Over the last year, organizations have had to address many new challenges. When the COVID-19 pandemic first hit, many enterprises had to send staff home with workstations, printers and other resources they needed to continue working. Since then, organizations have learned many lessons, often the hard way, about how to help staff work more securely from remote locations. As the pandemic continued, working from home became more prevalent and now appears to be a mainstay for many enterprises that are either enabling a full-time work-from-home (WFH) model or a hybrid model (i.e., staff are only in the office 1 or 2 days a week). Regardless, it is important to continue maturing the security of WFH models to make sure that organizational data remains protected the same way that it would be in the office.
One of the first lessons organizations learned was that their attitudes toward security had to be translated for the remote office. Many of the staff working from home did not readily understand that the same security practices that took place at the office also needed to be implemented in their homes. While most organizations did not expect staff to install badge readers with personal identification number (PIN) pads on their home office doors, the need to protect sensitive organizational information did not disappear when staff started working remotely. A successful strategy to help convey the same sense of security while working from home was to help staff understand that they were working from an “alternate work site.” While this phrase seems subtle, it helps staff recognize that the security precautions taken in the office should also be applied at home. However, the implementation of such protections at home may look much different than in the office. Staff may not be required to keep visitor logs for anyone visiting their homes or remote offices; however, they should be aware of where they are keeping sensitive information and who else is living in or visiting those spaces.
To be successful, organizations have to ensure that staff not only have the ability to work effectively at their alternate work sites, but also securely. For example, when sending staff members home with printers, organizations should consider what type of information will be printed. If an employee needs to print sensitive information, the organization should consider sending a lock box or instructions for securing hard copies. They should also consider including a shredder so that sensitive information can be properly destroyed when it is no longer needed. Providing mechanisms for securing the printer’s output helps ensure that remote staff properly protect the organization’s data. Considerations such as these prevent the mishandling of data, which could result in the organization’s annual bonus structure being used as scrap paper for a shopping list.
When in the office, staff are continually reminded to lock their workstations when leaving them unattended and are told not to share their space or equipment with other employees. However, when working at alternate work sites, staff are more likely to allow family members—specifically children—to use their workstation for activities such as looking up a research topic or playing games. Even before the pandemic, organizations learned that when workstations are shared with family members, the likelihood of systems being infected with malicious code is greatly increased. In most cases, family members are not searching for sensitive organizational information. However, they are more likely to click on suspicious links or download a new game without considering the security implications. Organizations protect against these types of risk scenarios by blocking known malicious websites, implementing antivirus detection and not providing administrative access to users. However, the most effective way to prevent these attacks is to ensure that the user assigned to a workstation is the only user of that workstation.
To protect corporate networks from contamination by home networks, organizations expanded virtual private networks (VPNs) for their remote staff. VPNs ensure that communication from the home network to the corporate network is protected from eavesdropping and that only authorized users are permitted to access the network. However, enterprises are becoming more reliant on third-party web applications, such as Microsoft Office 365, ServiceNow and Confluence, that are not on the organization’s network. While these web applications are often configured and approved by the enterprise, staff are not required to connect to the VPN to perform many of their tasks through such applications. Additionally, when staff do not regularly connect to the enterprise network, many of the security features on their workstations are not updated. Therefore, workstations in alternate work sites are less likely to be patched, have antivirus definitions regularly updated, or provide audit logs to the organization’s security information and event management (SIEM) tool for analysis. To address these concerns, enterprises have implemented requirements for their remote staff to routinely connect to the VPN to get important updates. Organizations are also updating remote staff training to address the importance of using the VPN and setting up their SIEM to alert the organization when workstations are not routinely connecting. Implementing these checks enables a more proactive approach to ensuring that staff consistently connect to the VPN.
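The SIEM check described above, as an added example that is not from the article or any vendor product: it reads VPN gateway session events, compares each inventoried remote workstation’s most recent session start against a policy threshold, and reports hosts that are overdue or have never connected. The log format, hostnames, inventory and seven-day threshold are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed VPN gateway log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2021-03-01T08:02:11Z vpn-gw session_start host=WS-1041 user=asmith
2021-03-01T17:30:05Z vpn-gw session_end host=WS-1041 user=asmith
2021-03-08T09:15:42Z vpn-gw session_start host=WS-1041 user=asmith
2021-02-10T07:58:00Z vpn-gw session_start host=WS-2210 user=bjones
2021-02-10T12:01:33Z vpn-gw session_end host=WS-2210 user=bjones
"""

# Constructed asset inventory: remote workstations expected to check in over the VPN.
REMOTE_WORKSTATIONS = {"WS-1041", "WS-2210", "WS-3377"}

MAX_DAYS_WITHOUT_VPN = 7          # assumed policy threshold for patching/AV/log collection
AS_OF = datetime(2021, 3, 10, 9)  # evaluation time for the constructed data


def parse_log(text):
    """Return {host: latest session_start timestamp} found in the log text."""
    last_seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "session_start":
            continue  # ignore session_end and malformed lines
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        attrs = dict(f.split("=", 1) for f in fields[3:])
        host = attrs.get("host")
        if host and (host not in last_seen or ts > last_seen[host]):
            last_seen[host] = ts
    return last_seen


def stale_workstations(text, inventory, now, max_days=MAX_DAYS_WITHOUT_VPN):
    """Return {host: days since last VPN session} for inventoried hosts past the
    threshold; a host with no session at all maps to None (never connected)."""
    last_seen = parse_log(text)
    cutoff = now - timedelta(days=max_days)
    stale = {}
    for host in sorted(inventory):
        seen = last_seen.get(host)
        if seen is None:
            stale[host] = None
        elif seen < cutoff:
            stale[host] = (now - seen).days
    return stale


def demo():
    """Run the check over the constructed log and inventory."""
    return stale_workstations(SAMPLE_LOG, REMOTE_WORKSTATIONS, AS_OF)
```

Each returned host is a candidate SIEM alert: WS-2210 last connected 28 days earlier and WS-3377 has no session at all, while WS-1041 connected within the window and is not reported.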
Another challenge faced by organizations is the lack of understanding of the networks that the staff are using in their alternate work locations. These alternate work site networks are typically less secure than the organization’s networks and are connected to by unknown users and devices. Therefore, when the VPN enables split tunneling, the workstation effectively bridges the untrusted home network to the organizational network. While enabling split tunneling on a VPN can greatly reduce the amount of traffic sent to the organization’s network, as only network traffic destined for the organization’s network will traverse the VPN, this bridge also enables additional attack paths stemming from the untrusted network to the organization’s network. Therefore, many enterprises have decided that the security advantages of disabling split tunneling outweigh the advantage of reduced network traffic.
Organizations have also learned that there are other protections that can help their remote staff without burdening them. Enterprises have seen that implementing technologies such as multifactor authentication (MFA), full-disk encryption and cloud access security brokers (CASBs) can significantly help control access to organizational data. For example, most remote staff are accustomed to using MFA for online banking and other personal websites. Organizations have seen that enabling MFA for enterprise resources, including the organization’s network and third-party web applications, greatly enhances the security of these environments without requiring too much effort from staff. Additionally, full-disk encryption can be enabled without user support and ensures that all data within the workstation are protected if the device is lost or stolen. A CASB helps monitor and restrict access to third-party cloud applications. These capabilities increase the control that the enterprise has over its remote staff’s access without adding complexity to workers’ daily routines.
Finally, the most common—and valuable—lesson from the remote work surge is that it is critical to ensure that staff working from alternate work sites are properly trained. Security awareness remains one of the best ways to protect organizational networks and resources, and help remote staff perform their assigned tasks efficiently and securely. Security awareness training for staff at alternate work sites should include training on the organization’s security technologies, such as MFA and the VPN. However, training should also include concepts such as operational security (OPSEC). OPSEC training reminds remote staff to be aware of their environments, including who may be watching over their shoulders or listening in on their conversations.
Conclusion
Working from alternate work sites using insecure networks may be here to stay, but there is much to learn from 2020 that can help improve cybersecurity capabilities for remote staff. There are several technical solutions that can help, such as using VPNs, enabling MFA, encrypting mobile devices and laptops, and leveraging services such as a CASB, but, ultimately, training and awareness are the most effective at protecting organizational data. Most remote staff do not want to leak organizational information and simply need to be reminded that they are responsible for following security guidelines and maintaining awareness of the resources and information entrusted to them.
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Lessons Learned From a Year of Remote Work” episode of the ISACA® Podcast.
Tom Conkle, CDPSE, CISSP
Is a cybersecurity engineer with more than 20 years of experience. He has assisted organizations in assessing their cybersecurity effectiveness through formal security assessments. Conkle has also helped dozens of commercial and government organizations implement security requirements to address risk within their cybersecurity programs. He is the coauthor of Implementing the NIST Cybersecurity Framework, which aids organizations in connecting the principles of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and COBIT® 5 to achieve an effective cybersecurity program. Additionally, he was a principal architect and subject matter expert in the development of the CMMI Cybermaturity Platform, a self-assessment Software-as-a-Service (SaaS) tool that helps organizations identify a risk-informed cybersecurity program and track their progress as the program is implemented.
Kelly Hood, CDPSE, CISSP, CMMC RP
Is a cybersecurity and privacy professional who helps organizations implement best practices, controls, and standards to manage risk and meet compliance goals. She supports organizations across industries as a CMMC Registered Practitioner by developing and implementing cybersecurity strategies to help manage the risk to their businesses. As a member of the NIST Cybersecurity Framework team, Hood has supported the evolution and outreach of the framework. Additionally, she has supported the development and expansion of the CMMI Cybermaturity Platform. The patent-pending approach she helped develop for ISACA® translates cybersecurity risk to cybermaturity goals and identifies mitigation strategies to help organizations improve their cybersecurity capabilities.