social media such as LinkedIn profiles and Twitter conversations, which can then be used against them, and there’s evidence that people don’t treat links on Twitter with as much caution as those in emails. A user under pressure might easily respond to a carefully crafted phishing email that seems to originate from senior management. Give users an easy way of checking, which can be as simple as a friendly face to ask. It is better to get 100 false alarms than one incident!
Effective user education will help your staff to avoid falling for these attacks. This means training everyone in your organisation – including senior management – about different types of threats and how to prevent them. You should also make sure that they know exactly what to do and who to contact should the worst happen. Encourage people to come to you for advice and build a culture of advice and support, while ensuring that users understand their responsibilities in this unfamiliar environment.
You can view our consolidated advice and a short webinar on ‘Optimising remote working to become a more permanent business service’.