Originally published by Christopher McNaughton.
As COVID-19 infections increase globally, there has been a vast increase in the number of staff working from home. Many of SECMON1’s clients have asked them to assess the potential security risks which may result.
SECMON1 thought it might be helpful to share some of this advice more widely.
There are a number of key security risks associated with large numbers of staff working from home, many related to the very systems and environment which make working from home possible.
So, what are the risks and how do you minimise them?
Many organisations have migrated from Microsoft Exchange to Office 365 over the last two or three years. While this is generally a very positive shift, in many implementations security was a bit of an afterthought.
We have recently seen many external attacks resulting in mailbox takeovers. These attacks were successful due to the somewhat poor implementation of Office 365.
Now is the time to validate your Office 365 security controls. We can assist with a health check of your Office 365.
Outside the physical security of the office there are additional opportunities for leakage of sensitive data. Some of these opportunities are:
- It may be possible for staff to print sensitive information
- It may be possible for staff to copy data to other devices on their home network
- Staff members may back up sensitive data to unencrypted devices
- Laptops and other devices may be stolen from the home environment
- Laptop screens may be left unlocked exposing information to unauthorised persons
- Staff members may share laptop usage with unauthorised persons
For many staff, working from home will be something they may never have done, or at least not done for extended periods. It may take some staff a few weeks to get into the rhythm of working from home. Some may never acclimatise to the new way of working.
It is important to be patient and guide staff to survive this new experience. Read our article on ‘How to Survive Working from Home’.
Equally, it is important to ensure staff balance life and work while working from home. It is very common for people to work many extra hours as the work environment is effectively only a few steps away.
Working from home brings with it many challenges in how to work effectively and securely. While the vast majority of staff are well intentioned, in attempting to simply do their job, some staff will inadvertently breach policy and security controls.
This is an opportunity to guide and help staff to understand what they can and can’t do to keep company and customer data safe. Frequent and operationally relevant security tips for staff are the order of the day here.
Virtual Private Network (VPN) Access
Although staff are away from the virtual security of the office, you should add the additional layer of a VPN connection to protect your essential systems by encrypting data in transit.
Many of our clients are currently upgrading their VPN infrastructure to accommodate the additional remote staff.
Confirm that the remote staff’s laptops are completely up to date and that automatic updates are switched on. We have already seen attackers targeting remote staff using unpatched and unprotected devices.
Security Software up to Date
Prior to staff working remotely, it is essential to ensure that all standard security software is up to date, including antivirus, host-based firewalls and device encryption.
In the last week we have seen many organisations provisioning hundreds of new laptops so staff can work remotely. The increased workload for IT teams means installing and configuring essential security software becomes an additional challenge. It’s important to make sure staff are operational, but the security of their devices and the organisation’s data is equally if not more important.
Consider how this software will stay up to date where staff are working remotely for extended periods.
There will be a temptation for some staff to use unapproved cloud services for both official and unofficial purposes. Where a staff member has difficulty accessing internal systems such as shared drives or official cloud services, it is common for them to resort to private cloud storage solutions such as Dropbox. Additionally, you may find staff utilising other internet services which may expose the company to additional risk.
Do all of your controls apply to devices both when staff are connected via VPN and when they are not? We have observed numerous occasions where remote staff have bypassed security controls either intentionally or inadvertently. Controls such as the internet proxy are frequently bypassed by remote staff.
Internet usage is an important consideration where staff are working remotely. Will the staff member’s internet connection support the type of work they do from home? It won’t be effective for staff to work from home if their internet connection is slow. In the last week we have seen global internet usage increase markedly, with dips in performance during working hours.
Australian Signals Directorate (ASD) Essential 8
Ask us about SECMON1’s free guidance in implementing the ASD Essential 8 security controls.
About the Author:
Christopher McNaughton | Director | SECMON1
Information Governance, Workplace Investigations & Litigation Support Specialist